🟠 High | Source: The Hacker News
A malicious browser extension posing as Google Notes is actively stealing cryptocurrency by silently replacing wallet addresses during transactions — a technique known as ‘clipping’. Distributed via unsigned installers in both .NET and Golang variants, the campaign (dubbed Silent Swap by McAfee Labs) targets users across multiple browsers. It is particularly dangerous because victims have no visible indication that their funds are being redirected until it is too late.
Security Architect’s Take: Enforce browser extension allowlisting policies across managed endpoints using tools such as Chrome Enterprise or Microsoft Intune, and block installation of unsigned or unverified extensions. Consider adding clipboard-monitoring detections to your EDR ruleset, and brief development and finance teams — who frequently handle crypto wallet addresses — on the risk of clipboard hijacking.
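One way to express the clipboard-monitoring detection suggested above, as an added example that is not from McAfee Labs or the original advisory: it flags a wallet-shaped clipboard value that is overwritten by a different address of the same family within a short window. The `ClipEvent` telemetry schema, the 2-second window and the sample events are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

# Address shapes only; checksums are not validated.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
}

class ClipEvent(NamedTuple):  # hypothetical EDR telemetry record
    ts: float     # seconds since epoch
    writer: str   # process that set the clipboard
    text: str     # clipboard contents

def classify(text):
    """Return the address family if the whole clipboard is one address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag an address replaced by a different address of the same family
    within `window` seconds, i.e. faster than a person re-copies one.
    The writer is recorded for triage but not used as a condition, because
    an extension writes from the same browser process as the user's copy."""
    alerts, last = [], None  # last = (family, event) of latest address write
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev.text)
        if kind is None:
            last = None  # non-address content ends the sequence
            continue
        if (last and last[0] == kind and ev.ts - last[1].ts <= window
                and last[1].text.strip() != ev.text.strip()):
            alerts.append({"kind": kind, "writer": ev.writer,
                           "original": last[1].text.strip(),
                           "replacement": ev.text.strip()})
        last = (kind, ev)
    return alerts

# Constructed sample telemetry; the addresses are filler, not real wallets.
SAMPLE = [
    ClipEvent(100.0, "chrome.exe", "0x" + "a1" * 20),
    ClipEvent(100.3, "chrome.exe", "0x" + "b2" * 20),  # replaced 0.3 s later
    ClipEvent(200.0, "notepad.exe", "meeting at 3pm"),
    ClipEvent(300.0, "chrome.exe", "0x" + "c3" * 20),
    ClipEvent(345.0, "chrome.exe", "0x" + "d4" * 20),  # 45 s later: user copy
]
```

Tune `window` against your own telemetry before alerting on it, since clipboard managers and password tools can also rewrite the clipboard quickly.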
Original advisory: Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses