Attackers are sending fake Chrome Web Store copyright infringement notices to browser extension developers, using a phishing page at dmca-chrome-extensions[.]click that automatically displays the targeted developer’s real extension name, icon, and extension ID to make the fraud convincing. The goal is to steal the developer’s Google account credentials — and with them, publisher rights to push code updates to every user of the extension. Malwarebytes documented the active campaign this week.
How dmca-chrome-extensions[.]click Personalizes the Copyright Phishing Attack
The phishing infrastructure at dmca-chrome-extensions[.]click pulls real extension data from the public Chrome Web Store API: when a targeted developer opens the fake notice link, the page displays their own extension’s name, icon, and ID alongside a fabricated complaint number. The presentation matches what a legitimate Chrome Web Store enforcement notice would show, because the visible extension details are genuinely accurate.
The social engineering exploits a specific psychological state. Extension developers who receive copyright infringement notices are typically anxious and motivated to resolve the complaint quickly. The fake page amplifies that pressure with a countdown timer — creating the impression that inaction within the visible window will result in account consequences.
Real Extension Name, Icon, and ID Pulled from Chrome Web Store API Drive the Deception
The Chrome Web Store API is publicly accessible, meaning any attacker can query it to retrieve the name, icon URL, and extension ID for any published extension. The phishing campaign uses this data to generate personalized fake notices at scale: each targeted developer sees their own actual extension information rather than a generic placeholder.
This personalization is what separates the campaign from generic phishing. A developer who receives a notice showing their own extension’s real name and icon has far less reason to be skeptical than one who receives a templated generic warning. The data required to build that personalization is freely available to anyone who knows the extension ID, which is public.
Fabricated Complaint Number and Countdown Timer as Urgency Mechanisms Against Developers
The fake notice includes a manufactured complaint number that mimics the format of a real enforcement reference. Alongside the countdown timer, these elements are designed to suppress the instinct to verify independently — a developer focused on resolving a time-sensitive copyright issue before a deadline is less likely to navigate directly to the Chrome Web Store developer dashboard to check whether a real notice exists there.
The attack requires no browser exploit, no malicious download, and no software vulnerability. It relies entirely on making the developer enter their Google credentials into a form they believe is legitimate.
One Stolen Extension Developer Account Enables Malicious Code Pushed to Millions of Users
A compromised Chrome extension developer account grants the attacker publisher rights. With those rights, the attacker can push a code update to the published extension — an update that passes through the standard Chrome Web Store update mechanism and reaches every user who has the extension installed and automatic updates enabled. The users receive no separate consent prompt; the update arrives through the same channel as legitimate patches.
This is the supply chain risk that makes extension developer account takeover disproportionately dangerous relative to the number of accounts targeted. One developer credential converts into malicious code delivery to potentially millions of end users who trust the extension they have already installed.
How the 35-Extension Chrome Compromise Wave Proved Account Takeover Enables Supply Chain Attacks
A wave of Chrome extension compromises through account takeover in December 2024 resulted in more than 35 extensions being hijacked — including developer tools with large install bases. Attackers in that campaign gained publisher access through phishing and pushed malicious updates that exfiltrated browser data from affected users.
The current dmca-chrome-extensions[.]click campaign applies the same account-takeover model with a more sophisticated social engineering layer: the personalized fake DMCA notice, complete with real extension data, is a refinement over the methods used in the December 2024 wave. The precedent established that account takeover via phishing is an effective route to Chrome extension supply chain compromise, and this campaign demonstrates the technique being repeated with improved targeting.
Extension developers should verify any copyright infringement notice by navigating directly to the Chrome Web Store developer dashboard and checking the Policy Center there — never by following a link in an email or notification.
