Cybersecurity researchers have detected 73 extensions with the information-stealing campaign. Six of the extensions were reported malicious, while the rest were initially harmless until users updated the package. Unsuspected developers were tricked into installing the extensions because it had the same icon and description as the original packages. They created visual trust before serving malware to the users. The end goal was to run malware that avoids Russian systems, steal data, install a trojan, and deploy a Chromium-based extension. More than 320 artifacts were identified since December 21, 2025.