Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, Copyfish 2.8.5, Web Paint 1.2.1, and Social Fixer 20.1.1 were compromised in late July and early August. Kafeine believes TouchVPN and Betternet VPN were also compromised in late June with the same technique.
The main intent of the attack on Chrome extension developers is to divert Chrome users to affiliate programs and replace legitimate ads with malicious ones, ultimately to generate money for the attacker through referrals.
The attackers have also been gathering credentials of users of Cloudflare, an availability service for website operators, which could probably be used in future attacks.
The hijacked extensions were coded mostly to substitute banner ads on adult websites, but also on a range of other sites, and to steal traffic from legitimate ad networks.
At least one of the affiliate programs receiving the hijacked traffic promoted PCKeeper, a Windows-focused tool originally from Zeobit LLC, the maker of the MacKeeper security product that was the subject of a class action suit a few years ago over false security claims.
The phishing emails that compromised developers' Google Accounts purported to come from Google's Chrome Web Store team and claimed that the developer's extension didn't comply with its policies and would be removed unless the issue was fixed.
As Bleeping Computer recently reported, Google's security team has sent an email warning to Chrome extension developers to be on the lookout for phishing attacks. The attackers had created a convincing copy of Google's real account login page.