Two popular browser extensions that posed as free VPN services have been caught stealing users’ clipboard data. The Chrome and Firefox add-ons secretly collected everything users copied while keeping their proxy features working to appear legitimate.
The extensions operated under the VPN Go branding. The Chrome version had about 146 active installations, while the Firefox version had 3,499 users at the time of discovery. Socket, an emerging developer-first cybersecurity platform, notified both browser vendors about the malicious add-ons and requested their removal from the official stores.
The developer introduced the clipboard theft through what looked like ordinary updates. The Chrome extension initially worked as a clean proxy tool when it launched in December last year. The malicious code arrived in a later version published at the end of May this year.
Clipboard thieves are especially dangerous because many people habitually copy personal data and passwords to their clipboards. By relying on browser permissions alone, without touching the operating system itself, attackers can capture these secrets with little or no visibility to the user.
How the malicious extensions operated
The Chrome extension’s malicious code was activated on every website a user visited. It checked the clipboard every half-second for new content. The script broke the copied text into segments and created a unique session marker. Afterward, it forwarded everything to a background handler that transmitted it out.
The extension ignored duplicate entries, which prevented multiple uploads of the same content. The developers implemented this to avoid detection and reduce suspicious network traffic. The background service worker then forwarded the stolen clipboard data to the servers that the attackers control.
The Firefox version mirrors the process but implements it differently: it performs the clipboard reads in its background script and polls every 1.5 seconds, most likely because of the architectural differences between the two browsers' extension platforms.
The two add-ons both connect to the same backend system and use almost identical methods to read and send clipboard contents. Investigators located Firefox-specific configuration details, including the Firefox extension ID, in the files of the Chrome version. This indicates that both extensions share a common code base or build process, so they likely have the same creator.
The malicious use of VPN infrastructure has drawn global attention. Authorities recently shut down the ‘First VPN Service’ in an international operation targeting cybercrime links.
Why clipboard data is so valuable
The theft of clipboard data presents significant security risks because the clipboard often holds sensitive details. Many individuals routinely copy items such as passwords from a password manager, MFA codes from an authenticator app, API keys for their cloud services, OAuth tokens for third-party integrations, cloud credentials, cryptocurrency wallet addresses, and recovery phrases for their digital wallets.
Once a malicious browser extension captures the data on your clipboard, an attacker could use it to cause serious security damage. They can gain access to your accounts and steal from you, or compromise your entire system.
The VPN Go extensions were sending all captured clipboard data back to the attacker's servers. This provides the attacker with a continuous stream of genuine, sensitive information about their victims.
The legitimate proxy functionality helped the extensions avoid suspicion. Users saw the VPN working correctly and assumed the software was safe. The extensive permissions required for proxy operation provided a convenient cover for the clipboard monitoring.
Socket researchers said that the extensions could retrieve stored proxy credentials and proxy locations, and route browser traffic through remote servers. This legitimate functionality helped build trust and provided a convincing reason for the extensive browser permissions.
Protecting yourself, knowing what to do
Socket advises anyone using these extensions to uninstall them without delay. The firm has also reported both extensions to Google and Mozilla for review and removal.
Anyone who used these extensions should consider all sensitive information copied during that time as potentially compromised. This includes passwords, API keys, cloud credentials, OAuth tokens, cryptocurrency recovery material, and any other sensitive information copied while the extensions were installed.
Users should change passwords for any accounts they accessed while the extensions were active. They should also rotate API keys and generate new cryptocurrency wallet addresses if they copied those details. Another essential practice is monitoring accounts for suspicious activity.
The incident highlights the importance of installing only trusted browser extensions. Users should carefully review the permissions requested by any extension before installation. Extensions that request clipboard access or the ability to read data on all websites deserve extra scrutiny.
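The two passages above describe a concrete behavioural profile (a timer that repeatedly reads the clipboard, a content script that runs on every site, a message to the background script, and a proxy permission set used as cover) and advise scrutinising extensions that request clipboard access or access to all websites. The following Python script is an added example, not code from Socket, Google, Mozilla, or the VPN Go extensions, that turns that profile into a static triage check over an unpacked extension directory. The permission and host-pattern names are real Chrome and Firefox manifest values; the regular-expression indicators, the scoring rules, and the two sample manifests and scripts are constructed for this example and are heuristics, so a "high" result means "review by hand", not "malicious".

```python
"""Static triage of an unpacked browser extension for the clipboard-polling profile
described in the article. Heuristics only: a hit means 'review by hand', not 'malicious'."""
import json
import re
from pathlib import Path

# Manifest permissions grouped by what they enable (real Chrome/Firefox permission names).
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
PROXY_PERMS = {"proxy", "webRequest", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source patterns matching the behaviour the article describes: a timer that repeatedly
# reads the clipboard and hands the text to a background script that sends it out.
# These regexes are constructed heuristics, not a vendor-published signature set.
INDICATORS = {
    "clipboard_read": re.compile(r"navigator\.clipboard\.readText\s*\(|execCommand\s*\(\s*['\"]paste['\"]"),
    "polling_timer": re.compile(r"\bsetInterval\s*\("),
    "to_background": re.compile(r"\b(chrome|browser)\.runtime\.sendMessage\s*\("),
    "network_send": re.compile(r"\b(fetch|sendBeacon|XMLHttpRequest)\b"),
}


def audit_manifest(manifest: dict) -> dict:
    """Return which risky capabilities the manifest declares."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return {
        "clipboard_permission": bool(perms & CLIPBOARD_PERMS),
        "proxy_permission": bool(perms & PROXY_PERMS),
        "runs_on_all_sites": bool(hosts & BROAD_HOSTS),
    }


def audit_source(js_text: str) -> dict:
    """Return which behavioural indicators appear in one script's source text."""
    return {name: bool(rx.search(js_text)) for name, rx in INDICATORS.items()}


def classify(manifest_findings: dict, source_findings: dict) -> tuple[str, list[str]]:
    """Combine findings into a review level plus the reasons that triggered it."""
    reasons = [k for k, v in {**manifest_findings, **source_findings}.items() if v]
    reads = source_findings["clipboard_read"] or manifest_findings["clipboard_permission"]
    exfil_path = source_findings["to_background"] or source_findings["network_send"]
    # The article's profile: clipboard read + timer + a way out + runs everywhere.
    if reads and source_findings["polling_timer"] and exfil_path and manifest_findings["runs_on_all_sites"]:
        return "high", reasons
    if reads:
        return "medium", reasons
    return "low", reasons


def audit_extension_dir(path: str) -> tuple[str, list[str]]:
    """Audit an unpacked extension directory: manifest.json plus every .js file under it."""
    root = Path(path)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    merged = {name: False for name in INDICATORS}
    for js in root.rglob("*.js"):
        for name, hit in audit_source(js.read_text(encoding="utf-8", errors="ignore")).items():
            merged[name] = merged[name] or hit
    return classify(audit_manifest(manifest), merged)


# Constructed samples for demonstration (not the real VPN Go files): one matching the
# profile, one benign.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["proxy", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SUSPICIOUS_CONTENT_JS = """
setInterval(async () => {
  const text = await navigator.clipboard.readText();
  chrome.runtime.sendMessage({ text });
}, 500);
"""
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["c.js"]}],
}
BENIGN_CONTENT_JS = "document.body.style.background = '#eee';"

if __name__ == "__main__":
    for label, manifest, js in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_CONTENT_JS),
                                ("benign", BENIGN_MANIFEST, BENIGN_CONTENT_JS)):
        level, why = classify(audit_manifest(manifest), audit_source(js))
        print(f"{label}: {level} {why}")
```

Run it with `python triage.py` to see the two constructed samples classified, or call `audit_extension_dir("/path/to/unpacked/extension")` on a folder you have extracted from a `.crx` or `.xpi` archive. Note that the "suspicious" sample is flagged "high" even though its manifest never declares `clipboardRead`: the script treats the clipboard read API in a content script that runs on all sites as the strongest signal, which is the combination the article describes, and the proxy permission only adds a reason rather than changing the level.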