Security researchers recently uncovered a major privacy breach involving 18 browser extensions for Google Chrome and Microsoft Edge that were secretly monitoring users’ online activity. These extensions were downloaded over 2.3 million times from official web stores, appearing to offer helpful utilities — from emoji keyboards to weather updates and dark themes.
Despite looking legitimate, some of these extensions operated as “sleeper agents”: clean when initially published, but later updated to include malicious code that hijacked browser behavior. This strategy allowed them to bypass initial security checks and build trust with users before activating harmful features.
What Did These Extensions Do?
Once activated, the malicious code enabled a browser hijacking mechanism that executed each time a user opened a new page. Specifically, the extensions could:
- Capture URLs of the pages users visited.
- Send this data to remote servers with a unique tracking ID.
- Receive redirect instructions from a command-and-control (C&C) server.
- Redirect users to malicious sites without their consent.
One example provided by researchers involves a scenario where a user clicks a legitimate Zoom link, only to be redirected to a fake site prompting them to download a “critical update.” In reality, this trick could install malware and give attackers deeper access to the system.
Most of the extensions have since been removed from the Chrome and Edge web stores. However, millions were affected — showing that even official platforms can host dangerous software.
Why This Matters
These events remind us that not every extension in an official store is safe, even though downloading from external sources remains riskier. Even legitimate-looking extensions with good reviews and verified badges can be weaponized later through updates.
What You Should Do
If you’ve used any of the following extensions, it’s time to take action:
Potentially Malicious Chrome Extensions:
- Emoji keyboard online
- Free Weather Forecast
- Unlock Discord
- Dark Theme
- Volume Max
- Unblock TikTok
- Unlock YouTube VPN
- Geco colorpick
- Weather
Potentially Malicious Edge Extensions:
- Unlock TikTok
- Volume Booster
- Web Sound Equalizer
- Header Value
- Flash Player
- Youtube Unblocked
- SearchGPT
- Unlock Discord
Steps to Stay Secure:
- Uninstall suspicious extensions immediately.
- Clear all browsing data (cookies, cache, history) to remove tracking data.
- Reset your browser settings to default.
- Change passwords for sensitive accounts, especially if accessed recently.
- Enable two-factor authentication wherever possible.
- Monitor accounts for unusual activity or login attempts.
- Run a full antivirus/malware scan on your system using tools like Malwarebytes.
A Final Word of Caution
If a browser extension suddenly requests new permissions after an update, stop and review what it’s asking. If it doesn’t align with the extension’s purpose, consider removing it.
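As an added illustration of the two points above (an update that quietly adds the permissions needed to watch and redirect every page, and the advice to review new permission requests), the following Python script is not from the original article or from Nubetia: it reads extension manifests, flags the permission set that makes URL capture plus redirection possible, and diffs a baseline manifest against an updated one. The sample manifests are constructed, and the risk policy is this example's own, not a vendor classification.

```python
import json
from pathlib import Path

# Permission names are real Chrome/Edge ones; calling them "high risk" is this
# example's own policy: together with a broad host pattern they let an extension
# see every URL a user visits and redirect it, the behaviour described above.
HIGH_RISK = {"tabs", "webNavigation", "webRequest", "scripting", "cookies", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def risky_permissions(manifest: dict) -> set:
    """High-risk API permissions and broad host patterns a manifest declares."""
    declared = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | (declared & BROAD_HOSTS)
    return (declared & HIGH_RISK) | (hosts & BROAD_HOSTS)

def permissions_added(old: dict, new: dict) -> set:
    """Risky capabilities present after an update that the baseline lacked."""
    return risky_permissions(new) - risky_permissions(old)

def can_hijack_navigation(manifest: dict) -> bool:
    """True when an extension can both observe every visited page and act on it."""
    risky = risky_permissions(manifest)
    return bool(risky & {"tabs", "webNavigation", "webRequest"}) and bool(risky & BROAD_HOSTS)

def audit_profile(extensions_dir: Path) -> dict:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json (Chrome's on-disk
    layout) and map each extension to the risky capabilities it declares."""
    report = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        risky = risky_permissions(manifest)
        if risky:
            report[f"{path.parts[-3]}@{path.parts[-2]}"] = sorted(risky)
    return report

# Constructed sample manifests, not from any real extension: version 1.0 of a
# "theme" needs only storage; the 1.1 update quietly adds the ability to read
# every visited URL and reach every site, with a background worker to do it.
THEME_V1 = {"name": "Example Dark Theme", "version": "1.0", "manifest_version": 3,
            "permissions": ["storage"]}
THEME_V2 = {"name": "Example Dark Theme", "version": "1.1", "manifest_version": 3,
            "permissions": ["storage", "tabs", "webNavigation"],
            "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "bg.js"}}

if __name__ == "__main__":
    print("added on update:", sorted(permissions_added(THEME_V1, THEME_V2)))
    print("can hijack navigation:", can_hijack_navigation(THEME_V2))
```

Pointing `audit_profile` at a browser profile's `Extensions` folder lists every installed extension that already holds this combination, so the same check can run after each update rather than only once at install time.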
At Nubetia, we help organizations stay ahead of cybersecurity threats like these. Contact us to learn how we can protect your digital assets from the inside out.
🔒 Visit www.nubetia.com to learn more.