Malicious browser extensions caught spying on 2 million users
Every day, millions of people install small browser add-ons that they believe will improve productivity or entertainment. With so many options available in the Chrome Web Store, users often rely on trust markers such as install counts, user reviews and developer reputation to choose among them. Many see the bright verification badges and five-star ratings, assume that the vetting process was solid and click “Install” without thinking twice.
But attackers have begun to exploit these same signals. Recently, researchers discovered a campaign in which 18 browser extensions, all listed in the official Chrome and Edge web stores, tracked user activity. These extensions had already accumulated more than 2 million installs.

A person who uses Google on a laptop. (Kurt “Cyberguy” Knutsson)
How hackers are hiding malware in popular Chrome extensions
Koi Security researchers discovered that the attackers used a long-term strategy to weaponize browser extensions. First, they launched functional, legitimate utilities to gain user trust. Over time, these extensions collected positive reviews and built a solid reputation. Then, after months or even years of quiet operation, the attackers pushed a silent update that injected malicious scripts into the trusted code base.
Since these updates came directly from official sources, they easily bypassed corporate firewalls. Unlike phishing emails or shady downloads, the malicious code arrived through routine, automatic updates and raised no immediate red flags.
How malicious Chrome extensions evade detection and spread
As the investigation advanced, the researchers traced suspicious traffic to an apparently harmless color picker extension. This led them to a cluster of connected domains, each acting as a command-and-control center. These servers recorded every URL users visited and issued commands to force redirects to fake websites or heavy landing pages.
Then, the team analyzed the extension code more closely and discovered matching fingerprints across several seemingly unrelated tools. These included weather widgets, emoji keyboards, video speed controllers and volume boosters. Although they looked different on the surface, they shared the underlying code and behavior.
Together, these extensions reached more than two million installs. To avoid detection, the attackers used separate brands and categories for each one, which made it difficult for store monitors to detect patterns. Even more worrying, many of the extensions carried a verified badge, which shows how the attackers manipulated automated review systems using malicious version updates.

Complete list of dangerous Chrome and Edge extensions to uninstall now
The first priority for affected users is to remove the listed extensions immediately, then clear the browser cache thoroughly and run full system scans. Check your computer to see if you have any of these malicious extensions, and if you do, get rid of them.
- Emoji keyboard Online (Chrome)
- Free weather forecast (Chrome)
- Unlock Discord (Chrome)
- Dark theme (Chrome)
- Max volume (Chrome)
- Tiktok unlock (Chrome)
- Unlock the YouTube VPN (Chrome)
- GECO COLORPICK (Chrome)
- Climate (Chrome)
- Flash video player (Chrome)
- Unlock Tiktok (Edge)
- Reinforcement volume (Edge)
- Web sound equalizer (Edge)
- Header value (Edge)
- Flash Player (Edge)
- Unlocked YouTube (Edge)
- Searchgpt (Edge)
- Unlock discord (Edge)
Immediate actions to take
If you have any of the extensions linked to the redirection campaign installed, take these steps immediately to protect your data and devices:
- Remove all affected extensions from the Chrome and Edge browsers immediately.
- Delete your browser data to eliminate stored tracking identifiers.
- Run a full system malware scan using reputable antivirus software to detect any additional threats.
- Monitor your online accounts closely for any unusual or suspicious activity, especially if you accessed sensitive sites while the extensions were active.
- Check all your installed extensions for suspicious behavior or unknown origins, and remove anything you do not recognize or trust.

A person who writes on a laptop. (Kurt “Cyberguy” Knutsson)
6 ways to protect yourself from malicious extensions
1) Check your accounts for unusual activity: If you accessed sensitive sites (such as online banking) while the extension was active, check those accounts for suspicious behavior and change your passwords immediately. Consider using a password manager, which generates and stores complex passwords, reducing the risk of password reuse.
See the best password managers of 2025, reviewed by experts, at Cyberguy.com/Passwords
2) Enable two-factor authentication (2FA): Add an extra layer of security to your accounts by turning on 2FA wherever it is supported. It can prevent unauthorized access even if your password is compromised.
3) Use strong antivirus software: Although these malicious extensions come from official stores and are updated automatically, strong antivirus software can help detect suspicious activity such as hidden trackers, injected scripts or unauthorized redirects. Antivirus adds a crucial layer of scanning protection for threats that browsers alone can miss, but it must be combined with safe browsing habits for the best results.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com/Lockupyoutech
4) Reset your browser settings: Resetting your browser to its default state can reverse unwanted changes to your home page, search engine or other settings.
5) Watch for security alerts: Keep an eye on your email and text messages for login warnings or access alerts from the services you use. These can help you detect unauthorized activity early.
6) Use a browser with extension permission controls: Some browsers let you limit what data extensions can access (for example, “on click” or “on specific sites”). This can reduce the risk of future attacks.
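The extension review in the action list above and the permission limits in tip 6 can be partly automated. The Python below is an added example, not code from the article or from Koi Security: it reads each installed extension's manifest.json and flags the permissions that would allow the URL logging and forced redirects described earlier. The folder layout in the comment and the two sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Typical layout (assumption; varies by OS, browser and profile name):
#   <browser user data dir>/Default/Extensions/<extension id>/<version>/manifest.json
SEES_URLS = {"tabs", "webNavigation", "webRequest", "history"}
CAN_REDIRECT = {"webRequestBlocking", "declarativeNetRequest"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess(manifest):
    """Return the risky capabilities a manifest requests (empty list if none)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))               # Manifest V3
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}  # Manifest V2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = []
    if hosts & ALL_SITES:
        findings.append("runs on every site")
    if perms & SEES_URLS:
        findings.append("can read visited URLs")
    if perms & CAN_REDIRECT:
        findings.append("can block or redirect requests")
    return findings

def audit(extensions_dir):
    """Map '<extension id>/<version>' to findings for one profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        findings = assess(manifest) if isinstance(manifest, dict) else []
        if findings:
            report[f"{path.parts[-3]}/{path.parts[-2]}"] = findings
    return report

# Constructed sample manifests, not taken from any real extension.
SAMPLE_NARROW = {"manifest_version": 3, "name": "sample color picker",
                 "permissions": ["activeTab", "storage"]}
SAMPLE_BROAD = {"manifest_version": 3, "name": "sample volume tool",
                "permissions": ["tabs", "storage", "declarativeNetRequest"],
                "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for sample in (SAMPLE_NARROW, SAMPLE_BROAD):
        print(sample["name"], "->", assess(sample) or "nothing flagged")
```

A flag means the extension could behave like the ones in this campaign after a bad update, not that it does. Compare each finding with what the tool is supposed to do, and remove or restrict anything whose access exceeds its purpose.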
Kurt's key takeaway
Browser extensions can be useful, but they also carry hidden risks. As this case shows, even trusted tools from official stores can turn malicious without warning. That is why it pays to stay alert, review your extensions regularly and use strong antivirus protection. A few simple habits can go a long way toward keeping your browser and personal data safe.
Do you trust ratings and reviews when choosing extensions, or do you dig deeper? Let us know at Cyberguy.com/contact
Copyright 2025 Cyberguy.com. All rights reserved.
Kurt “Cyberguy” Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better, with his contributions for News & News Business starting mornings on “News & Friends.” Got a tech question? Get Kurt's free newsletter, share your voice, a story idea or comment at Cyberguy.com.


