Browser Threat Alert: Malicious Chrome Extensions, ClickFix & Web Attacks

A significant threat involving 131 malicious Chrome extensions hijacking WhatsApp Web for a massive spam campaign has emerged, underscoring the ongoing risks from browser add-ons. Concurrently, sophisticated copy/paste attacks, dubbed 'ClickFix,' are evolving, manipulating clipboard data to facilitate fraud and data breaches. Users are also advised to be aware of advanced web-based threats like 'Pixnapping' and 'EtherHiding,' which leverage browser vulnerabilities for deceptive and covert malicious activities. Regular browser and extension updates are critical to mitigate these evolving attack vectors.

Massive Chrome Extension Campaign Hijacks WhatsApp Web

Campaign Overview

• Threat: Malicious Chrome Extensions
• Number of Extensions: 131 identified
• Target: WhatsApp Web users
• Exploitation Method: Hijacking WhatsApp Web functionality
• Campaign Objective: Massive spam distribution and propagation

Technical Details

Security researchers have uncovered a widespread campaign involving 131 malicious Chrome extensions designed to compromise WhatsApp Web sessions. Once installed, these extensions gain unauthorized access to a user's WhatsApp Web interface, enabling threat actors to perform a variety of malicious actions. This includes automatically replying to messages, initiating new conversations with contacts, and spreading further spam messages, effectively turning the victim's account into a bot for the spam campaign. The sheer volume of malicious extensions highlights a concerning trend where legitimate functionalities of browser add-ons are abused to propagate threats at scale.

Mitigation

Users should immediately review their installed Chrome extensions, removing any unfamiliar or suspicious ones, especially those requesting broad permissions. It is crucial to download extensions only from trusted sources and to scrutinize permission requests. Regularly updating Chrome and exercising caution with third-party extensions are vital steps in preventing such compromises.

Evolving Copy/Paste Attacks: The Rise of 'ClickFix'

Overview

A new term, 'ClickFix,' is gaining traction in the security community to describe sophisticated copy/paste attacks that are driving security breaches. These attacks leverage the clipboard functionality inherent in browsers and operating systems to manipulate data, often leading to unintended user actions or financial loss. This technique exploits the user's expectation that copied content will be identical to pasted content.

Attack Vector & Techniques

'ClickFix' attacks typically work by replacing legitimate clipboard content with malicious data the moment a user copies information. For example, a user might copy a cryptocurrency wallet address, only for the malicious script to swiftly swap it with the attacker's wallet address before it's pasted. Similar techniques can be used to inject malicious commands into a command-line interface, modify code snippets, or alter critical configuration settings when copied from a compromised website or document. These attacks are particularly effective because they exploit a fundamental and trusted user interaction, making them hard to detect without careful verification.

Implications

The implications of 'ClickFix' attacks are broad, ranging from financial fraud and cryptocurrency theft to remote code execution and data exfiltration. As users frequently rely on copy/paste for speed and convenience, the potential for widespread impact is significant. Organizations and individuals must raise awareness about this vector and consider tools or practices that verify pasted content, especially for sensitive operations.

Emerging Browser-Based Exploits: Pixnapping & EtherHiding

Overview

The latest weekly threat intelligence recap highlights advanced browser-based attack techniques known as 'Pixnapping' and 'EtherHiding.' These methods represent evolving ways attackers are leveraging browsers to deceive users and execute covert malicious activities.

Key Findings / Implementation Details

• Pixnapping Attacks: These involve sophisticated manipulation of visual elements within a browser. Attackers use techniques like CSS injection, JavaScript manipulation, or overlaying fake elements to alter what a user sees on a legitimate webpage. This can lead to highly convincing phishing scams, unauthorized transactions, or tricking users into revealing sensitive information by interacting with what appears to be a trusted interface.
• EtherHiding: This technique focuses on concealing malicious code within seemingly benign web resources. Attackers embed JavaScript or other executable code within CSS files, SVG images, or other non-executable file types that are loaded by the browser. Once loaded, the hidden code is then extracted and executed, often to deploy cryptocurrency miners, serve malicious advertisements, or redirect users to phishing sites. This obfuscation makes detection by traditional security tools challenging.

Implications

These advanced techniques underscore the need for robust browser security defenses, including content security policies (CSPs), strict script execution controls, and advanced behavioral analysis. Users should remain vigilant, verify the authenticity of websites, and avoid interacting with suspicious pop-ups or visual anomalies, as 'Pixnapping' and 'EtherHiding' can turn seemingly safe browsing into a significant security risk.

Browser Security Updates & CISA KEV Additions

Overview

October's Patch Tuesday brought a deluge of security updates, and CISA continues to update its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the constant need for vigilance and timely patching across all software, including web browsers.

Microsoft Patch Tuesday Insights

Microsoft's October 2025 Patch Tuesday addressed a total of 172 CVEs, including two publicly disclosed vulnerabilities, three zero-days under active exploitation, and eight critical vulnerabilities. While the specific browser-related CVEs are not individually highlighted in the summary, Microsoft's monthly updates frequently include patches for its Edge browser, addressing issues in the Chromium-based engine, rendering components, and JavaScript engines. Users of Microsoft Edge, as well as other Chromium-based browsers like Google Chrome, Brave, and Opera, should ensure their browsers are updated to the latest stable versions to receive critical security fixes.

CISA KEV Catalog Updates

CISA has also continued to add new exploited bugs to its Known Exploited Vulnerabilities (KEV) Catalog, with recent additions pertaining to Microsoft, Apple, and Oracle. While specific browser vulnerabilities are not detailed in the general alert, updates from Apple (affecting Safari/WebKit) and Microsoft (affecting Edge) are routinely included in such critical vulnerability lists. Organizations are strongly advised to consult the CISA KEV catalog regularly and prioritize patching for all listed vulnerabilities, as they represent flaws actively being exploited by threat actors.

Actionable Advice

Given the continuous stream of vulnerabilities and active exploitation, maintaining updated browsers and operating systems is paramount. Enable automatic updates for all browsers and ensure browser extensions are scrutinized and kept to a minimum, sourced only from official stores.

References

1. 131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign - The Hacker News
2. Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches - The Hacker News
3. ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More - The Hacker News
4. October 2025 Patch Tuesday: Two Publicly Disclosed, Three Zero-Days, and Eight Critical Vulnerabilities Among 172 CVEs - CrowdStrike
5. Five New Exploited Bugs Land in CISA's Catalog — Oracle and Microsoft Among Targets - The Hacker News
6. CISA Adds Microsoft, Apple and Oracle Vulnerabilities to KEV Catalog - The Cyber Express