July 8th, 2025

❓ What:
Researchers at Koi Security discovered nearly a dozen Chrome extensions on the official Web Store with approximately 1.7 million combined installations. These extensions, disguised as helpful tools such as color pickers, VPNs, and emoji keyboards, contain hidden malicious capabilities.
The malicious code, introduced through later updates, registers a background listener that captures every visited URL. The URL and a unique user ID are sent to a remote server, which can in turn deliver commands redirecting the browser to unsafe websites. Because Google's auto-update mechanism rolls extension updates out silently and automatically, no end-user interaction was required.
Compromised extensions were also found in the Microsoft Edge store, adding another 600,000 installs, making the total infected users over 2.3 million.
⚠️ Impact:
Privacy breach & tracking: Every site visited by a user with one of the extensions was logged—not just for data analytics, but potentially for targeted phishing or surveillance.
Browser hijacking: Extension hosting servers can redirect users to malicious and/or phishing pages, escalating the threat landscape beyond passive monitoring.
Trust erosion: Many identified extensions were legitimate, verified extensions with good reviews and high Web Store rankings, allowing them to bypass user suspicion.
Stealth deployment: The malicious payload was introduced via Google's automatic extension updates, without user consent.
💡 Recommendations:
It is recommended to remove any of the following Chrome extensions:
Color Picker, Eyedropper
Emoji keyboard online
Free Weather Forecast
Video Speed Controller
Unlock Discord
Dark Theme
Volume Max
Unblock TikTok
Unlock YouTube VPN
Unlock TikTok
Weather
Once browser extensions have been removed, clear browsing data to delete tracking identifiers and run an anti-virus scan.
Implement enterprise extension whitelisting or blocking via administrative tools. Monitor updates and revoke auto-update privileges for riskier add-ons.
Educate users to reassess browser extensions regularly—especially those with access to tabs, URLs, and redirection APIs.
Use automated third-party tools or frameworks to analyze extensions post-deployment for anomalous or malicious behavior (e.g., hidden tracking, URL exfiltration).
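As an added defender-side example (not from the advisory, Koi Security, or Google), here is a Python triage script that reads extension manifests from a browser profile and flags names listed above as well as permission grants that allow URL capture or redirection; the `assess` and `scan_profile` helpers and the sample manifests are assumptions constructed for this illustration.

```python
# Triage browser extension manifests for the two capabilities the advisory describes:
# observing every visited URL and redirecting the browser. Hypothetical helper, not
# Koi Security's or Google's tooling; names come from the advisory, samples are constructed.
import json
from pathlib import Path

# Advisory names, matched case-insensitively as a name prefix (store listings often
# append a suffix). A prefix hit is a triage hint; confirm against the store listing.
ADVISORY_NAMES = [
    "Color Picker, Eyedropper", "Emoji keyboard online", "Free Weather Forecast",
    "Video Speed Controller", "Unlock Discord", "Dark Theme", "Volume Max",
    "Unblock TikTok", "Unlock YouTube VPN", "Unlock TikTok", "Weather",
]
# Grants that let a background script see every navigation ("tabs", "webNavigation",
# "<all_urls>") or rewrite/redirect requests ("webRequest", "declarativeNetRequest").
RISKY = {"tabs", "webNavigation", "webRequest", "declarativeNetRequest", "<all_urls>"}

def assess(manifest: dict) -> dict:
    """Assess one parsed manifest.json (Manifest V2 or V3) and return findings."""
    name = manifest.get("name", "")
    grants = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):  # content scripts on every page count too
        grants.update(script.get("matches", []))
    risky = sorted(grants & RISKY)
    listed = any(name.lower().startswith(n.lower()) for n in ADVISORY_NAMES)
    verdict = "remove" if listed else ("review" if risky else "ok")
    return {"name": name, "version": manifest.get("version", "?"),
            "listed_in_advisory": listed, "risky_grants": risky, "verdict": verdict}

def scan_profile(extensions_dir) -> list:
    """Assess every <extensions_dir>/<extension id>/<version>/manifest.json.
    Typical paths: ~/.config/google-chrome/Default/Extensions (Linux) or
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (Windows).
    Names like "__MSG_appName__" are localized; resolve them via _locales/."""
    results = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            results.append(assess(json.load(fh)))
    return results

SAMPLE_MANIFESTS = [  # constructed for illustration, not real extension manifests
    {"name": "Color Picker, Eyedropper", "version": "3.4.1", "manifest_version": 3,
     "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "Page Translator", "version": "2.0.0", "manifest_version": 3,
     "permissions": ["webNavigation", "storage"]},
    {"name": "Spreadsheet Helper", "version": "1.0.0", "manifest_version": 2,
     "permissions": ["storage"]},
]
```

Run `scan_profile()` against a real profile directory and treat every "remove" verdict as an uninstall, every "review" verdict as a candidate for the manual or automated analysis the last recommendation describes.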