
"Cybersecurity researchers have disclosed details of a malicious Google Chrome extension that's capable of stealing API keys associated with MEXC, a centralized cryptocurrency exchange (CEX) available in over 170 countries, while masquerading as a tool to automate trading on the platform. The extension, named MEXC API Automator (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh), has 29 downloads and is still available on the Chrome Web Store as of writing. It was first published on September 1, 2025, by a developer named "jorjortan142.""
"In doing so, the installed extension enables a threat actor to control any MEXC account accessed from the compromised browser, allowing them to execute trades, perform automated withdrawals, and even drain the wallets and balances reachable through the service. "In practice, as soon as the user navigates to MEXC's API management page, the extension injects a single content script, script.js, and begins operating inside the already authenticated MEXC session," Socket added."
The MEXC API Automator Chrome extension (ID: pppdfgkfdemgfknfnhpkibbkabhghhfh) was published on September 1, 2025, by developer "jorjortan142" and has 29 downloads on the Chrome Web Store. The extension advertises automated trading by generating API keys with trading and withdrawal permissions on the management page. When a user opens MEXC's API management page, the extension injects script.js into the authenticated session, programmatically creates an API key with withdrawals enabled, tampers with the UI to hide that permission, and exfiltrates the API key and secret to a hardcoded Telegram bot. The stolen keys allow attackers to execute trades, perform automated withdrawals, and drain accessible wallets and balances.
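An endpoint check for the behaviour summarized above, added here as an example and not code from Socket, The Hacker News or the extension: it walks a Chrome profile's Extensions directory, flags the extension ID reported above, and flags any extension whose content script matches a MEXC page and references the Telegram Bot API. The `mexc.com` and `api.telegram.org` strings, the function names and the sample tree are assumptions or constructed for illustration.

```python
import json, tempfile
from pathlib import Path

KNOWN_BAD_IDS = {"pppdfgkfdemgfknfnhpkibbkabhghhfh"}  # ID reported on this page
TARGET_HOST = "mexc.com"           # assumption: host the content script matches
EXFIL_MARKER = "api.telegram.org"  # assumption: Telegram Bot API host in the script

def audit_extensions(ext_root):
    """Scan <ext_root>/<id>/<version>/manifest.json; return sorted (id, reason) pairs."""
    findings = set()
    for manifest_path in Path(ext_root).glob("*/*/manifest.json"):
        ext_id = manifest_path.parts[-3]
        if ext_id in KNOWN_BAD_IDS:
            findings.add((ext_id, "known-bad extension ID"))
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if not isinstance(manifest, dict):
            continue
        for entry in manifest.get("content_scripts", []):
            if not any(TARGET_HOST in m for m in entry.get("matches", [])):
                continue  # content script does not run on the target site
            for js in entry.get("js", []):
                try:
                    body = (manifest_path.parent / js.lstrip("/")).read_text(
                        encoding="utf-8", errors="replace")
                except OSError:
                    continue
                if EXFIL_MARKER in body:
                    findings.add((ext_id, f"{js}: runs on {TARGET_HOST}, references {EXFIL_MARKER}"))
    return sorted(findings)

def make_constructed_profile(root):
    """Build a constructed Extensions tree: one suspicious, one benign extension."""
    samples = {
        "a" * 32: ("https://www.mexc.com/*", "/* constructed: mentions api.telegram.org */"),
        "b" * 32: ("https://example.org/*", "console.log('hello')"),
    }
    for ext_id, (match, script) in samples.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        manifest = {"manifest_version": 3, "content_scripts": [{"matches": [match], "js": ["script.js"]}]}
        (d / "manifest.json").write_text(json.dumps(manifest))
        (d / "script.js").write_text(script)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(make_constructed_profile(tmp)):
            print(finding)
```

The string heuristic is a triage signal only: a match means the extension deserves manual review, and an obfuscated script would not match.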
Read at The Hacker News