Malware

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

June 25, 2026

An analysis of a popular Google Chrome ad block extension for YouTube, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has uncovered the ability to execute arbitrary JavaScript code. According to Island, the extension has more than 10 million installs and carries a Featured badge on the Chrome Web Store. While the add-on offers the promised functionality of blocking ads on YouTube, it also features capabilities to run arbitrary JavaScript code on any website, activated by a single server-side configuration change, without an extension update, store review, or visible sign of change.

Researchers Oleg Zaytsev and Shachar Gritzman reported that this could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions. There is no evidence that a malicious payload has been distributed, but the presence of the capability, coupled with ties to other ad-blocking extensions removed for malware, raises privacy and security risks. Related extensions taken down include Adblock for Chrome, Adblock for You, and AdBlock Suite.

Adblock for YouTube has been on the Chrome Web Store since 2014, changing ownership in 2018. Early versions shipped with an ad-injection SDK named Unistream SDK, removed in June 2024. Remote-controlled script injection paths have been present since February 2025, allowing creation of arbitrary elements using a bespoke scriptlet rule (trusted-create-element). At the time of analysis, this capability was dormant but could be activated server-side. The extension runs on every website, with a URL check for ‘youtube.com’ that can be trivially bypassed.
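A defender-side check for the scope mismatch described above (an extension that serves one site but runs on every website), as an added example that is not code from Island's analysis or from the extension itself. The manifest is constructed for illustration, and the function names `patternHost`, `withinDomain` and `auditScope` are hypothetical.

```javascript
// Added example: flag manifest match patterns that let an extension run
// outside the sites it claims to serve. Sample manifest is constructed.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Extract the host part of a match pattern (scheme://host/path).
function patternHost(pattern) {
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : null;
}

// True when the pattern's host is the expected domain or a subdomain of it.
function withinDomain(pattern, domain) {
  if (BROAD.has(pattern)) return false;
  const host = patternHost(pattern);
  if (!host) return false;
  const bare = host.startsWith('*.') ? host.slice(2) : host;
  return bare === domain || bare.endsWith('.' + domain);
}

// Return every pattern that lets the extension run outside expectedDomains.
function auditScope(manifest, expectedDomains) {
  const findings = [];
  const check = (source, patterns = []) => {
    for (const p of patterns) {
      if (!expectedDomains.some((d) => withinDomain(p, d))) {
        findings.push({ source, pattern: p });
      }
    }
  };
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  check('host_permissions', manifest.host_permissions);
  return findings;
}

// Constructed sample: a "YouTube-only" tool whose second content script
// and host permissions cover all sites.
const sampleManifest = {
  manifest_version: 3,
  name: 'Example YouTube Tool (constructed)',
  content_scripts: [
    { matches: ['*://*.youtube.com/*'], js: ['yt.js'] },
    { matches: ['<all_urls>'], js: ['inject.js'] },
  ],
  host_permissions: ['https://www.youtube.com/*', '*://*/*'],
};

console.log(auditScope(sampleManifest, ['youtube.com']));
```

A clean result only shows the declared scope is narrow; an in-script URL check, like the one the analysis describes, is not visible in the manifest and has to be reviewed in the code.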

The disclosure also comes as Palo Alto Networks Unit 42 detected 18 browser extensions impersonating consumer brands to monetize through affiliate marketing, opening .shop domains in new tabs.

CVEs: CVE-2026-11645

Malware: Unistream SDK

Companies: Island, Palo Alto Networks, Unit 42

Products: Adblock for YouTube, Adblock for Chrome, Adblock for You, AdBlock Suite