Open Source · 2020-10-16 · 4 days · Data Theft, Session Abuse, Tracking

Nano extensions shipped malicious updates

After Nano Adblocker and Nano Defender changed hands, Chrome Web Store updates added malicious code that collected browsing data and abused logged-in social sessions.

Story

Nano Adblocker and Nano Defender were Chromium extensions derived from the uBlock Origin ecosystem. In October 2020, maintainer Hugo Xu announced he no longer had time to maintain the projects and transferred the Chrome Web Store rights to new developers.

The trust boundary moved with the store listing. Existing users did not install a lookalike extension; their browsers accepted updates under the established Nano extension identities. Raymond Hill and community reviewers quickly warned that the new releases contained malicious code.

The payload collected browsing data and sent a report file to def.dev-nano.com. Users also observed browser sessions issuing Instagram likes without user action, which showed that extension privileges reached authenticated social sessions.

Google removed the extensions from the Chrome Web Store after the reports. The Firefox variants were maintained separately and were reported not to have received the malicious Chrome Web Store code, so this record is scoped to the Chromium distribution path.

Affected Artifacts

Incident Context

Motive: Data Theft
Attribution: Maintainer
Cause: Maintainer Ownership Transfer
Transitive: No
Actor: New maintainer
User Impact: 300,000

Indicators

  • domain: def.dev-nano.com
  • url: https://def.dev-nano.com/
  • file: report
  • observable: Browsers issued Instagram likes without user action.
  • observable: Chrome Web Store rights were sold to new developers before malicious updates.

External References

Source record: oss/attacks/nano-adblocker-defender/meta.yaml