
Malicious Extensions Hijack Chrome and Edge Users

A new large-scale browser security incident has compromised millions of users worldwide. Eighteen popular Chrome and Edge extensions, once trusted by users, have been quietly turned into malicious tools, redirecting users to phishing websites and collecting sensitive browsing data. This alarming discovery highlights the growing threat of ‘sleeper agent’ extensions—tools that start off clean but turn rogue through stealth updates.

What Happened?

Security researchers uncovered that cybercriminals secretly hijacked 18 well-known browser extensions, targeting more than 2.3 million users. These extensions, initially legitimate, were updated with malicious code that activates every time users visit a new website. The compromised extensions began capturing visited URLs, tracking user behavior, and in some cases, redirecting users to dangerous sites delivering malware or phishing scams.

List of Known Malicious Extensions:

  • Emoji Keyboard
  • Free Weather Forecast
  • Video Speed Controller
  • Unlock Discord
  • Dark Theme
  • Volume Max
  • Unblock TikTok
  • Unlock YouTube VPN
  • Color Picker (Geco)
  • Weather (various versions)

The list also includes Edge-specific extensions such as Volume Booster, SearchGPT, and Flash Player. Even extensions with thousands of positive reviews and verified badges were weaponized in this attack.

How Did This Happen?

The weaponization happened through auto-updating mechanisms that browsers like Chrome and Edge use by default. Once you grant permissions and trust to these extensions, future updates can silently introduce malicious behavior without notifying the user. This method allowed attackers to bypass initial security checks and deliver harmful payloads months or even years after the extension’s original release.

The Malicious Behavior:

  • Collecting all visited URLs
  • Logging unique user IDs
  • Silent redirection to phishing or malware sites
  • Potential for credential theft and spyware delivery

What Should Users Do?

  1. Check your browser extensions:
    • In Chrome: Menu → More Tools → Extensions
    • In Edge: Settings → Extensions
  2. Remove any suspicious or listed extensions immediately.
  3. Clear your browsing data: Make sure you erase Cookies, History, and Cached files.
  4. Run a full antivirus and malware scan using trusted tools like Malwarebytes or Windows Defender.
  5. Reset browser settings to default:
    • Change homepage and search engine back to safe defaults.
    • Change passwords for any sensitive accounts accessed recently and enable two-factor authentication (2FA).
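
For the first two steps, the review can also be done from disk. The script below is an added example, not code from the researchers or the browser vendors: it walks a profile's Extensions folder, resolves each extension's display name, compares it with the names listed in this post, and reports whether the extension can run on every site. It assumes the standard Chromium layout of Extensions/<id>/<version>/manifest.json; the function names are hypothetical.

```python
import json
from pathlib import Path

# Names from this post's list; a match is a prompt to review, not proof.
LISTED = ["emoji keyboard", "free weather forecast", "video speed controller",
          "unlock discord", "dark theme", "volume max", "unblock tiktok",
          "unlock youtube vpn", "color picker", "weather", "volume booster",
          "searchgpt", "flash player"]
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def load_json(path):
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir, manifest):
    """Resolve localized names of the form __MSG_key__ from _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs = load_json(ext_dir / "_locales" / locale / "messages.json")
        for key, entry in msgs.items():
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return entry.get("message", name)
    return name

def audit_extensions(extensions_root):
    """Summarize every <id>/<version>/manifest.json under extensions_root."""
    findings = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        m = load_json(path)
        if not m:
            continue
        perms = [p for p in m.get("permissions", []) if isinstance(p, str)]
        hosts = set(perms) | set(m.get("host_permissions", []))
        for script in m.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        name = display_name(path.parent, m)
        findings.append({
            "id": path.parent.parent.name,
            "version": m.get("version", "?"),
            "name": name,
            "name_listed": any(n in name.lower() for n in LISTED),
            # Broad host access lets extension code run on every page visited.
            "all_sites_access": bool(hosts & BROAD),
            "reads_tabs": "tabs" in perms,
        })
    return findings
```

On a default Windows profile the folder is usually `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` for Chrome and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions` for Edge. Because this post gives names rather than extension IDs, treat a `name_listed` hit as a reason to inspect the extension, especially when `all_sites_access` is also true.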

The Bigger Picture: Sleeper Agent Threats

This incident underscores a broader systemic problem: extensions that appear safe at first can become malicious over time. Chrome Web Store and Microsoft Edge Add-ons have limited ability to detect and block malicious code added in updates. As a result, users can be compromised long after installing what seemed to be a trusted tool.

Final Thoughts

Browser extensions can be incredibly useful, but they also pose serious risks when abused. Users must remain vigilant, regularly review installed extensions, and remove those that are unnecessary or suspicious. Cybersecurity is an ongoing process—staying informed and proactive is the best defense against emerging threats.

Stay safe online!

 

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.