Do you sometimes feel stuck in a Catch-22 regarding your long-term credential management strategy?
You are.
On the one hand, if the tech industry has its way -- to abolish all passwords and replace them with passkeys -- users will eventually have almost no choice but to rely on password managers for signing in to their favorite sites and apps. Yes, the days of committing user IDs and passwords to memory or cryptically scratching your passwords into an old day planner are numbered.
On the other hand, malicious actors are the lions at our gate. All the password management solution providers we spoke with acknowledge that they're under constant attack by hackers trying to access the proverbial keys to the kingdom and the riches they protect.
Also: 10 passkey survival tips: Prepare for your passwordless future now
"Password managers are high-value targets and face constant attacks across multiple surfaces, including cloud infrastructure, client devices, and browser extensions," said NordPass PR manager Gintautas Degutis. "Attack vectors range from credential stuffing and phishing to malware-based exfiltration and supply chain risks."
Googling the phrase "password manager hacked" yields a distressingly long list of incursions. Fortunately, in most of those cases, passwords and other sensitive information were sufficiently encrypted to limit the damage.
Earlier this year, Picus Security published research indicating that hackers are redoubling their efforts to break into password managers. According to a release from the firm, "25% of malware [now] targets credentials in password stores -- a 3X increase from 2023."
Picus Security co-founder Suleyman Özarslan noted that "threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting, and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom." Threat actors are leaving no stone unturned in hopes of breaking into your password manager.
One of the most recent and terrifying threats to make headlines came from SquareX, a company selling solutions that focus on the real-time detection and mitigation of browser-based web attacks. SquareX spends a great deal of its time obsessing over the degree to which browser extension architectures represent a potential vector of attack for hackers.
Also: I found a malicious Chrome extension on my system - here's how and what I did next
Browser extensions are those small(ish) applications that many of us plug into Chrome, Firefox, Edge, and other browsers to enhance our web experiences. From one browser to the next, there's an underlying architecture that serves as the enabling foundation for such browser extensions to run (in much the same way our smartphone and computer operating systems enable the apps we install on them to run).
In the course of trying to discover certain browser extension vulnerabilities before malicious actors do, SquareX announced in February that it found a sneaky way for a malicious Chrome extension to impersonate 1Password's password management extension. Although the announcement sounds like bad news for Chrome and 1Password users, it's actually much worse. The discovery is relevant to all password managers on Chrome, and it's relevant to all extensions on all popular browsers.
SquareX didn't single out Chrome or 1Password because it found them to be inherently more vulnerable than other browsers or password managers -- or other extensions for that matter. "We picked Chrome as it's the most used browser both within enterprise and in the B2C space," said SquareX founder Vivek Ramachandran in an interview with .
Also: Hackers stole this engineer's 1Password database. Could it happen to you?
Ramachandran emphasized that most extensions, regardless of the browsers they run on, have similar security issues. For example, Firefox and Chromium-based browsers such as Chrome and Edge have the same issues due primarily to how technologies like JavaScript and WebAssembly work.
So, what exactly did SquareX discover? And what measures can you take to prevent your password manager and other extensions from being exploited?
Here's the first thing to know about the exploit, which SquareX refers to as a "polymorphic extension":
It tricks users into working with an impostor extension.
A polymorphic extension is a browser extension that lures you to install it with one advertised benefit, but then morphs into a different extension that convincingly portrays itself as one of the legitimate extensions you've already installed (e.g., your password manager). From a social engineering perspective, it bears a strong resemblance to phishing and smishing. In one of two initial forms that the attack can take, it evades detection by temporarily disabling the legitimate extension without uninstalling it.
Also: I clicked on four sneaky online scams on purpose - to show you how they work
On first blush, the idea that one browser extension could be so disruptive to another extension sounds like the type of software boundary violation any reasonable browser should block as a part of its security architecture. Take Chrome: When a browser extension is first added to the Chrome Web Store, the developer must declare a manifest of permissions that end-users are warned about before that extension can be installed.
For example, according to Google's list of permissions that developers can include in their manifests, if a developer declares that an extension needs access to Chrome's notifications API, the text "Display notifications" will automatically be included in the preinstallation warning seen by users, as shown in the screenshot below:
According to Ramachandran, the list of permissions is too complicated for regular users to make an informed decision, thus increasing the likelihood that a threat actor might get approval for an all-seeing, all-knowing browser "superpower."
Several of the permissions that qualify as superpower permissions are ones that most Chrome extensions, including password managers, shouldn't be asking for. One of those -- the permission for Chrome's chrome.management API (with Firefox, it's the browser.management API) -- is the permission that affords one extension the right to manipulate other extensions.
Also: How AI will transform cybersecurity in 2025 - and supercharge cybercrime
An extension could ask for this permission when it's first installed, or during a subsequent update. Either way, when the developer manifest includes the chrome.management API, the user is presented with the text "Manage your apps, extensions, and themes" as shown in the screenshot above.
But there's no red-flag warning that indicates you're about to enable the extension's developer with a dangerous superpower.
"It might feel like getting permission for the chrome.management API is a tall order, and that an extension that asks for it might require some heavy vetting by Google," Ramachandran told . "But this is not the case. Developers can ask for this permission in the manifest when uploading their extensions to the Chrome Store. So, security in this case depends entirely on the user knowing that this is a problematic superpower permission."
Once the developer of an extension has access to the chrome.management API, not only can they morph their own extension into something else, they can disable other ones and unpin them from the browser's toolbar without detection by the user. In fact, access to the chrome.management API also gives hackers the ability to fully uninstall other extensions.
Also: 5 browser extension rules to live by to keep your system safe
However, according to the chrome.management API documentation, if one extension uninstalls another extension, the user is notified with a pop-up dialog that can't be overridden. Such a dialog would essentially tip off the user to the fact that something's amiss. That's one reason why, in the polymorphic extension attack, the malware extension stealthily falls short of completely uninstalling the legitimate extension it aims to temporarily take the place of.
Instead [as shown in the sequence of screenshots below], to complete the ruse, a polymorphic extension replaces the legitimate extension's icon (where it was pinned in the browser's toolbar) with a doppelganger that, if clicked, activates the polymorphic extension. The first screenshot shows the two extensions pinned to Chrome's toolbar. Circled in blue is the icon for the legitimate 1Password extension. Circled in red is the icon for the malicious extension that the user downloaded and pinned under the pretense that it delivered some other useful value.
Once the malicious extension detects that the user is about to log into a website (which only requires the ability to examine the contents of the current web page), it uses the chrome.management API to disable the legitimate extension and unpin its icon from Chrome's toolbar, as shown below.
Then, as shown below, the malicious extension changes its own icon to look like the one that belongs to 1Password.
By this point, the polymorphic extension will have morphed into an extension that looks and feels like the legitimate extension (reminiscent of how phishing websites impersonate legitimate sites). From there, the malicious extension prompts the unsuspecting user for the credentials to their 1Password account (remember, it could be any password manager) and phones home to the hacker with the newly exfiltrated information.
Then, to clean up after itself, it re-enables the legitimate extension, restores the pinned icons to their original state, and even completes the sign-in process with whatever website the user was authenticating with.
In case the polymorphic extension is unable to garner the user's permission for access to the chrome.management superpower, Ramachandran says there's a contingency plan where it can just as easily pop up a browser window that looks and feels a lot like one of your legitimate extensions.
Also: How to protect yourself from phishing attacks in Chrome and Firefox
"All the attacker would have to do is inject code into the page, which creates a pop-up resembling the UI of the password manager extension," said Ramachandran. "It would take a sophisticated user to realize this is not being served by the real extension."
Injecting code into the current web page is another behavior that, on first blush, sounds like a privilege no extension should have. But as it turns out, pretty much all extensions -- especially password managers -- need permission to read and write to the active browser tab in order to do what they do.
At the moment a website is asking for a user ID and password, a password manager has to read the page to find the user ID and password fields, and then must autofill those fields with the proper credentials in order to complete the login process. When an extension needs these permissions -- as LastPass and other password managers do -- the preinstallation warning will note that the extension can "read and change all your data on all websites," as shown in the partial screenshot below.
First, it's important to realize that security companies like SquareX have to imagine and then animate certain attacks in order to drive demand for their solutions. If SquareX can demonstrate the plausibility of various attacks that haven't happened yet and prove that its solutions can defend against those attacks, it shouldn't be difficult to get some IT professionals to invest in its solutions.
In this case, SquareX has imagined a scenario that, for individual users, is largely predicated on a combination of ill-advised mistakes. For example, the attack is only possible after a user is duped into installing malware -- or maybe it should be called morphware.
Also: How AI agents help hackers steal your confidential data - and what to do about it
Despite efforts by Google to keep the Chrome Web Store free of malware, LastPass Cyber Threat Intelligence Analyst Stephanie Schneider told that "a 2023 study found that extensions containing malware were available on the Chrome Web Store for an average of 380 days. In one case, an extension remained available from December 2013 until it was removed in June 2022." However, Schneider added, "Despite these reported instances, Google stated in 2024 that less than 1% of all installs from the Chrome Web Store were found to include malware."
What are the implications for consumers versus businesses?
When it comes to individual users, the more convincing version of the attack -- the one that looks and feels like the legitimate extension -- requires the user to give the impostor extension the equivalent of superuser privileges. While we cannot completely rule out Ramachandran's contingency scenario involving a standard browser pop-up as an alternative vector for this attack, in our opinion, it is more likely to draw the user's suspicion that something's amiss. Still, given the surprising extent to which end-users continue to be socially engineered by phishers and smishers, either scenario is plausible.
For businesses and enterprises, the attack is predicated on one of two possible scenarios. In the first scenario, users are left to make their own decisions about what extensions are loaded onto their systems. In this case, they are putting the entire enterprise at risk. In the second scenario, someone in an IT role with the responsibility of managing the organization's approved browser and extension configurations has to be asleep at the wheel. The entire point of centrally managing an organization's systems is to make sure unauthorized and unvetted software doesn't somehow find its way onto the corporate network.
The internet is full of false alarms about security vulnerabilities that are made to sound like they need your immediate attention when they don't. But this is a case where:
The transition from passwords to passkeys will result in most of us using a password manager, whether we want to or not.
Threat actors are hell bent on breaking into your password manager.
An overwhelming majority of password manager users will install their password manager's browser extension.
Most end-users have weak moments when they click on otherwise suspicious links or download malicious software.
The choice of operating system (Windows versus Mac) is irrelevant. Browsers are like virtual machines to the extent that they include their own JavaScript and WebAssembly execution platforms.
The password manager solution providers that spoke to us all agree that, although the polymorphic extension attack presented by SquareX is currently a hypothetical attack (no known instances in the wild have been reported), it poses a legitimate threat to their browser extensions.
In other words, this is an attack -- not necessarily a vulnerability -- that merits additional attention and vigilance on behalf of end-users and businesses. As such, here's our advice on how to best defend yourself.
Browser extensions are essentially the downloadable EXEs (executable files) of the browser world. "Just like you would not download and run EXEs which are untrusted or from random sources, the same level of discretion needs to be applied to browser extensions," said SquareX's Ramachandran. "Only install extensions from the Chrome Web Store and make sure they are extensions from trusted publishers. You can find this out by looking at the developer email address domain."
NordPass' Degutis suggested taking things a step further: "Googling a developer or the extension itself is actually a very safety-conscious idea."
Also: How Malwarebytes' security tools can help companies stop online scams before it's too late
Another good source of extension information is the Chrome Web Store's comments section, said Ramachandran. "Extensions with a history of bad behavior generally are reported. Especially be careful of extensions which advertise access to professional versions of other third-party sites (e.g., AI extensions which advertise access to the latest professional edition of ChatGPT)."
Educate yourself on the types of permissions that might convey browser superpowers to an extension that doesn't need them. LastPass's Schneider said, "Unsurprisingly, suspicious extensions generally ask for more permissions than harmless ones. Only use extensions from reputable sources that explicitly state why certain high-level permissions are required."
It's impossible to draw a line in the sand between permissions that are universally innocuous and permissions that could pose a threat. For example, the "Read and change all your data on all websites" permission is required for a password manager extension to work, but not necessarily required for other extensions. We think reputable sources should explicitly state the reasons for every requested permission. After all, why not?
Study the descriptions of extensions carefully and look for typos before downloading them. Threat actors are notoriously bad spellers. In some cases, a keyword might be misspelled in order to evade machine detection. For example, "Before downloading some extension, make sure that the developer is actually 'OpenAI' not 'OqenAI,'" advised Degutis.
Leverage multifactor authentication, advises 1Password's CTO Pedro Canahuati. This advice, particularly when it comes to authenticating with your password manager, cannot be overstated.
Also: Why multi-factor authentication is absolutely essential in 2025
In SquareX's hypothetical scenario, the malicious extension uses a dialog that looks and feels like 1Password's extension to prompt the user for their 1Password user ID and password. However, if your password manager (or any other extension) can be configured to authenticate with a passkey (as it should be), there should be a way to avoid entering your password for your password manager into any extension (the password manager's legitimate extension or that of a malicious polymorphic impostor).
Shown below is an example of how Bitwarden's Chrome extension for its namesake password manager gives users the option of a passkey-driven login that's completed with the assistance of another device (e.g., a smartphone) that itself is logged into the user's Bitwarden account. If a malicious polymorphic extension presented a facsimile of this dialog and the user picked "Log in with device," the entire workflow would come to a screeching halt because the threat actor has no way to move the user to the workflow's next step. (At that point, the user should recognize they might be dealing with an illegitimate extension.)
However, in terms of additional factors of authentication, users should be cautious about having one-time passcodes (OTPs) sent to an email inbox that's open in one of their browser tabs. An extension with the common permission to "Read and change all your data on all websites" could theoretically intercept an OTP that appears on that tab.
NordPass' Degutis also suggests periodic reviews of your installed extensions: "Check your installed extensions at chrome://extensions/ and remove any you don't recognize or no longer use." At the very least, review their permissions to see if they still align with your sense of the extension's functionality and the permissions necessary to enable that functionality.
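As an added example (not code from SquareX, NordPass, or any vendor mentioned here), the following Python script turns that periodic review into something repeatable: it reads the manifest.json of each installed extension under a Chrome profile and flags the "management" superpower permission discussed above, plus the broad host access that Chrome surfaces as "Read and change all your data on all websites." The two embedded manifests are constructed samples, not real extensions, and the profile path in the comment is an assumption about a default Linux install.

```python
"""Audit Chrome extension manifests for the 'superpower' permissions discussed above."""
import glob
import json
import os

# Permission behind "Manage your apps, extensions, and themes": lets one
# extension disable, unpin or uninstall others.
SUPERPOWER_PERMISSIONS = {"management"}
# Host patterns Chrome presents as "Read and change all your data on all websites".
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json (empty if clean)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    optional = set(manifest.get("optional_permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & SUPERPOWER_PERMISSIONS):
        findings.append(f"SUPERPOWER: '{p}' lets this extension manage other extensions")
    for p in sorted(optional & SUPERPOWER_PERMISSIONS):
        findings.append(f"OPTIONAL SUPERPOWER: '{p}' can be requested later via a prompt")
    if hosts & ALL_SITES_PATTERNS:
        findings.append("ALL SITES: can read and change data on all websites "
                        "(expected for a password manager, question it elsewhere)")
    return findings


def audit_profile(profile_dir: str) -> dict[str, list[str]]:
    """Scan every installed extension version under <profile>/Extensions/<id>/<ver>/."""
    results = {}
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
        results[f"{manifest.get('name', ext_id)} ({ext_id})"] = audit_manifest(manifest)
    return results


# Constructed sample manifests (not real extensions) to exercise the checks offline.
SAMPLE_PASSWORD_MANAGER = {"name": "Example Vault", "manifest_version": 3,
                           "permissions": ["storage", "tabs", "scripting"],
                           "host_permissions": ["<all_urls>"]}
SAMPLE_SUSPECT = {"name": "Free Pro Chat Access", "manifest_version": 3,
                  "permissions": ["management", "tabs"],
                  "host_permissions": ["*://*/*"]}

if __name__ == "__main__":
    for label, m in (("vault", SAMPLE_PASSWORD_MANAGER), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_manifest(m))
    # For a real review, point audit_profile() at a profile directory, e.g.
    # os.path.expanduser("~/.config/google-chrome/Default") on Linux (assumed path).
```

A password manager should produce only the ALL SITES line; anything that also trips SUPERPOWER deserves the scrutiny described above before it stays installed.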
Better familiarize yourself with their user interfaces, which could help you to better recognize when an extension -- or an impostor -- is doing something unexpected.
When standard safe-browsing is selected, Chrome "protects against sites, downloads, and extensions that are known to be dangerous." Under standard protection, you may get a warning about one of your installed extensions if Google learns of its malicious nature some days, weeks, or months after you installed it.
However, Chrome's enhanced safe browsing, as shown in the partial screenshot below, "sends the URLs of sites you visit and a small sample of page content, downloads, extension activity, and system information" to Google's AI-powered security services. It's hard to know exactly what Google means by "extension activity." (Google has not yet responded to 's questions about polymorphic extensions.)
Also: That weird CAPTCHA could be a malware trap - here's how to protect yourself
But NordPass's Degutis told that "in this mode, Google AI is scanning websites and downloads (including extensions) against known and emerging threats." Conceivably, now that Google is aware of the polymorphic extension threat, its security models have been trained t...