Last updated 1 month ago
Google's Chrome Web Store experienced a supply chain attack affecting users of two extensions originally developed by BuildMelon (akshayanuonline@gmail.com). The extensions turned malicious after an ownership transfer, enabling attackers to push malware to downstream customers, inject arbitrary code, and harvest sensitive data from affected systems. The attack vector exploited the Chrome extension ecosystem's trust model, compromising users who had installed the legitimate extensions before the malicious update.
The attack chain began with the transfer of extension ownership to malicious actors, who then updated the extensions with malicious code. The compromised extensions gained capabilities for arbitrary code injection and data exfiltration, affecting all users who installed or updated the extensions. The attack demonstrates how supply chain compromises in browser extension marketplaces can bypass traditional security controls and affect large user populations through trusted distribution channels.
Google removed the malicious extensions from the Chrome Web Store following discovery, but users who had already installed the extensions remained vulnerable until manual removal. The incident highlights the security challenges in browser extension ecosystems where ownership transfers can introduce malicious actors into previously trusted software distribution chains.
Malicious Chrome extensions enabled code injection and data harvesting after ownership transfer
This breach demonstrates critical failures in browser extension marketplace security controls, particularly around ownership transfer validation and post-transfer monitoring. Organizations must implement enhanced vetting for extension ownership changes and continuous behavioral analysis of extension updates, as the trust placed in previously legitimate extensions created a widespread attack vector. The incident shows that supply chain attacks can originate from within official distribution channels, requiring security teams to monitor not just initial installation but all subsequent updates of browser extensions.
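One way to monitor extension updates rather than only the initial install is to diff each new version's `manifest.json` against the last reviewed one and hold the update when it gains injection or data-access capability. The sketch below is an added example, not code from the page or from Google; the `HIGH_RISK` selection, the function names, and both sample manifests are assumptions constructed for illustration.

```python
import json

# Chrome API permissions that enable code injection or broad data access.
# The selection is an assumption of this example, not a list from the page.
HIGH_RISK = {"scripting", "tabs", "cookies", "webRequest", "debugger", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host(entry):
    return entry == "<all_urls>" or "://" in entry


def host_patterns(manifest):
    """Every host pattern the extension can reach (MV2 and MV3 layouts)."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if _is_host(p)}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts


def api_permissions(manifest):
    return {p for p in manifest.get("permissions", []) if not _is_host(p)}


def diff_update(old, new):
    """List capabilities an update added relative to the reviewed baseline."""
    findings = []
    for perm in sorted(api_permissions(new) - api_permissions(old)):
        findings.append(("high" if perm in HIGH_RISK else "info", f"permission: {perm}"))
    for host in sorted(host_patterns(new) - host_patterns(old)):
        findings.append(("high" if host in BROAD_HOSTS else "medium", f"host: {host}"))
    return findings


def needs_review(findings):
    """Hold the update for manual review if any high-severity capability appeared."""
    return any(sev == "high" for sev, _ in findings)


# Constructed sample manifests (not taken from the affected extensions).
BASELINE = json.loads("""{"manifest_version": 3, "version": "1.4.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["ui.js"]}]}""")
UPDATED = json.loads("""{"manifest_version": 3, "version": "1.5.0",
  "permissions": ["storage", "scripting", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["ui.js"]}]}""")

if __name__ == "__main__":
    for severity, detail in diff_update(BASELINE, UPDATED):
        print(f"{severity:6} new {detail}")
```

A manifest diff only catches updates that widen capability; an update that turns malicious within permissions the extension already held needs code-level or behavioral review.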