Free VPN Extensions on Chrome and Firefox Caught Stealing Clipboard Data, Researchers Warn

Security researchers have identified two browser extensions marketed as free VPN tools that covertly harvested users’ clipboard contents and transmitted the data to attacker-controlled servers.

Researchers at Socket's Threat Research Team uncovered the extensions — “VPN Go: Free VPN” for Google Chrome and “Free VPN by VPN GO” for Mozilla Firefox — after finding that later software updates had quietly introduced malicious code into what initially appeared to be functioning proxy tools.

Combined, the two extensions had nearly 3,700 users at the time of analysis, according to Socket.

What the Extensions Stole

The malicious code continuously monitored users’ clipboards — the temporary storage area where copied text sits before being pasted — and forwarded captured data to external servers.

That matters because people routinely copy passwords, one-time verification codes, cryptocurrency wallet addresses, seed phrases, API keys, and banking information rather than typing them manually.

Any extension with clipboard access can intercept all of it.

How the Attack Evolved

Socket found that the Chrome extension first appeared in December 2025 and initially behaved as advertised.

Developers did not add clipboard-stealing functionality until a late May 2026 update — meaning users who installed the extension months earlier had no reason to suspect it later turned malicious after an automatic background update.

The Firefox extension followed the same pattern, with earlier versions appearing clean before subsequent updates introduced the harmful code.

Both extensions publicly claimed they collected no user data, and their store listings and privacy policies explicitly promised privacy-focused browsing, according to Socket’s findings.

Removal Status

Socket reported both extensions to Google and Mozilla after publishing its findings.

Google removed “VPN Go: Free VPN” from the Chrome Web Store. Mozilla had not removed the Firefox version as of the time of reporting, and the extension’s user count had risen to 3,522 — up from the 3,499 users Socket recorded during its initial analysis.

What Affected Users Should Do

Anyone who installed either extension should remove it immediately.

They should also treat any sensitive data copied while the extension was active as potentially compromised — including passwords, recovery codes, cryptocurrency seed phrases, API tokens, and cloud credentials.

Security experts broadly recommend rotating any exposed passwords, regenerating API keys, and enabling multi-factor authentication — a security method requiring a second form of identity verification beyond a password — on important accounts.

Broader Risk of Free Extensions

The campaign illustrates a well-documented attack pattern in which developers publish a legitimate-looking tool, build a user base, then push a malicious update after winning trust.

Browser extension stores rely heavily on automated screening, which researchers have repeatedly found insufficient to catch post-publication code changes.

The Manifest V3 framework Google introduced for Chrome extensions aimed in part to restrict the kinds of permissions extensions can request, though researchers say determined actors continue to find ways around such controls.
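One check a defender can run against the update pattern described above, as an added example that is not from Socket's report or the article: compare the manifest.json of two versions of the same extension and list any access the newer one requests that the older one did not. The two manifests are constructed samples, since the article does not publish the real extensions' manifests, and the function names are hypothetical.

```python
import json

# Entries worth a manual look when they first appear in an update.
# clipboardRead / clipboardWrite are standard WebExtension permission names;
# the broad match patterns let scripts run on every page a user visits.
SENSITIVE = {"clipboardRead", "clipboardWrite", "<all_urls>", "*://*/*"}

# Constructed sample manifests (not taken from the extensions in the article).
OLD = """{"manifest_version": 3, "name": "example-proxy", "version": "1.0.0",
          "permissions": ["proxy", "storage"]}"""
NEW = """{"manifest_version": 3, "name": "example-proxy", "version": "1.4.0",
          "permissions": ["proxy", "storage", "clipboardRead"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}"""

def requested(manifest):
    """Collect everything a manifest asks for, across MV2 and MV3 keys."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts run inside web pages, where copy and paste events are
    # visible to them, so their match patterns count as requested reach too.
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms

def diff_update(old_json, new_json):
    """Return what the newer version requests that the older one did not."""
    old, new = json.loads(old_json), json.loads(new_json)
    added = requested(new) - requested(old)
    return {
        "from": old.get("version"),
        "to": new.get("version"),
        "added": sorted(added),
        "review": sorted(added & SENSITIVE),
    }

if __name__ == "__main__":
    report = diff_update(OLD, NEW)
    print(f"{report['from']} -> {report['to']}")
    print("newly requested:", report["added"])
    print("needs review:   ", report["review"])
```

A manifest diff only narrows down which update to inspect; the changed scripts still have to be read, because code can change without any new permission being requested.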

Deepak Gupta

Deepak Gupta is a technologist who loves diving into software development, cybersecurity, and new tech. He aims to make complex topics easy to understand, sharing practical insights with fellow tech enthusiasts.
