Sunday, 09 Mar 2025

16 hijacked browser extensions expose 3.2 million users

Kurt the CyberGuy recommends deleting 16 browser extensions immediately in response to a report saying over 3.2 million web users were affected by a security breach.



These extensions, which appeared genuine, were secretly embedding harmful scripts, stealing data and manipulating search results. 

Originally built for tasks like ad blocking, emoji input and screen recording, these extensions were repurposed through covert updates that exploited the extensive permissions users had granted, enabling real-time manipulation of web activity.

Several of the compromised extensions are commonly utilized and may be present in your browser. For instance, ad blockers such as AdBlock are valued for eliminating disruptive advertisements and enhancing browsing privacy. However, in this breach, these tools were manipulated to deliver malicious payloads. The following extensions have been identified as affected:

If any of these extensions are installed on your browser, it is recommended that you assess their permissions and consider their removal until official security updates are verified.

The malicious extensions bypassed Content Security Policy protections, which are designed to prevent cross-site scripting attacks, allowing attackers to modify web content without detection. They also communicated with command-and-control servers to receive further instructions, showing a high level of coordination. The attackers exploited the trust users place in the Chrome Web Store and its automatic update system. Investigations suggest this activity has been ongoing since at least July 2024.

If you have installed one of the above-mentioned extensions on your browser, remove it as soon as possible. To remove an extension from Google Chrome, follow these steps:

Here are 6 ways to safeguard your sensitive information and maintain your online privacy:

2. Install extensions only from trusted sources: Official browser stores like the Chrome Web Store or Firefox Add-ons have rules and scans to catch bad actors, but they're not perfect. Extensions from random websites or third-party downloads are far more likely to hide malware or spyware. Stick to the official store for your browser - don't download extensions from sketchy links. 

4. Be skeptical of extensions requesting unnecessary access: Some extensions overreach on purpose. A calculator tool asking for your browsing history or a weather app wanting your login data is a huge red flag.

Before installing, ask: "Does this permission match the extension's job?" If the answer's no, don't install it. Watch out for broad permissions like "Read and change all your data on websites you visit" unless it's clearly justified (e.g., a password manager). If an update suddenly adds new permission requests, dig into why. It might mean the extension has been sold or hacked.
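
The check in item 4, as an added example (not code from the original article): a Python sketch that compares the manifest.json of two versions of one extension and reports what the update newly requests. The sample manifests, the extension name and the choice of which API permissions count as sensitive are constructed assumptions.

```python
import json

# Host patterns that grant access to every site (the broad
# "read and change all your data" permission the article warns about).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look when an update adds them (assumed selection).
SENSITIVE_APIS = {"cookies", "debugger", "declarativeNetRequest", "history",
                  "scripting", "tabs", "webRequest"}


def requested(manifest: dict) -> set:
    """Collect everything the manifest asks for: API permissions, host
    permissions (MV3 key or MV2 mixed list) and content-script match patterns."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def audit_update(old: dict, new: dict) -> dict:
    """Compare two versions of one extension's manifest and report what the
    update added, split into broad host access, sensitive APIs and the rest."""
    added = requested(new) - requested(old)
    return {
        "broad_hosts": sorted(added & BROAD_HOSTS),
        "sensitive_apis": sorted(added & SENSITIVE_APIS),
        "other": sorted(added - BROAD_HOSTS - SENSITIVE_APIS),
    }


# Constructed sample manifests for a hypothetical emoji-keyboard extension.
OLD = json.loads("""{"manifest_version": 3, "name": "Sample Emoji Keyboard",
  "version": "1.4.0", "permissions": ["storage", "clipboardWrite"]}""")
NEW = json.loads("""{"manifest_version": 3, "name": "Sample Emoji Keyboard",
  "version": "1.5.0",
  "permissions": ["storage", "clipboardWrite", "declarativeNetRequest", "scripting"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]}""")

if __name__ == "__main__":
    report = audit_update(OLD, NEW)
    for category, items in report.items():
        print(f"{category}: {', '.join(items) or 'none'}")
```

Any entry under `broad_hosts` or `sensitive_apis` for a tool whose job does not need it is the cue to disable the extension and look into why the update asked for it.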

Browser extensions can improve functionality but also pose significant security risks if not carefully managed. If you have any of the above extensions installed in Chrome, you should remove them immediately. Treat your browser as a key part of your digital security. Regularly check your extensions, remove unnecessary permissions and be cautious about automatic updates, even from trusted sources.


Copyright 2025 CyberGuy.com. All rights reserved.
