[stuffoverflow]

Basically they first need to get a remote shell and are then able to replace the extension source with the modified one.

This article does a good job explaining it more in depth.[0]

0: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is...

[n_ary]

Thanks! That is some extensive level of social engineering, reconnaissance and exploiting. Takes a lot of patience and discipline to pull such sophisticated heist.