Malicious Browser Extension Campaign Impacting 2M+ Users

Security researchers at Koi Security recently uncovered a significant security breach involving a network of malicious browser extensions that have infected over 2.3 million users across Google Chrome and Microsoft Edge browsers. The campaign exposes weaknesses in how the major extension marketplaces verify and monitor extensions, highlighting the potential for widespread abuse.

The research team identified 18 browser extensions masquerading as useful tools—ranging from emoji keyboards and weather updates to video controllers and VPN proxies. These extensions appeared legitimate, often holding verified badges or featured spots in official stores, which are typically taken as marks of trustworthiness. However, beneath this facade, they contained malicious code designed to hijack user browsers and conduct covert surveillance.

How It Operates

The malicious extensions were initially innocuous, functioning as advertised for years. But through silent updates—a standard process for distributing improvements or fixes—attackers injected malicious payloads into the extensions’ codebases. Once updated, these extensions began monitoring user activity by tracking every webpage visited. They would send URL data to remote command-and-control servers, which could then instruct the extensions to redirect users or inject malicious content.

This in-browser hijacking mechanism is sophisticated. Every time a user visits a webpage, the extension’s background script intercepts the visit, reports it, and can redirect the browser to malicious sites. This enables attackers to perform phishing attacks, steal login credentials, or deploy malware—all without any direct user interaction.
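As an added defensive example (not code from the article or from Koi Security), the following Python triages extension manifests for the capability combination this section describes (a background script plus navigation or host permissions broad enough to report and redirect every visit) and diffs two versions of a manifest to surface capabilities that arrived in an update. The sample manifests are constructed, and the profile layout assumed is Chrome's `Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Permissions that let a background script see every page the user visits (track, report, redirect).
NAVIGATION_OBSERVERS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _capabilities(manifest: dict) -> tuple:
    """Collect API permissions, host patterns (MV2 and MV3 layouts) and background-script presence."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))               # MV3 layout
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 puts hosts in permissions
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    bg = manifest.get("background", {})
    return perms, hosts, bool(bg.get("service_worker") or bg.get("scripts") or bg.get("page"))

def extension_risk(manifest: dict) -> dict:
    """Triage one manifest for the indicators that allow tracking and redirecting every visit.
    Triage only: an ad blocker legitimately trips these, so 'review' means inspect, not malicious."""
    perms, hosts, has_background = _capabilities(manifest)
    broad, observers, reasons = hosts & BROAD_HOST_PATTERNS, perms & NAVIGATION_OBSERVERS, []
    if observers:
        reasons.append("navigation observer permissions: " + ", ".join(sorted(observers)))
    if broad:
        reasons.append("broad host access: " + ", ".join(sorted(broad)))
    if has_background and (observers or broad):
        reasons.append("background script with page-wide reach: can report and redirect visits")
    if "scripting" in perms and broad:
        reasons.append("scripting permission with broad host access: can inject into any page")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "reasons": reasons, "review": len(reasons) >= 2}

def added_capabilities(old: dict, new: dict) -> set:
    """Permissions or host patterns present only in the newer version (the silent-update case)."""
    old_p, old_h, _ = _capabilities(old)
    new_p, new_h, _ = _capabilities(new)
    return (new_p - old_p) | (new_h - old_h)

def audit_profile(profile_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return entries needing review."""
    manifests = Path(profile_dir, "Extensions").glob("*/*/manifest.json")
    reports = (extension_risk(json.loads(m.read_text(encoding="utf-8"))) for m in manifests)
    return [r for r in reports if r["review"]]

# Constructed sample manifests (not from the campaign): v1.0 as first shipped, v1.1 after an update.
EMOJI_V1 = {"name": "Emoji Keyboard", "version": "1.0", "manifest_version": 3,
            "permissions": ["storage"], "action": {"default_popup": "popup.html"}}
EMOJI_V2 = {"name": "Emoji Keyboard", "version": "1.1", "manifest_version": 3, "background": {"service_worker": "bg.js"},
            "permissions": ["storage", "tabs", "scripting"], "host_permissions": ["<all_urls>"]}
```

Running `added_capabilities(EMOJI_V1, EMOJI_V2)` shows exactly what a silent update introduced, which is the signal a reviewer or endpoint agent would want to alert on rather than the extension's long-standing presence.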

Over 2.3 million users across both browsers have installed these extensions, many unaware of the threat. Some of these extensions held verified status or were featured prominently in marketplaces, showing a gap in the review and verification processes.

The campaign’s broad range of functional tools—such as unblocking TikTok or boosting volume—also demonstrates how attackers abuse user trust, turning seemingly legitimate utilities into attack vectors.

This case exposes critical vulnerabilities in the security models of browser extension marketplaces. Verification badges and positive reviews, which are intended to ensure safety, can be exploited to facilitate malicious campaigns. Furthermore, the reliance on silent update mechanisms—while convenient for developers—can be abused by threat actors to introduce malware after initial benign operation.

Implications for Users and Enterprises

For users, it is important to exercise caution when installing extensions, even those that seem trustworthy. For organizations, this highlights the importance of rigorous vetting processes for the software used within corporate environments and the need for monitoring solutions that can detect malicious behavior.

Users should review their installed extensions, remove any suspicious or unnecessary ones, and monitor accounts for unusual activity.

Check out Koi Security’s findings, including a list of the extensions and network IOCs, here.
