Malicious browser extensions caught spying on 2 million users

Every day, millions of people install tiny browser add-ons they believe will improve productivity or entertainment. With so many options available on the Chrome Web Store, users often rely on trust markers like install counts, user reviews and developer reputation to make their choice. Many glance at shiny verification badges and five-star ratings, assume the vetting process was solid, and click “Install” without thinking twice.

But attackers have started to exploit these very signals. Researchers recently uncovered a campaign where 18 browser extensions, all listed on the official Chrome and Edge Web Stores, tracked users’ online activity. These extensions had already racked up more than 2 million installs.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM/NEWSLETTER

How hackers are hiding malware in popular Chrome extensions

Koi Security researchers discovered that attackers used long-term, strategic tactics to weaponize browser extensions. First, they released functional and legitimate utilities to gain user trust. Over time, these extensions collected positive reviews and built a solid reputation. Then, after months or even years of quiet operation, the attackers pushed a silent update that injected malicious scripts into the trusted codebase.

Since these updates came directly from official sources, they easily bypassed corporate firewalls. Unlike phishing emails or shady downloads, the malicious code arrived through routine, automatic updates and raised no immediate red flags.

How malicious Chrome extensions evade detection and spread

As the investigation progressed, researchers traced suspicious traffic back to a seemingly harmless color picker extension. This led them to a cluster of connected domains, each acting as a command and control hub. These servers recorded every URL users visited and issued commands to force redirects to fake websites or ad-heavy landing pages.

Next, the team analyzed the extension’s code more closely and uncovered matching fingerprints in several unrelated tools. These included weather widgets, emoji keyboards, video speed controllers and volume boosters. Although they appeared different on the surface, they shared underlying code and behavior.

HOW 432 ROBOTS ARE RELOCATING A 7,500-TON HISTORIC BUILDING

Together, these extensions reached over two million installations. To avoid detection, the attackers used separate branding and categories for each one, making it difficult for marketplace monitors to spot patterns. Even more concerning, many of the extensions carried a verified badge, which shows how attackers manipulated automated review systems using malicious version updates.

Full list of dangerous Chrome and Edge extensions to uninstall now

The first priority for affected users is immediate removal of the listed extensions, followed by thorough cache clearing and full system scans. Check your computer to see if you have any of these malicious extensions, and if you do, get rid of them. 

• Emoji keyboard online (Chrome)
• Free Weather Forecast (Chrome)
• Unlock Discord (Chrome)
• Dark Theme (Chrome)
• Volume Max (Chrome)
• Unblock TikTok (Chrome)
• Unlock YouTube VPN (Chrome)
• Geco colorpick (Chrome)
• Weather (Chrome)
• Flash Video Player (Chrome)
• Unlock TikTok (Edge)
• Volume Booster (Edge)
• Web Sound Equalizer (Edge)
• Header Value (Edge)
• Flash Player (Edge)
• YouTube Unblocked (Edge)
• SearchGPT (Edge)
• Unlock Discord (Edge)

Immediate actions you should take

If you have any of the extensions linked to the RedDirection campaign installed, take these steps right away to protect your data and devices:

• Remove all affected extensions immediately from both Chrome and Edge browsers.
• Clear your browser data to eliminate stored tracking identifiers.
• Run a full system malware scan using reputable antivirus software to detect any additional threats.
• Monitor your online accounts closely for any unusual or suspicious activity, especially if you accessed sensitive sites while the extensions were active.
• Review all your installed extensions for any suspicious behavior or unknown origins, and remove anything you don’t recognize or trust.

6 ways you can protect yourself from malicious extensions

1) Check your accounts for unusual activity: If you accessed sensitive sites (like online banking) while the extension was active, review those accounts for suspicious behavior and change your passwords immediately. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse. 

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com/Passwords

2) Enable two-factor authentication (2FA): Add an extra layer of security to your accounts by turning on 2FA wherever it’s supported. It can prevent unauthorized access even if your password is compromised.

3) Use strong antivirus software: Even though these malicious extensions come from official stores and update automatically, strong antivirus software can help detect suspicious activities such as hidden trackers, injected scripts or unauthorized redirects. Antivirus adds a crucial layer of protection by scanning for threats that browsers alone might miss, but it should be combined with safe browsing habits for best results.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at CyberGuy.com/LockUpYourTech

4) Reset your browser settings: Restoring your browser to its default state can reverse unwanted changes to your homepage, search engine or other settings.

5) Watch for security alerts: Keep an eye on your email and texts for login warnings or access alerts from services you use. These can help you spot unauthorized activity early.

6) Use a browser with extension permission controls: Some browsers let you limit what data extensions can access (e.g., “only on click” or “only on specific sites”). This can reduce the risk of future attacks.

Kurt’s key takeaway

Browser extensions can be helpful, but they also carry hidden risks. As this case shows, even trusted tools from official stores can turn malicious without warning. That is why it pays to stay alert, review your extensions regularly, and use strong antivirus protection. A few simple habits can go a long way in keeping your browser and your personal data safe.

Do you rely on ratings and reviews when choosing extensions, or do you dig deeper?  Let us know by writing us at Cyberguy.com/Contact

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM/NEWSLETTER

Copyright 2025 CyberGuy.com.  All rights reserved.