
Browser Poaching

  • Javier Conejo del Cerro
  • Jul 9
  • 3 min read

A newly discovered Chrome zero-day vulnerability (CVE-2025-6554) and an ongoing campaign involving 45 malicious Firefox extensions have placed both individual users and enterprises in the crosshairs. These threats exploit the very browsers we depend on daily, highlighting how entry points we trust most can become silent vectors of compromise.


Confusion and Theft


On the Chrome front, the zero-day stems from a high-severity type confusion bug in the V8 JavaScript engine. A type confusion bug causes the engine to treat an object in memory as a different type than it actually is; attackers can leverage that mismatch to corrupt memory and ultimately execute arbitrary code on the target system. Attackers are actively exploiting this vulnerability in the wild via maliciously crafted websites containing JavaScript payloads. Once triggered, the exploit can grant full control over the system, opening the door to data theft, malware installation, or lateral movement within enterprise environments.

Meanwhile, Firefox users face a very different yet equally dangerous threat: rogue browser extensions. The campaign, dubbed “FoxyWallet” by researchers at Koi Security, involves 45 extensions impersonating legitimate cryptocurrency wallet add-ons such as MetaMask, Coinbase Wallet, Trust Wallet, Phantom, and Keplr. These fake add-ons were available via Mozilla’s official Add-ons store, passing as credible tools by using fake reviews and inflated ratings.

Once installed, these extensions silently steal sensitive data such as user credentials, wallet seed phrases, and private keys—allowing attackers to drain wallets, impersonate victims, or exfiltrate personal and financial data. Unlike drive-by download threats, these attacks rely on social engineering and user trust in browser marketplaces, adding a dangerous layer of credibility to the compromise.


Malicious Code and Rogue Extensions


The Google Chrome vulnerability (CVE-2025-6554) was discovered on June 25 by Google Threat Analysis Group (TAG) researcher Clément Lecigne and patched the following day. The vulnerability resides in Chrome’s V8 engine, responsible for processing JavaScript, and its exploitation allows malicious sites to run unauthorized code within the browser’s context or even escape the browser sandbox to compromise the operating system.

Although Google has yet to publish full technical details—common practice until a majority of users have updated—the application security firm Intrucept released insights into how the flaw enables arbitrary code execution through memory misinterpretation. This makes the flaw especially attractive to advanced persistent threat (APT) actors or criminal groups using tailored phishing lures to deliver payloads via compromised web pages.

Simultaneously, the rogue Firefox extensions continue to affect users. Seven of the 45 identified add-ons remain active at the time of writing. The attackers behind FoxyWallet have embedded code comments and metadata suggesting they are likely Russian-speaking. These extensions were submitted and approved through Mozilla’s review process, and their high ratings and positive reviews—largely faked—created an illusion of safety. Users downloaded them believing they were accessing secure wallet interfaces, when in fact they were handing over their most sensitive crypto data.

Importantly, these browser threats transcend personal harm. In enterprise environments, browsers are gateways to email systems, cloud platforms, customer management tools, and internal dashboards. Compromising a browser extension or exploiting a zero-day provides attackers with direct access to login sessions, credentials, and potentially sensitive files. A breached browser can silently leak sensitive company data while appearing to function normally.


Zero Trust, Everyone Must


To mitigate browser-related threats, a layered defense approach is essential—one that doesn’t rely solely on the user’s ability to spot the abnormal. Security teams, system administrators, and even casual users all have a role to play:


  • For Chrome users: Update immediately to the latest secure version. The patched releases—138.0.7204.96/.97 for Windows and Mac, and 138.0.7204.96 for Linux—close the V8 engine vulnerability and stop ongoing exploitation campaigns.


  • For Firefox users: Immediately remove all cryptocurrency wallet extensions, especially if they were added recently. Mozilla has been notified of the campaign, but affected extensions may remain active in some regions or under different names.


  • For system administrators and CISOs:

    • Maintain a whitelist of authorized browser extensions.

    • Use browser security tools to block unvetted or high-risk add-ons.

    • Continuously monitor browser behavior for permission changes or unusual network connections.

    • Treat browser extensions as software—subject them to the same scanning and approval processes as any third-party application.


  • For security operations teams:

    • Deploy behavioral-based EDR (Endpoint Detection and Response) tools that can detect browser privilege escalation, credential access, and sandbox escape attempts.

    • Set up alerts for known indicators of compromise (IOCs), such as the command-and-control (C2) infrastructure used by FoxyWallet extensions.

    • Audit browser extensions and update policies regularly to adapt to emerging campaigns.
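The allowlist and periodic audit recommended above for administrators and security operations teams can be scripted. The following is an added example, not code from the original post or from any vendor: it audits the add-ons recorded in a Firefox profile against an approved list and flags recent installs, wallet-themed names (the FoxyWallet lure) and broad host permissions. It assumes the `addons` record shape of a profile's `extensions.json` (`id`, `type`, `defaultLocale.name`, `installDate` in milliseconds, `userPermissions`); the allowlist ID and the sample records are constructed.

```python
# Added example: audit Firefox add-ons against an allowlist.
# Assumed record shape mirrors the "addons" entries of a profile's
# extensions.json; the sample data and the approved ID below are constructed.
import json
import time

ALLOWLIST = {"uBlock0@raymondhill.net"}            # hypothetical approved add-on IDs
WALLET_WORDS = ("wallet", "metamask", "coinbase", "phantom", "keplr", "trust")
BROAD_ORIGINS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
RECENT_DAYS = 30
DAY_MS = 86_400_000

# Constructed sample: one approved add-on, one wallet look-alike installed
# two days ago, and a language pack that should be ignored by the audit.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
     "defaultLocale": {"name": "uBlock Origin"}, "installDate": 1_700_000_000_000,
     "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
    {"id": "{1b2c3d4e-0000-4000-8000-000000000001}", "type": "extension", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Pro"},
     "installDate": int(time.time() * 1000) - 2 * DAY_MS,
     "userPermissions": {"permissions": ["storage", "webRequest"], "origins": ["<all_urls>"]}},
    {"id": "langpack-es@firefox.mozilla.org", "type": "locale", "active": True,
     "defaultLocale": {"name": "Spanish"}, "installDate": 1_600_000_000_000,
     "userPermissions": {"permissions": [], "origins": []}},
]})


def audit_addons(extensions_json: str, allowlist=ALLOWLIST, now_ms=None):
    """Return {addon_id: [reasons]} for every non-approved extension."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    findings = {}
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":       # skip themes, dictionaries, locales
            continue
        if addon["id"] in allowlist:               # approved: nothing to report
            continue
        name = addon.get("defaultLocale", {}).get("name", "")
        perms = addon.get("userPermissions") or {}
        reasons = ["not on allowlist"]
        if now_ms - addon.get("installDate", 0) < RECENT_DAYS * DAY_MS:
            reasons.append(f"installed in last {RECENT_DAYS} days")
        if any(w in name.lower() for w in WALLET_WORDS):
            reasons.append("wallet-themed name")
        if any(o in BROAD_ORIGINS for o in perms.get("origins", [])):
            reasons.append("broad host permissions")
        findings[addon["id"]] = reasons
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_addons(SAMPLE_EXTENSIONS_JSON), indent=2))
```

Point it at a real profile by reading `extensions.json` into `extensions_json`; anything it returns is a candidate for removal or for the approval process the post describes.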


The humble browser has become one of the most exploited client-side tools in the enterprise. These latest campaigns underscore the urgent need to rethink browser security as part of an organization’s core posture—not just an endpoint feature. Zero Trust must extend to every tab, every plugin, and every line of script we let into our networks.
