Nasty malware that steals passwords from Google Chrome and can also take screenshots and use laptop cameras has been hidden since December 2020 in a widely used software repository, and there's no telling how many applications and other programs may have been infected as a result of this "supply chain" attack.
The malware has been removed from the software repository, but the damage is already done. If you happened to run software that, unknown to the software developers, contained this hidden malware, you may have been spied on and your passwords stolen. Unfortunately, we don't yet know what was built using these corrupted components.
You may never truly know if your passwords were stolen or your privacy was compromised in this way. But the incident highlights the dangers of letting your web browser save passwords, because browsers are still too easy to break into.
Instead of saving passwords in your browser, use one of the best password managers, or just write your passwords down in a book or on a piece of paper and keep it someplace safe.
A twisted tale of abused trust
According to a blog post yesterday (July 21) from Boston-area security firm Reversing Labs, the malware abuses a legitimate free Windows password-recovery tool called ChromePass that, as the ChromePass page states, "allows you to view the user names and passwords stored by Google Chrome Web browser."
ChromePass itself is fine and useful, though it does show how easy it is to grab saved passwords from Chrome. (It's also flagged as malware by many of the best antivirus programs.)
So how did the malware get into the software repository? That's complicated, but we'll try to make it short.
Many applications are really web browsers
Hundreds of desktop applications, including Discord, Microsoft Teams, Slack and Spotify, are built using web-browser technology. (This doesn't mean they were infected.) These apps are in a way modified versions of Chromium, the open-source browser used as the basis for Chrome, Microsoft Edge, Opera and other web browsers.
According to Reversing Labs, Bleeping Computer and ThreatPost, those two packages have been downloaded by software developers nearly 1,300 times and more than 800 times, respectively.
But the upshot is: Don't save your passwords, especially not sensitive passwords that can unlock bank accounts, online email services or social-media accounts, in your web browser.
Use a password manager. And use one of the best Windows 10 antivirus programs to catch at least some of the malicious packages.