A Google Chrome extension named Desbloquear Contuedo has been found to contain a rare banker malware.
Having been removed by the Chrome Web Store, the extension was identified as HEUR:Trojan-Banker.Script.Generic.
The man-in-the-middle (MitM) extension was targetting users of a Brazilian online banking service with the goal of collecting logins and passwords.
MitM attacks redirect people to spoof websites, with the victim being under the impression that they are connected to a legitimate site.
This allows hackers to harvest the personal date being inputted into the spoof website.
Interestingly in this case, the developers made no effort to obscure the source code.
The FindProxyForUrl function was also replaced with a new task that redirected traffic from the bank to the malicious server.
Vyacheslav Bogdanov, a researcher who discovered the attack, said: "Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously."