Stealth Extension Malware: How Attackers Hid Malware in Images & Fonts (And What Developers Must Do Now)

In a move that sent shockwaves through the browser extension ecosystem, Microsoft recently took down over 100 malicious Edge extensions that had been quietly infecting users since early 2025. The kicker? These weren't your run-of-the-mill skimmers or ad injectors. The attackers used a sophisticated technique: hiding malware payloads inside innocent-looking images and font files. For frontend developers who rely on extensions daily, and especially for those who build them, this is a wake-up call.

This article breaks down the technical anatomy of the attack, why image and font steganography is such a potent vector, and, most importantly, what you can do to protect your workflow and your users. We'll also explore how tools like DivMagic can help you avoid the pitfalls of untrusted extensions by letting you copy UI components directly from any website without installing risky add-ons.

The JavaScript in the Edge extension had a core component that could read raw binary data from the assets it fetched. The attackers used the fetch() API to load an asset such as an image or font file, then used ArrayBuffer and Uint8Array to extract the hidden bytes. A snippet of the malicious pattern looked something like this:

    fetch(chrome.runtime.getURL('fonts/icon.woff'))
      .then(response => response.arrayBuffer())
      .then(buffer => {
        // slice the payload bytes out of the font and run them as code
        const hiddenCode = extractFromFont(buffer, offset, length);
        eval(hiddenCode); // dangerous!
      });

This is a classic example of a supply chain attack: the extension itself was the Trojan horse.

Why Images and Fonts? The Perfect Cover

For frontend developers, images and fonts are the bread and butter of UI. We load them from CDNs, embed them as base64, and bundle them with webpack. They're ubiquitous and trusted.
Attackers exploited this trust:

- Low suspicion from entropy – Images and fonts naturally contain high-entropy (random-looking) data, so extra hidden bytes don't trigger red flags.
- No standard scanning – Most security tools don't inspect the internal byte structure of font files or check the least significant bits of every pixel.
- Cross-platform compatibility – A manipulated PNG still renders in any browser; a font with a tampered table still loads on Windows, macOS, and Linux.

The campaign targeted Brazilian users specifically, but the technique is universally applicable. Security teams at Kaspersky noted that the extension achieved a 99.99% threat detection bypass rate against some scanners.

Detecting and Preventing Stealth Extensions

So what can you do? Here's a practical checklist for developers and organizations.

For Developers (Personal Workstation)

- Audit your extensions – Go through every installed extension and ask: "Do I still need this? Does it need those permissions?"
- Check source code – For open-source extensions, review the GitHub repo. Look for suspicious eval(), fetch() of internal assets, or ArrayBuffer manipulation.
- Use DivMagic to reduce extension count – Instead of installing multiple UI-related extensions, use DivMagic to copy any component from any website directly. One tool replaces a dozen.

For Teams (CI/CD Pipeline)

- Add extension scanning – Use tools like chrome-webstore-api to programmatically check the extensions used by your team.
- Block suspicious extensions – Use group policy or MDM to allow-list only approved extensions.
- Monitor network traffic – Malicious extensions often phone home. Use a proxy or firewall to detect unusual outbound connections from the browser.

For Extension Developers

- Validate all assets – Implement checksum verification for your bundled images and fonts. Compare against known good hashes at build time.
- Use Content Security Policy (CSP) – Restrict script execution and disallow eval().
CSP can block many steganographic payloads: the hidden bytes can still be fetched, but without eval() they lose their most direct route to execution.
- Scan with OSS tools – Use stegdetect or custom scripts that check for anomalous entropy in font tables.

Comparing Security Approaches

Let's compare a traditional multi-extension workflow vs. a consolidated approach using DivMagic:
