Malware that steals passwords from Google Chrome, and can also take screenshots and use laptop cameras, had been hidden since December 2020 in a widely used software repository, and it’s unclear how many applications and other programs may have become infected as a result of this “supply chain” attack.
The malware has been removed from the software repository, but the damage is already done. If you happened to run software that, unbeknownst to its developers, contained this hidden malware, you may have been spied on and your passwords stolen. Unfortunately, we don’t yet know what was built using these corrupted components.
You may never really know if your passwords have been stolen or if your privacy has been compromised in this way. But the incident highlights the dangers of letting your web browser save passwords, because browsers are still too easy to crack.
Instead of saving passwords in your browser, use one of the best password managers, or just write your passwords down in a book or on a piece of paper and keep it in a safe place.
A twisted story of abused trust
According to a blog post published yesterday (July 21) by Boston-area security firm Reversing Labs, the malware abuses a free and legitimate Windows password recovery tool called ChromePass which, as the ChromePass page states, “Allows you to view usernames and passwords stored by the Google Chrome web browser.”
ChromePass itself is nice and useful, although it shows how easy it is to recover saved passwords from Chrome. (It’s also reported as malware by most of the top antivirus programs.)
So how did the malware get into the software repository? It’s complicated, but we’ll try to keep it short.
Many applications are really web browsers
Hundreds of desktop apps, including Discord, Microsoft Teams, Slack, and Spotify, are built using web browser technology. (That doesn’t mean they’ve been infected.) These apps are sort of modified versions of Chromium, the open source browser used as the base for Chrome, Microsoft Edge, Opera, and other web browsers.
According to Reversing Labs, Bleeping Computer, and ThreatPost, these two packages were downloaded by software developers nearly 1,300 times and over 800 times, respectively.
But the upshot is this: don’t save your passwords, especially sensitive passwords that can unlock bank accounts, online messaging services, or social media accounts, in your web browser.
Use a password manager. And use one of the best Windows 10 antivirus programs to detect at least some of the malicious packages.