extension

SlowMist has issued a security warning stating that a high-risk phishing activity targeting TRON wallet users has been discovered. Attackers created a fake Chrome extension for the TronLink wallet, using Unicode bidirectional control characters and Cyrillic homographs to disguise the brand name. After installation, the extension loads a complete phishing page through a remote iframe, forming a "shell-core separation" credential theft chain.The malicious extension name uses homographs for disguise, and its Chrome Store page inherits the high user count and positive reviews of the real extension, lowering the review threshold. There is very little local code, only loading remote pages, making static analysis nearly impossible to detect malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, Keystore files, and passwords, and relaying them in real-time via a Telegram Bot.Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian users to evade detection. SlowMist recommends immediately uninstalling suspicious extensions, clearing local storage, checking for abnormal traffic, and if credentials have been entered, creating a new wallet and transferring assets immediately.

According to the security agency Blockaid (@blockaid_), the Ekubo Protocol is currently experiencing ongoing attacks on a v2 custom extension contract on Ethereum, resulting in a loss of approximately $1.4 million.The root cause of the attack lies in the fact that the IPayer.pay callback of this extension does not effectively restrict the source of the parameters, allowing attackers to control the payer, token, and amount parameters, thereby arbitrarily transferring authorized tokens. Users of the core Ekubo protocol are not affected, but users who have authorized this v2 contract as a token spender face direct risks. Blockaid recommends that relevant users immediately revoke their authorization.

According to CNBC, the crypto data and research platform Blockworks announced the completion of its Series A extension financing, with a post-money valuation of $192 million. This round was co-led by Parafi Capital and Reciprocal Ventures, with participation from several institutions including Coinbase Ventures, Advancit Capital, and MoonPay. Over 20 founders and operators from projects such as Solana, LayerZero, Pyth, EigenLayer, Kraken, Arbitrum, and Polygon also participated personally, though the specific financing amount has not been disclosed.The company stated that the crypto market has grown to a trillion-dollar scale without the infrastructure of traditional capital markets, but still faces issues such as data fragmentation, inconsistent disclosures, and a lack of communication mechanisms for investors. Blockworks aims to fill this gap through a "data + disclosure + investor relations" integrated framework.

According to PR Newswire, fintech company Superstate announced the completion of a Series B funding round, with asset management giant Invesco Private Capital, a subsidiary of Invesco, as a new investor, although the amount has not been disclosed.At the same time, Invesco will serve as the investment manager for Superstate's flagship tokenized fund USTB (Short-Term U.S. Treasury Fund) starting in Q2 2026. The fund has a size of approximately $900 million, making it one of the largest tokenized government bond products globally. After the handover, the fund will be renamed, while Superstate will retain the function of digital transfer agency. This move marks Invesco's full entry into the blockchain fund sector.

According to GoPlus citing a Koi report, the Claude Chrome extension under Anthropic has a high-risk prompt injection vulnerability, affecting all versions of the extension below 1.41.Attackers can construct malicious web pages that silently load an iframe containing a cross-site scripting (XSS) vulnerability in the background, executing malicious payloads within the a-cdn.claude.ai subdomain. Since this subdomain is on the extension's trust whitelist, attackers can directly send malicious prompts to the Claude extension and execute them automatically, without requiring user authorization or any clicks, leaving the victim unaware.This vulnerability can allow attackers to manipulate the Claude extension to read users' Google Drive documents, steal business access tokens, or export chat logs, and can take over the current browser session to perform sensitive operations like sending emails as the victim. GoPlus recommends that users immediately update the Claude extension to version 1.41 or above and remain vigilant against phishing links.

The Chief Information Security Officer of Slow Fog Technology, 23pds, issued a reminder to be wary of fake imToken Chrome extensions. A fake imToken Chrome extension in the Chrome Web Store is phishing for seed phrases and private keys.

The cybersecurity agency Moonlock Lab reports that crypto hackers have recently upgraded their "ClickFix" attack method, beginning to impersonate venture capital firms to contact target users through social platforms and lure them into executing malicious code to steal crypto assets.Attackers disguise themselves as fake venture capital firms such as SolidBit, MegaBit, and Lumax Capital, sending collaboration invitations via LinkedIn and guiding victims to fake Zoom or Google Meet meeting links. The pages embed a fake Cloudflare "I am not a robot" verification button, which, when clicked, copies malicious commands to the clipboard and tricks users into pasting and executing them in the terminal, thus completing the attack. Researchers point out that this method circumvents traditional security mechanisms by "making victims execute commands themselves."Meanwhile, hackers are also hijacking browser extensions to carry out attacks. John Tuckner, founder of cybersecurity company Annex Security, revealed that the Chrome extension QuickLens, after changing ownership on February 1, released a new version containing malicious scripts two weeks later, triggering ClickFix attacks and stealing user data. The extension had about 7,000 users and has since been removed from the store. Reports indicate that the hijacked extension scans crypto wallet data and mnemonic phrases, and scrapes Gmail content, YouTube channel data, and web login or payment information.

GoPlus has released a security alert that a vulnerability in the Chrome browser allows malicious extensions to escalate privileges through the Gemini panel. Please upgrade your Chrome browser to version 143.7499.192 or above immediately.This vulnerability allows malicious extensions to control the Gemini Live panel in the Chrome browser, thereby escalating privileges to access the camera and microphone, take screenshots, access local files, and more without user consent. The vulnerability is identified as CVE-2026-0628, and Google has fixed it in the Windows/Mac versions 143.7499.192/.193 and the Linux version 143.7499.192 at the beginning of January 2026. Please check and upgrade your Chrome version immediately.

Binance Wallet announces that its extension now supports the TON network. Users can explore the TON dApp ecosystem and manage their assets, while developers can integrate via TON Connect to reach users.

According to a report from the security agency Socket's Threat Research Team, a malicious Chrome extension named "MEXC API Automator" has been available in the Chrome Web Store since September 1, 2025, capable of stealing users' newly created API keys from the cryptocurrency exchange MEXC and sending them to a Telegram bot controlled by the attacker.The extension lures users with the promise of trading automation, automatically generating MEXC API keys with withdrawal permissions without the user's knowledge, while hiding the display of these permissions in the interface, subsequently leaking the keys along with their ciphertext. This allows attackers to gain complete control over the victim's MEXC account, executing trades, initiating automatic withdrawal operations, and transferring assets within the account. As of the report's publication, the extension is still available for download in the Chrome Web Store, and the research team has reported and flagged this extension to Google.

GoPlus has launched a new feature in its browser extension, GoPredict, which provides event risk identification support for the prediction market Polymarket. GoPredict is based on the official Gamma API of Polymarket and conducts real-time risk analysis of market events from multiple dimensions, including event verifiability, market liquidity, and price volatility. It directly marks risk levels on the Polymarket event list page, helping users quickly identify potential high-risk events before placing bets, reducing the information asymmetry risk for ordinary users in the prediction market, and enhancing participation safety and decision-making efficiency.GoPredict is now available with the GoPlus browser extension, and users can download and experience it through the Chrome Web Store.

Trust Wallet posted on platform X that it is collaborating with Binance to provide a fast verification pathway for a specific group of users affected by the browser extension v2.68 incident, in order to simplify and expedite the compensation process.Binance.com users who deposited funds into the stolen wallet from their Binance accounts before December 24, 2025, can confirm ownership using their Binance accounts. Eligible affected users will receive an email notification from the Trust Wallet support team and will need to submit a verification video as instructed. Users who do not meet the fast verification criteria will continue with the original compensation process.

Trust Wallet posted on platform X that, as part of the reimbursement process, it has introduced a Customer Support Verification Code (CSVC) in the browser extension v2.71.0.Users can view this code by updating the browser extension and going to "Settings" - "Help & Support." This step is designed to confirm wallet ownership, streamline the verification process, and ensure that reimbursement funds are returned to the correct user. Trust Wallet reminds users to keep this code confidential and not to share it publicly.

Trust Wallet posted on X platform that the browser extension is now back on the Chrome Web Store. Additionally, version 2.71.0 has been released, which includes support for customer service verification codes to assist with the claims process.

Trust Wallet CEO Eowync.eth announced on the X platform the latest developments regarding the security incident of the browser extension v2.68, stating that the team has confirmed a total of 2,596 wallet addresses have been affected. Currently, approximately 5,000 compensation claims have been received, which include a large number of duplicate or invalid submissions attempting to fraudulently claim compensation for victims.He stated that accurately verifying wallet ownership is the core focus of the current work. The team is distinguishing between real victims and malicious submitters through multiple data cross-verification methods. The verification work is being conducted in parallel with the evidence collection investigation, and some cases have already formed clearer judgment conclusions, but the overall process is still ongoing.Eowync.eth emphasized that the impact of this incident on users has been fully recognized, and investigation and compensation are currently the highest priorities for Trust Wallet. The team will prioritize accuracy over speed, and will ensure that funds are safely returned to the correct users before promptly announcing further progress information, which is expected to be updated within the next day.

The founder of Slow Fog, Yu Xian, tweeted that the new version of the Trust Wallet browser extension has completely resolved the backdoor issue and no longer contains PostHog-related code. Previously, due to incorrect data from intelligence sources, it was mistakenly believed during analysis that PostHog had not been completely removed.PostHog is an open-source full-chain product analytics platform that can be used to collect various information for analysis. The Trust Wallet browser extension version 2.68.0 had a backdoor that utilized PostHog.

Trust Wallet has officially released a security alert, confirming that version 2.68 of the Trust Wallet browser extension has a security vulnerability. Users on version 2.68 should immediately disable the extension and upgrade to version 2.69 via the official Chrome Web Store link.Additionally, users who only use the mobile version and all other browser extension versions are not affected. The team is actively working on the issue and will share the latest updates as soon as possible.

According to the official announcement, the Binance Wallet extension has added support for custom networks. Currently, custom networks are only available for EVM-compatible chains. Users need to update their wallet extension to version 1.5.0 or higher.

According to PR Newswire, mining equipment manufacturer Canaan Inc. announced the extension of its $30 million stock repurchase plan, prolonging the previous share repurchase authorization to enhance shareholder returns and capital operation flexibility.The company may repurchase $30 million of its issued American Depositary Shares (ADS) over the next 12 months, with each ADS representing 15 shares of Class A common stock. Canaan Inc. had previously launched a stock repurchase plan, but it has now expired, totaling the repurchase of 6,586,413 American Depositary Shares (ADS) for approximately $4.9 million.