Almost a dozen malicious extensions with 1.7 million downloads in Google's Chrome Web Store could track users, steal browser activity, and redirect them to potentially unsafe web addresses.

Researchers at Koi Security, a company providing a platform for securing self-provisioned software, discovered the malicious extensions in the Chrome Web Store and reported them to Google. According to the researchers, most of the malicious functionality is implemented in the background service worker of each extension using the Chrome Extensions API, which registers a listener that is triggered every time a user navigates to a new webpage.

Before publishing this article, Koi Security researchers discovered that cybercriminals have also planted malicious extensions in the official store for Microsoft Edge, where they total 600,000 downloads. One of them, ‘Volume Max — Ultimate Sound Booster,’ was also flagged by LayerX researchers last month, who warned about its potential for spying on users, but no malicious activity could be confirmed at the time.

"Combined, these eighteen extensions have infected over 2.3 million users across both browsers, creating one of the largest browser hijacking operations we’ve documented," the researchers say.

Many of those extensions are verified, have hundreds of positive reviews, and are featured prominently on the Chrome Web Store, misleading users about their safety. Furthermore, the malicious code was not present in the initial versions of the extensions, but was introduced at a later time via updates. Given that some of these extensions were safe for years, it is possible that they were hijacked or compromised by external actors who introduced the malicious code.
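Because the code arrived through updates and sits in the background service worker, one defensive check is to compare two versions of an extension and list what only the newer one can do. The following is an added example, not code from the article or from Koi Security; the list of navigation events, the sample extension, and the names `profile` and `diffVersions` are assumptions made for illustration.

```javascript
// Added example: report capabilities that first appear in an extension update.
// NAV_EVENTS is an assumed list; the article does not name the API that was used.
const NAV_EVENTS = [
  "chrome.tabs.onUpdated", "chrome.tabs.onActivated",
  "chrome.webNavigation.onBeforeNavigate",
  "chrome.webNavigation.onCommitted", "chrome.webNavigation.onCompleted",
];
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
// Summarise what one version's manifest and service worker allow it to observe.
function profile(version) {
  const m = JSON.parse(version.manifest);
  const worker = (m.background && m.background.service_worker) || "";
  const src = version.files[worker] || "";
  const listeners = NAV_EVENTS.filter((ev) => {
    const pat = ev.replace(/\./g, "\\s*\\.\\s*") + "\\s*\\.\\s*addListener\\s*\\(";
    return new RegExp(pat).test(src);
  });
  const hosts = (m.host_permissions || []).filter((h) => BROAD_HOSTS.includes(h));
  const network = /\bfetch\s*\(|XMLHttpRequest|sendBeacon/.test(src);
  return { permissions: m.permissions || [], listeners, hosts, network };
}

// Compare two versions and list what only the newer one can do.
function diffVersions(oldV, newV) {
  const a = profile(oldV), b = profile(newV);
  const added = (before, after) => after.filter((v) => !before.includes(v));
  const out = {
    permissions: added(a.permissions, b.permissions),
    listeners: added(a.listeners, b.listeners),
    hosts: added(a.hosts, b.hosts),
    networkAdded: !a.network && b.network,
  };
  // A new navigation listener in a worker that also makes requests needs review.
  out.review = out.listeners.length > 0 && b.network;
  return out;
}

// Constructed sample: two versions of a hypothetical extension.
const base = { manifest_version: 3, name: "Sample", background: { service_worker: "bg.js" } };
const v1 = {
  manifest: JSON.stringify({ ...base, version: "1.0", permissions: ["storage"] }),
  files: { "bg.js": "chrome.runtime.onInstalled.addListener(() => {});" },
};
const v2 = {
  manifest: JSON.stringify({ ...base, version: "1.1", permissions: ["storage", "tabs"],
    host_permissions: ["<all_urls>"] }),
  files: { "bg.js": "chrome.tabs.onUpdated.addListener((id, info) => { fetch(ENDPOINT); });" },
};
console.log(diffVersions(v1, v2));
```

String matching of this kind misses obfuscated code, so an empty result is inconclusive rather than a clean bill of health.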
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 08 Jul 2025 14:05:14 +0000