The  Hacker News is reporting on a spearphishing attack that has compromised over 1 million people.

How could this happen?  Over one million users use the popular chrome extension “Web Developer.” The bad guys spearphished the developer of “Web Developer” and then used the access they gained from spearphishing to modify “Web Developer” and push the modified code to over 1 million users.  The malicious version of “Web Developer” turned the victim’s web browser into an advertising nightmare by injecting ads on web pages.  It took several hours for the real developer of “Web Developer” to correct the problem and issue an update.  The bad guys had the potential to earn substantial ad commissions during the period that “Web Developer” was compromised.  What else they did is not known.  The bad guys could have done all sorts of things — even stealing passwords. The Hacker News article offers defensive advice for users of “Web Developer.”