Fake Chrome Web Store Copyright Notices Target Extension Developers to Steal Google Logins
A new phishing campaign is targeting Chrome extension developers with fake copyright removal notices that pretend to come from the Chrome Web Store. The goal is to steal Google account credentials from developers who manage browser extensions.
According to a Malwarebytes threat report, the scam uses an official-looking takedown warning, a 48-hour deadline, and a fake Google sign-in window to pressure developers into entering their login details.
The risk goes beyond one stolen account. If attackers gain access to a Chrome Web Store developer account, they may be able to modify an existing extension or push a malicious update to users who already trust it.
How The Fake Chrome Web Store Notice Works
The phishing page claims that a developer’s extension faces removal over a copyright complaint. It asks the developer to enter an extension ID or Chrome Web Store listing link, which can make the process look like a normal verification step.
After the developer enters that information, the site pulls public details from the real listing, including the extension name, icon, and store page. The notice then shows those details next to a fake complaint number and a countdown timer.
This personalization makes the message feel more believable. The attacker does not need private information to do this because Chrome Web Store listing details are publicly visible.
Key Details At A Glance
| Detail | Description |
| --- | --- |
| Campaign type | Phishing attack against Chrome extension developers |
| Main lure | Fake Chrome Web Store copyright removal notice |
| Primary goal | Steal Google account credentials |
| Known phishing domain | dmca-chrome-extensions[.]click |
| Main warning sign | Third-party website asking for Google sign-in after a policy warning |
| Potential impact | Developer account takeover and possible malicious extension updates |
Fake Login Window Makes The Scam More Convincing
The most dangerous part of the campaign is the fake sign-in window. It appears to show a Google login prompt with a padlock, title bar, and accounts.google.com text, but it sits inside the phishing page itself.
The Malwarebytes analysis says the fake window also changes its look depending on whether the visitor uses macOS or Windows. That small detail can make the prompt feel familiar enough to lower suspicion.
Developers can spot the trick by checking the real browser address bar. A genuine Google sign-in page should show a Google domain in the actual address bar, not just inside a graphic or embedded window on another website.
Why Extension Developer Accounts Are Valuable
Chrome extensions can receive automatic updates after installation. That makes developer accounts attractive targets because one compromised publisher account could affect many users at once.
A malicious update could add credential theft, tracking, ad injection, redirect behavior, or other unwanted actions. Users may not notice immediately because the update would arrive through an extension they already installed and trusted.
Google says developers should handle enforcement and appeal processes through the Chrome Web Store Developer Dashboard. The company’s Chrome Web Store support page says item enforcement appeals have moved into the Chrome Developer Console.
Warning Signs Developers Should Watch For
- The notice uses a countdown timer or urgent deadline to push immediate action.
- The page asks for a Google login on a non-Google domain.
- The sign-in window cannot move outside the browser tab.
- The window disappears when the browser is minimized.
- The message asks for extension details before showing a complaint.
- The notice does not appear inside the official developer dashboard.
Developers should avoid clicking links inside warning emails. The safer approach is to open the Chrome Web Store Developer Dashboard manually and check whether any warning, takedown notice, or appeal option appears there.
Google’s official appeal guidance also points developers back to the dashboard for account or item-level appeals. That makes any third-party copyright portal claiming to handle Chrome Web Store enforcement highly suspicious.
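The warning signs above can also be checked mechanically when a takedown email lands in a shared publisher mailbox. The following Python sketch is an added example, not code from Malwarebytes or Google: it classifies links by their real hostname, using the phishing domain and the accounts.google.com host named in this article. The chrome.google.com entry, the brand-word list and the sample links are assumptions made for the example.

```python
from urllib.parse import urlsplit

# accounts.google.com is the sign-in host named in the article; chrome.google.com
# (where the Developer Dashboard is served) is an assumption of this example.
TRUSTED_HOSTS = {"accounts.google.com", "chrome.google.com"}
# Phishing domain reported in the article, kept defanged until comparison time.
KNOWN_BAD = {"dmca-chrome-extensions[.]click"}
BRAND_WORDS = ("google", "chrome", "dmca")


def refang(text):
    """Undo common defanging so URLs and indicators compare as real hostnames."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def classify_link(url):
    """Return 'known-phish', 'trusted', 'suspicious' or 'other' for one URL."""
    clean = refang(url.strip())
    try:
        parts = urlsplit(clean)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "suspicious"  # unparseable link in a takedown notice
    bad = {refang(d) for d in KNOWN_BAD}
    if any(host == d or host.endswith("." + d) for d in bad):
        return "known-phish"
    # Exact host match only: 'accounts.google.com.evil.example' must not pass,
    # and urlsplit already drops an 'accounts.google.com@' userinfo prefix.
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return "trusted"
    if any(word in clean.lower() for word in BRAND_WORDS):
        return "suspicious"  # borrows Google/Chrome branding on another host
    return "other"


# Constructed sample links, as they might appear in a takedown email.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "hxxps://dmca-chrome-extensions[.]click/notice",
    "https://accounts.google.com.appeal-review.example/login",
    "https://accounts.google.com@appeal-review.example/",
    "https://example.org/blog",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):12} {link}")
```

A "trusted" verdict only says the link text points at a Google host; the sign-in itself still has to be confirmed in the browser's real address bar, because the fake window in this campaign is drawn inside the page.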
How Developers Can Protect Their Accounts
Developers should secure their Google accounts before they receive a phishing attempt. Stronger authentication can reduce damage even if a password gets exposed.
Google says passkeys provide stronger protection against phishing because they rely on a device-based sign-in method instead of a password that can be typed into a fake page.
- Use passkeys or a hardware security key for the Google account tied to Chrome Web Store publishing.
- Use a dedicated publisher account instead of a personal everyday account where possible.
- Review account recovery options and remove old phone numbers or email addresses.
- Limit who has access to the publisher account.
- Check published extension versions after any suspicious login attempt.
- Monitor Google account activity and sign out unknown sessions.
What To Do If Credentials Were Entered
If a developer entered a password on the fake page, they should act immediately. The first step is to change the Google password from a clean device and sign out of all active sessions.
The developer should then enable stronger authentication through the Google Account passkeys help page or a hardware security key. They should also review Chrome Web Store listings for any unexpected drafts, updates, permission changes, or publisher account changes.
Teams should treat the incident as more than a simple password reset. If attackers accessed the account, they may have reviewed extension code, prepared a malicious update, changed recovery details, or attempted to add new access paths.
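One way to carry out the listing review described above is to compare the `manifest.json` of the package the store currently serves with the one from the team's last known-good release. This Python sketch is an added example, not part of the original report; the extension name, versions and both manifests are constructed, and it assumes the team has already obtained the two manifest files.

```python
import json

# Manifest keys whose growth widens what an extension may do.
GRANT_KEYS = ("permissions", "optional_permissions", "host_permissions")


def grants(manifest):
    """Collect every permission-like grant as (manifest key, value) pairs."""
    found = set()
    for key in GRANT_KEYS:
        found |= {(key, str(value)) for value in manifest.get(key, [])}
    for script in manifest.get("content_scripts", []):
        found |= {("content_scripts.matches", m) for m in script.get("matches", [])}
    return found


def review_published(known_good, published):
    """List differences that the team's last release does not explain."""
    findings = []
    if published.get("version") != known_good.get("version"):
        findings.append(
            f"version {published.get('version')} differs from last release "
            f"{known_good.get('version')}"
        )
    for key, value in sorted(grants(published) - grants(known_good)):
        findings.append(f"new {key}: {value}")
    return findings


# Constructed manifests: the team's last release and what the store now serves.
KNOWN_GOOD = json.loads("""{
  "manifest_version": 3, "name": "Tab Notes", "version": "2.4.1",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["cs.js"]}]
}""")
PUBLISHED = json.loads("""{
  "manifest_version": 3, "name": "Tab Notes", "version": "2.4.2",
  "permissions": ["storage", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]
}""")

if __name__ == "__main__":
    for finding in review_published(KNOWN_GOOD, PUBLISHED):
        print("REVIEW:", finding)
```

An empty result only shows that the manifest is unchanged; script files in the package can differ without any manifest change, so they still need to be compared against the release source.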
FAQ
It is a phishing campaign that targets Chrome extension developers with fake copyright removal warnings. The scam tries to steal Google account credentials through a counterfeit sign-in window.
Malwarebytes identified dmca-chrome-extensions[.]click as a phishing domain used in the campaign. The domain has no connection to Google or the Chrome Web Store.
Developers should open the Chrome Web Store Developer Dashboard directly instead of following links in emails or third-party pages. Real enforcement and appeal options should appear inside the official developer console.
A compromised developer account may let attackers modify an extension or publish a malicious update. Since extensions can update automatically, one stolen account could affect many existing users.
They should change the Google password immediately, sign out of all sessions, enable passkeys or a hardware security key, review account recovery settings, and check all Chrome Web Store listings for unauthorized changes.