Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates
Malicious VPN extensions for Chrome and Firefox were updated to steal clipboard data.
Summary
Malicious browser extensions masquerading as free VPNs, branded 'VPN Go: Free VPN', have been updated to include clipboard-stealing capabilities. These extensions, available on the Chrome Web Store and Mozilla's Firefox Add-ons marketplace, exfiltrate copied data like passwords, API keys, and MFA codes to threat actor-controlled infrastructure. The malicious functionality was introduced through staged updates, with earlier versions acting as legitimate proxy tools before the addition of the clipboard stealer.
Full text
Research/Security NewsMiasma Mini Shai-Hulud Hits ImmobiliareLabs npm PackagesMiasma Mini Shai-Hulud hits @immobiliarelabs Backstage plugins, targeting GitLab and LDAP auth packages on npm.By Socket Research Team - Jun 26, 2026
Indicators of Compromise
- ip — 178.236.252.133
- ip — 77.91.123.187
- ip — 178.236.252.161
- url — hxxp://178.236.252.133/html/continue.php
- url — hxxp://77.91.123.187/html/continue.php
- url — hxxp://178.236.252.161/html/continue.php
- url — hxxp://178.236.252.133/locations
- url — hxxp://77.91.123.187/locations
- url — hxxp://178.236.252.161/locations
- hash_sha256 — 43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56
- hash_sha256 — b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c
- hash_sha256 — 72fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2
- hash_sha256 — fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97
- hash_sha256 — 2fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2
- mitre_attack — T1115
- mitre_attack — T1059.007
- mitre_attack — T1071.001
- mitre_attack — T1041
- mitre_attack — T1036
- mitre_attack — T1176.001
- mitre_attack — T1027