r/hacking 3d ago

DOM-based Extension Clickjacking: Your Password Manager Data at Risk

https://marektoth.com/blog/dom-based-extension-clickjacking/
46 Upvotes

6 comments

15

u/Imaginary_Page_2127 2d ago

Summary of the attack :)

  • User visits a malicious or compromised site.
  • The site injects hidden forms or buttons that appear normal to the user.
  • The user interacts with the site (click, hover, etc.).
  • The extension responds automatically (e.g., autofills credentials) into the hidden fields.
  • Attacker captures the credentials or other sensitive data.
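
The summary above hinges on one step: the extension writes credentials into a field the user cannot actually see. The following is an added example, not code from the linked article or from any password manager, of a defender-side "is this field really rendered to the user?" check that an autofill component could run before filling. The thresholds, the descriptor shape and the function names are assumptions made for this illustration; the decision function takes a plain object so it can be exercised outside a browser, while `collectVisibilityFacts()` builds that object from standard DOM APIs inside a page or content script.

```javascript
// Added example (not from the article or any password manager's own code):
// a visibility gate an autofill component could apply before writing
// credentials into an input. Hidden-field tricks seen in clickjacking
// (opacity:0, 1x1 boxes, off-screen positioning, an overlay sitting on top
// of the field) each trip one of the checks below.

const MIN_VISIBLE_OPACITY = 0.1;  // assumed threshold: below this, treat the field as hidden
const MIN_VISIBLE_SIZE_PX = 8;    // assumed: a real login field is never this small

// Pure decision: takes a descriptor of the field's rendering facts and
// returns { visible: boolean, reasons: string[] } so the caller can log why
// a fill was refused.
function isFieldRenderedVisible(facts) {
  const reasons = [];
  if (facts.displayNoneInChain) reasons.push('display:none on the field or an ancestor');
  if (facts.visibilityHidden) reasons.push('computed visibility is hidden');
  if (facts.effectiveOpacity < MIN_VISIBLE_OPACITY) reasons.push('effective opacity below threshold');
  const { rect, viewport } = facts;
  if (rect.width < MIN_VISIBLE_SIZE_PX || rect.height < MIN_VISIBLE_SIZE_PX) {
    reasons.push('box is zero-sized or tiny');
  }
  const offscreen = rect.x + rect.width <= 0 || rect.y + rect.height <= 0 ||
                    rect.x >= viewport.width || rect.y >= viewport.height;
  if (offscreen) reasons.push('positioned outside the viewport');
  if (!facts.topmostAtCenterIsField) reasons.push('another element covers the field centre');
  return { visible: reasons.length === 0, reasons };
}

// Browser-only helper: gather the facts for a given <input>. Not invoked at
// load time, so the module also runs under Node for the pure function.
function collectVisibilityFacts(el, doc = document, win = window) {
  let effectiveOpacity = 1;
  let displayNoneInChain = false;
  for (let node = el; node && node.nodeType === 1; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    if (cs.display === 'none') displayNoneInChain = true;
    effectiveOpacity *= parseFloat(cs.opacity);  // opacity compounds down the tree
  }
  // Computed 'visibility' already resolves inheritance, so the field's own value is enough.
  const visibilityHidden = win.getComputedStyle(el).visibility === 'hidden';
  const r = el.getBoundingClientRect();
  const top = doc.elementFromPoint(r.x + r.width / 2, r.y + r.height / 2);  // null if off-screen
  return {
    effectiveOpacity,
    displayNoneInChain,
    visibilityHidden,
    rect: { x: r.x, y: r.y, width: r.width, height: r.height },
    viewport: { width: win.innerWidth, height: win.innerHeight },
    topmostAtCenterIsField: top === el || (top !== null && el.contains(top)),
  };
}

// Constructed sample descriptors (not captured from any real site) for a
// quick offline run: one genuine field and three hidden-field patterns.
const SAMPLE_FIELDS = {
  genuine:   { effectiveOpacity: 1, displayNoneInChain: false, visibilityHidden: false,
               rect: { x: 100, y: 200, width: 240, height: 32 },
               viewport: { width: 1280, height: 800 }, topmostAtCenterIsField: true },
  invisible: { effectiveOpacity: 0, displayNoneInChain: false, visibilityHidden: false,
               rect: { x: 100, y: 200, width: 1, height: 1 },
               viewport: { width: 1280, height: 800 }, topmostAtCenterIsField: true },
  offscreen: { effectiveOpacity: 1, displayNoneInChain: false, visibilityHidden: false,
               rect: { x: -5000, y: 0, width: 240, height: 32 },
               viewport: { width: 1280, height: 800 }, topmostAtCenterIsField: true },
  covered:   { effectiveOpacity: 1, displayNoneInChain: false, visibilityHidden: false,
               rect: { x: 100, y: 200, width: 240, height: 32 },
               viewport: { width: 1280, height: 800 }, topmostAtCenterIsField: false },
};

// Returns a map of sample name -> decision, for inspection or testing.
function evaluateSamples() {
  const out = {};
  for (const [name, facts] of Object.entries(SAMPLE_FIELDS)) {
    out[name] = isFieldRenderedVisible(facts);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(evaluateSamples(), null, 2));
}

module.exports = { isFieldRenderedVisible, collectVisibilityFacts, evaluateSamples, SAMPLE_FIELDS };
```

A check like this is a heuristic, not a guarantee: a page controls its own layout and can make a decoy field technically visible, so the stronger mitigations remain the ones already mentioned in this thread, namely requiring an explicit user action before the extension fills anything and limiting the extension's site access to "on click".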

4

u/YourLoveLife 2d ago

Thanks for this. Disabling auto fill on my manager now.

2

u/Heclalava 1d ago edited 1d ago

Seems attacks rely on JavaScript, so blocking scripts with NoScript or similar is good as a primary defense.

I also disabled manual autofill - and switched to copy/paste only.

Plus as per the article I did the following:
Extension settings → site access → "on click"

With this setting, the browser extension will not access the site. The user can temporarily grant access by clicking on the extension icon in the upper right corner.

Edit: moved to the desktop client instead of the browser extension. Seemed the safest move.

-12

u/Novel_Standard_2275 2d ago

Hello reddit I request this Instagram account ben (name of =@tet.eranglong

8

u/stoner420athotmail 2d ago

Where do you think you are?

-6

u/Novel_Standard_2275 2d ago

I don't like this account