Sophisticated Phishing Campaign Targets Chrome Extension Developers A new phishing campaign is actively targeting Chrome extension developers, impersonating official Chrome Web Store copyright enforcement notices to steal Google account credentials. The attack, discovered by Malwarebytes, aims to compromise widely used browser extensions by exploiting developer trust and urgency. The campaign begins with a highly personalized "copyright removal request," falsely claiming an extension faces takedown within 48 hours. Victims are directed to a fake "Chrome Web Store Developer Policy Center" hosted on attacker-controlled domains, such as dmca-chrome-extensions[.]click. The phishing page dynamically retrieves publicly available extension metadata including names, icons, and listing details to craft a convincing, tailored takedown notice. Fake elements like complaint numbers, submission dates, and a countdown timer heighten pressure, discouraging victims from verifying the claim through official channels. At the final stage, a realistic Google sign-in interface appears, complete with branding and a spoofed accounts.google.com URL. However, the window is embedded within the malicious page, and credentials entered are immediately captured. Key red flags include the inability to move the login window outside the browser and the persistent display of the phishing domain in the address bar. Compromised developer accounts pose severe risks. Attackers could inject malicious code into extensions, distribute trojanized updates, or access sensitive resources, potentially impacting millions of users. This campaign mirrors broader trends of targeting developer ecosystems, similar to past attacks on platforms like GitHub and YouTube. Google does not issue policy enforcement notices via third-party sites legitimate alerts appear only in the official Chrome Web Store developer dashboard. Security experts advise developers to verify alerts directly through official channels, scrutinize browser address bars, and use strong authentication methods like passkeys or hardware security keys. Suspected compromises should prompt immediate password resets, session revocations, and extension audits. The attack demonstrates advanced social engineering, combining real-time data harvesting with psychological manipulation to deceive even technically savvy users.