Malicious Chrome and Firefox browser extensions masquerading as free VPN tools ('VPN Go: Free VPN') were distributed via official extension marketplaces and later updated to include clipboard-stealing functionality. The extensions monitor clipboard contents on a timer, chunk copied text into ~1000-character segments, and exfiltrate data via HTTP GET requests to hardcoded attacker-controlled IP addresses using a /html/continue.php endpoint with uid, part, total, and data query parameters. Both extensions share infrastructure, code patterns, and build artifacts, confirming a common threat actor. The staged update pattern—initial versions functioning as legitimate proxy tools with later versions adding clipboard theft—highlights the risk of extension update supply chain compromise.