
Recent investigations revealed that Chrome and Edge users are being targeted through malicious browser extensions, many of which appeared completely trustworthy.
These compromised add-ons collected browsing data and redirected users to unwanted websites. Alarmingly, some had millions of downloads and even carried verified badges.
The extensions acted as “sleeper agents,” operating safely for months before silently introducing harmful code through routine updates.

Security researchers uncovered that 18 known malicious extensions reached over 2.3 million users globally. Popular extensions like weather widgets, VPNs, and color pickers secretly tracked user activities.
Since these plugins came from official stores, users trusted them implicitly, allowing attackers to harvest data unnoticed. The scale of this incident demonstrates that even verified extensions can pose significant threats.

Attackers used a cunning strategy: release functional, benign extensions to build trust, then later update them with hidden malicious code. Since these updates were delivered through official channels, security systems didn’t flag them.
This method allowed malicious scripts to bypass corporate firewalls and infect millions of users without raising suspicion. It’s a stark reminder that trust in app stores isn’t enough.

Most browser extensions request broad permissions to function, including the ability to read and change all data on visited websites. This level of access makes them potent tools for cybercriminals if misused.
Once compromised, an extension can log your passwords, financial data, browsing history, and even inject harmful scripts directly into webpages you visit.

The list of malicious extensions included VPN proxies, emoji keyboards, video controllers, volume boosters, and even basic weather tools. What’s alarming is how common and seemingly harmless these extensions appeared.
Many users install such utilities routinely, unaware of the hidden risks. This underscores how everyday digital habits can open the door to cyberattacks.

Researchers revealed that compromised extensions often operated safely for months before attackers issued malicious updates. These updates turned previously safe extensions into surveillance tools.
Because these updates came from the original developers, browser stores allowed them without suspicion, proving how attackers can abuse automated update systems to spread malware silently.

In some cases, the compromised extensions acted as silent observers, logging every website you visited and transmitting this information to their remote servers without any visible signs of activity.
These command-and-control servers could even send real-time instructions to force redirects, replacing legitimate sites with phishing pages or malicious download portals.
This stealthy mechanism enabled attackers to manipulate your browsing flow, potentially leading to credential theft and malware infections.

Despite complaints from users and cybersecurity experts, malicious extensions remained available on Chrome and Edge web stores for months, sometimes years. Even after exposure, not all dangerous extensions were removed promptly.
This shows a troubling gap in moderation and security enforcement in these official stores, highlighting why users can’t rely solely on store approvals for safety.

Koi Security, a cybersecurity research team, coined the term “Operation RedDirection” for this mass browser hijacking campaign. Their research uncovered a sprawling network of malicious extensions operating in plain sight.
They traced the operation back to a cluster of suspicious domains that functioned as command hubs for controlling compromised extensions.

These extensions often masqueraded as useful utilities, such as VPNs, dark themes, or productivity tools, making them attractive to unsuspecting users.
Many had high user ratings and positive reviews, which likely helped them bypass scrutiny and maintain trust within official extension stores. Alarmingly, some were even featured or verified by platform moderators, further misleading users.

These malicious extensions often appeared harmless, offering popular services like ad blocking, video management, and document editing.
However, hidden within their code were mechanisms to monitor every online action, alter webpage content, and even inject malicious scripts silently.
Security researchers noted that some of these extensions operated as sleeper agents: initially clean, to build user trust, until a covert update enabled their spying functions.

This covert operation exploited individual users and posed serious risks to businesses, especially those relying on corporate networks.
With browsers effectively hijacked, attackers could bypass bot detection systems, strip security headers, and impersonate legitimate traffic.
Experts warn that compromised browsers operating behind VPNs or within secured networks could unintentionally expose internal resources to external threats.

Users should immediately review their browser extensions and uninstall suspicious or unfamiliar ones. Key names to remove include Emoji Keyboard Online, Free Weather Forecast, Geco ColorPick, Volume Max, Unlock Discord, and any plugins resembling VPN unlockers.
Even verified extensions can’t be trusted if they were part of this malicious operation.

Additionally, reset your browser’s settings to their default state to reverse any unauthorized changes made by malicious extensions, such as altered homepages or search engines.
It’s also wise to update your browser to the latest version, ensuring any newly patched vulnerabilities are applied.
For added security, consider changing passwords, especially for sensitive accounts accessed while infected. Enabling two-factor authentication further strengthens your defenses.
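The permission review above can be done mechanically. The following audit script is an added example, not code from the article or from Koi Security: it reads extension manifests, flags the "all sites plus traffic API" combination the article describes, and shows how a routine update can move an extension from LOW to HIGH risk. The profile path in the docstring and the sample manifests are assumptions/constructed.

```python
import json
from pathlib import Path

# Host patterns matching every site: "read and change all data on the websites you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension watch, rewrite or redirect browser traffic.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "cookies", "history", "tabs", "scripting", "proxy"}

def effective_access(manifest: dict) -> tuple[set, set]:
    """Return (host patterns, API permissions) declared by a manifest. Covers MV2
    (hosts mixed into "permissions"), MV3 "host_permissions" and content_scripts."""
    perms = set(manifest.get("permissions", []))
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts, perms - hosts

def audit_manifest(manifest: dict) -> dict:
    """Rate one manifest: HIGH if it reaches every site AND uses a traffic API."""
    hosts, apis = effective_access(manifest)
    all_sites, risky = bool(hosts & BROAD_HOSTS), sorted(apis & SENSITIVE_APIS)
    risk = "HIGH" if all_sites and risky else "MEDIUM" if all_sites or risky else "LOW"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "all_sites": all_sites, "sensitive_apis": risky, "risk": risk}

def permission_delta(old: dict, new: dict) -> dict:
    """Access a newer manifest adds over an older one; a LOW-to-HIGH jump across a
    routine update is the sleeper pattern the article describes."""
    (oh, oa), (nh, na) = effective_access(old), effective_access(new)
    return {"new_hosts": sorted(nh - oh), "new_apis": sorted(na - oa),
            "before": audit_manifest(old)["risk"], "after": audit_manifest(new)["risk"]}

def audit_profile(extensions_dir: Path) -> list[dict]:
    """Audit <id>/<version>/manifest.json under a profile's Extensions folder, e.g.
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (path is an assumption)."""
    out = []
    for mp in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(mp, encoding="utf-8") as f:
            out.append({"id": mp.parent.parent.name, **audit_manifest(json.load(f))})
    return out

# Constructed sample manifests (not real extensions): a benign release and a later "update".
SAMPLE_V1 = {"name": "Sample Color Picker", "version": "1.0", "manifest_version": 3,
             "permissions": ["activeTab", "storage"], "host_permissions": []}
SAMPLE_V2 = {"name": "Sample Color Picker", "version": "1.1", "manifest_version": 3,
             "permissions": ["activeTab", "storage", "tabs", "declarativeNetRequest"],
             "host_permissions": ["<all_urls>"]}
```

Run `audit_profile(Path(...))` against your own Chrome or Edge profile and look first at anything rated HIGH, then at `permission_delta` between an extension's cached versions if more than one is present.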

Keep a close watch on your online accounts in the weeks after removing malicious extensions. Look for unauthorized logins, password reset requests, or unfamiliar activity, especially for financial services and email platforms.
Enable security alerts from your providers to catch unusual access attempts early. Watch out for emails about login attempts from unknown devices, location-based alerts, or password change confirmations you didn’t request.

Also, avoid downloading extensions from unofficial third-party websites, as these sources often bypass the security checks of official stores.
Before installing any add-on, research the developer’s credibility and read user reviews carefully, watching for recent complaints or permission changes.
Stay alert for unexpected browser behaviors like homepage changes or search redirects; these could signal hidden threats.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.