The security of digital assets remains a key concern as hacks are becoming a common phenomenon. Now, the MEGA Chrome extension (latest version 3.39.4) has been compromised and can steal users' Monero in addition to other sensitive information, according to Monero's posts on the social media platforms Twitter and Reddit. The official Twitter account of Monero (XMR) posted a warning, advising XMR holders to steer clear of MEGA.

MEGA, a New Zealand-based company offering cloud storage and file hosting services, also posted an announcement with details: "On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated."

Another user SerHack @serhack_ tweeted:

Redditor u/gattacus posted on Monero’s official Reddit page that they became suspicious of foul play when an extension update requested a new permission:

"There was an update to the extension and Chrome asked for new permission (read data on all websites). That made me suspicious and I checked the extension code locally (which is mostly javascript anyways). MEGA also has the source code of the extension on github https://github.com/meganz/chrome-extension. There was no commit recently. To me it looks either their Google Webstore account was hacked or someone inside MEGA did this. pure speculation though."
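The signal the Redditor describes, a new broad permission appearing in an update, can be checked automatically by diffing the manifests of two extension versions. The sketch below is an added example, not code from MEGA or from the original post; both manifests are constructed samples and the function names are hypothetical.

```javascript
// Flag permission escalation between two versions of an extension's
// manifest.json. The manifests below are constructed samples, not MEGA's files.

// Host patterns that give an extension access to every site, which Chrome
// surfaces as "Read and change all your data on the websites you visit".
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Collect everything a manifest requests at install time: API permissions,
// host permissions (Manifest V2 and V3 keys) and content-script match patterns.
function declaredPermissions(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) perms.add(pattern);
  }
  return perms;
}

// Report permissions present in the new version but not in the old one,
// and single out any that amount to all-site access.
function diffPermissions(oldManifest, newManifest) {
  const before = declaredPermissions(oldManifest);
  const after = declaredPermissions(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const broad = added.filter((p) => BROAD_HOSTS.has(p));
  return { from: oldManifest.version, to: newManifest.version, added, broad };
}

// Constructed sample: the previous version is scoped to a single site.
const previous = {
  version: '1.0.0',
  permissions: ['storage', 'https://example.org/*'],
  content_scripts: [{ matches: ['https://example.org/*'], js: ['content.js'] }],
};

// Constructed sample: the update adds request interception and all-site access.
const updated = {
  version: '1.0.1',
  permissions: ['storage', 'webRequest', 'https://example.org/*', '<all_urls>'],
  content_scripts: [{ matches: ['https://example.org/*'], js: ['content.js'] }],
};

const report = diffPermissions(previous, updated);
console.log(report);
if (report.broad.length > 0) {
  console.log(`ALERT: ${report.from} -> ${report.to} adds all-site access`);
}
```

A non-empty `broad` list on an update with no matching commit in the public source repository is the combination that prompted the manual review described in the post.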

Four hours after the breach occurred, the trojaned extension was updated by MEGA with a clean version (3.39.5), autoupdating affected installations. Google removed the extension from the Chrome webstore five hours after the breach. MEGA said:

"Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

Earlier, in February of this year, researchers from China’s 360Netlab reported that they had found malware called ‘ADB.Miner’, which uses the phone’s hardware power to mine Monero.