mega-chrome
MEGA Chrome extension trojanized via developer account compromise
On 2018-09-04 at 14:30 UTC, attackers compromised MEGA's Chrome Web Store developer account and published v3.39.4 of the official MEGA extension with credential-stealing code added to it. The trojanized extension intercepted POST requests containing common login field names and exfiltrated credentials for Amazon, GitHub, Google, and Microsoft, plus private keys for MyEtherWallet and MyMonero and credentials for the Idex.market exchange, sending the data to megaopac.host (176.119.1.146, Ukraine). Google removed the extension at 19:19 UTC; the malicious version was live for approximately 4 hours. A clean version, v3.39.5, was published shortly after.
- Date
- 2018-09-04
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Credential theft
- Cause
- Compromised developer account
What Was Affected
Package
mega-chrome
Language
javascript
Component
Extension
Artifact type
extension package
Domain type
package host
Domain
chromewebstore.google.com
Compromised Versions
- 3.39.4
Incident Context
- Motive
- Credential theft
- Attribution
- Unknown attacker
- Transitive
- No
- User Impact
- 1600000
- Observed Duration
- 0 days
Evidence
Current Artifacts and Analysis
External References
Source Data
Source record: proprietary/mega-chrome/meta.yaml