
When Helpful Browser Extensions Turn Hostile: Over 2 Million Users Compromised

7/10/2025

If you’ve ever installed a Chrome or Edge extension to boost productivity or add convenience to your browser, like picking colors, blocking ads, or speeding up videos, you may want to double-check what’s lurking in your extensions list.

Recently, cybersecurity firm Koi Security revealed a massive campaign where 18 browser extensions, once completely safe and trusted, were secretly transformed into tools for spying and redirecting users to dangerous sites. More than 2.3 million users were affected without ever clicking on a phishing email or downloading a sketchy file.

What Went Wrong?

These were not random, poorly rated extensions from shady developers. Many had glowing reviews, verification badges, and thousands of downloads. Some were even featured in the official web stores. They worked exactly as promised until one day they did not.

A silent update turned them into browser hijackers. Users did not need to click anything new or accept new permissions. The malicious code was added through a normal version update, exploiting the way browsers handle trusted extensions.

What the Malware Actually Did

Once the update was installed, every time a user visited a website, the extension quietly captured the site URL and sent it to a remote server controlled by the attackers. From there, the malware could redirect users to phishing pages, fake login screens, or infected downloads without warning.

To make matters worse, the malware was cleverly hidden. While it collected data and hijacked browser activity, the extensions continued doing their advertised job, such as adjusting video playback or enabling dark mode, so users remained unaware.

Known Malicious Extensions

Some of the compromised tools included:

  • Chrome Extensions:
    • Color Picker Eyedropper Geco colorpick
    • Emoji Keyboard Online
    • Volume Max Ultimate Sound Booster
    • Unlock YouTube VPN
    • Free Weather Forecast
  • Edge Extensions:
    • Flash Player Games Emulator
    • SearchGPT ChatGPT for Search Engine
    • Unlock TikTok
    • Web Sound Equalizer

Though these specific extensions have since been removed from official stores, some attacker-controlled servers remain active, posing an ongoing threat.

How to Protect Yourself

If you suspect you may have used any of these tools, or just want to be proactive, here is what security experts recommend:

  • Remove any suspicious or unnecessary extensions immediately
  • Clear your browsing data, including cache, cookies, and history
  • Reset your browser settings to default to wipe out any hidden changes
  • Change your passwords, especially for accounts accessed while the extension was installed
  • Enable two-factor authentication for an added layer of security
  • Run a full system antivirus scan to catch any hidden malware
  • Be skeptical of extensions that suddenly ask for new permissions after an update

Why This Matters

This is not just a one-time scare. The technique used here, known as extension hijacking, is becoming more common. Attackers sometimes buy out legitimate extensions or infiltrate developer accounts, then push malicious updates to a large user base under the radar.

Even popular and verified extensions are not immune. Your best defense is regular review and cleanup of your browser’s add-ons and being cautious of tools that ask for more access than they need.
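One way to make that review repeatable, as an added example (not code from this article or from Koi Security): a Python audit that reads each installed extension's manifest, flags access to every site, and compares names against the list above. It assumes the Chromium on-disk layout `Extensions/<extension id>/<version>/manifest.json`; the function names are hypothetical, the sample manifests are constructed, and name matching is best effort because the article gives names rather than extension IDs.

```python
import json
import re
import tempfile
from pathlib import Path

# Match patterns that grant access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Names as printed in the article; store listings may punctuate them differently.
LISTED = ["Color Picker Eyedropper Geco colorpick", "Emoji Keyboard Online",
          "Volume Max Ultimate Sound Booster", "Unlock YouTube VPN",
          "Free Weather Forecast", "Flash Player Games Emulator", "Unlock TikTok",
          "SearchGPT ChatGPT for Search Engine", "Web Sound Equalizer"]

def norm(s):  # tolerant comparison: lowercase, alphanumerics only
    return re.sub(r"[^a-z0-9]", "", s.lower())

def audit_extensions(ext_root):
    """Read <ext_root>/<extension id>/<version>/manifest.json for each extension."""
    listed, findings = {norm(n) for n in LISTED}, []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            m = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        # Manifest V3 keeps hosts in host_permissions; V2 mixes them into permissions.
        hosts = {p for k in ("host_permissions", "permissions")
                 for p in m.get(k, []) if isinstance(p, str)}
        for script in m.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        name = str(m.get("name", ""))
        findings.append({"id": path.parts[-3], "name": name,
                         "version": m.get("version"),
                         "broad_access": sorted(hosts & BROAD),
                         "listed": norm(name) in listed,
                         # Localized names are placeholders and cannot be matched.
                         "localized_name": name.startswith("__MSG_")})
    return findings

def demo():
    """Audit two constructed manifests written to a temporary directory."""
    samples = {"a" * 32: {"name": "Unlock TikTok", "version": "2.1",
                          "host_permissions": ["<all_urls>"]},
               "b" * 32: {"name": "Notes", "version": "1.0",
                          "permissions": ["storage"]}}
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            folder = Path(root, ext_id, manifest["version"] + "_0")
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(root)
```

On Windows, the folders to pass to `audit_extensions` for the default profile are typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions`.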

Final Thoughts

What happened here is a chilling reminder that even tools we trust can be flipped against us. As browser extensions become more powerful, they also become more attractive targets for cybercriminals. Staying informed and skeptical is key, but so is having the right support.

That is where Skyriver IT can help. Our team provides proactive IT security services, including regular system audits and employee cybersecurity training. We help businesses detect threats early, secure their digital environments, and stay compliant with best practices.

If you are unsure whether your systems are secure or if your team is at risk from attacks like these, Skyriver IT can conduct a comprehensive security review and help you take preventive action before damage is done.

Your browser is the gateway to your business’s online activity. Treat it like the front door to your digital life and make sure it is locked with the right expertise behind it.
