Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.
§ Context
Assumed environment: target extension has hundreds of thousands of installs, auto-update enabled (default). Maintainer hasn't enrolled in store-side 2FA, or has weak / reused credentials.
§ Steps
- 01. Auto-update fires across fleet (Initial Access; T1078: Valid Accounts)
- 02. Mass cookie / cred harvest (Credential Access; T1539: Steal Web Session Cookie)
- 03. Pick a popular extension with weak maintainer (Reconnaissance; W-RECON-GITHUB-DORK: GitHub / GitLab Dorking)
- 04. Maintainer account takeover (Initial Access; SUP-PACKAGE-TAKEOVER: Package Maintainer Takeover)
- 05. Push malicious update (Persistence; BX-EXT-UPDATE-TAKEOVER: Extension Update Channel Takeover)
§ References
- T1078: Valid Accounts
- T1539: Steal Web Session Cookie
§ Frequently asked
- What is the "Compromised extension auto-update → fleet compromise" attack path?
- Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Auto-update fires across fleet (T1078) — an initial-access primitive. Assumed environment: target extension has hundreds of thousands of installs, auto-update enabled (default).
- What is the final impact of this kill-chain?
- The final step lands on Push malicious update (BX-EXT-UPDATE-TAKEOVER), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- 5G core GTP-U user-plane injection → subscriber MITM (shared techniques: 2)
  Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (shared techniques: 2)
  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022) (shared techniques: 2)
  Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- Insider admin panel coercion → mass account takeover (Twitter 2020) (shared techniques: 2)
  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- Build-system implant → signed supply-chain backdoor (SolarWinds-class) (shared techniques: 2)
  Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
- Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class) (shared techniques: 2)
  Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.