Browser extension Phishing attack

cableghost · February 10, 2026, 5:01pm

I’ve narrowed this supposed-phishing attack to the Bitwarden browser extension. Norton indicates it’s ‘Safe’, however, this alert just started popping up since ext update. I’ve had the browser extension for years, along w/ Norton, and Norton did make any adjustments to phishing attack code.
Please advise.

Norton notification…

Details

Threat name: URL:Phishing
Threat type: Phishing - This is a scam designed to steal sensitive information like your credit card number, banking credentials, or passwords.
Status: Aborted
Detected by: Safe Web

Origin

Downloaded from: https://phish.co.za/latest/phishing-links-ACTIVE.txt

Activity

Path | Type | Status
https://phish.co.za/latest/phishing-links-ACTIVE.txt | URL | Blocked

Nail1684 · February 10, 2026, 5:12pm

… I think, this was answered / “resolved” on Reddit today: https://www.reddit.com/r/Bitwarden/comments/1r0w65l/chrome_browser_extension_suspicious_connection/

(short summary: the URL https://phish.co.za/... belongs to Phishing Database · GitHub which Bitwarden uses for the new Phishing Blocker in the browser extension – so it seems like a false positive by Norton)

grb · February 11, 2026, 12:05am

Quoted from Bitwarden support in the Reddit thread:

Norton is generating a false positive because the domain name contains “phish” and the file contains a list of phishing domains.

So evidently, they think that a real attacker would actually use a domain name containing the word phish!!?!

system · March 13, 2026, 12:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.