January 2, 2025
When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions
News has been making headlines over the weekend of the extensive attack campaign targeting browser extensions and injecting them with malicious code to steal user credentials. Currently, over 25 extensions, with an install base of over two million users, have been found to be compromised, and customers are now working to figure out their exposure (LayerX, one of the companies involved in

Dec 30, 2025The Hacker NewsBrowser Security / GenAI Security

News has been making headlines over the weekend of the extensive attack campaign targeting browser extensions and injecting them with malicious code to steal user credentials. Currently, over 25 extensions, with an install base of over two million users, have been found to be compromised, and customers are now working to figure out their exposure (LayerX, one of the companies involved in protecting against malicious extensions is offering a complimentary service to audit and remediate organizations’ exposure – to sign-up click here).

While this is not the first attack to target browser extensions, the scope and sophistication of this campaign are a significant step up in terms of the threats posed by browser extensions and the risks they pose to organizations.

Now that details of the attack have been publicized, users and organizations need to assess their risk exposure to this attack and to browser extensions in general. This article is aimed at helping organizations understand the risk posed by browser extensions, the implications of this attack, and actionable steps they can take to protect themselves (for an in-depth overview, see a detailed guide on protection against malicious browser extensions).

Browser Extensions Are the Soft Underbelly of Web Security

Browser extensions have become a ubiquitous part of the browsing experience, and many users often use such extensions to fix their spelling, find discount coupons, pin notes, and other productivity uses. However, most users don’t realize that browser extensions are routinely granted extensive access permissions that can lead to severe data exposure should those permissions fall into the wrong hands.

Common access permissions requested by extensions include access to sensitive user data such as cookies, identities, browsing data, text input, and more, which can lead to data exposure on the local endpoint and credential theft of user identities.

This is particularly a risk to organizations since many organizations do not control what browser extensions users install on their endpoints, and credential theft of a corporate account can lead to exposure and a data breach at the organizational level.

A New, More Dangerous Threat:

Although the fallout from this attack campaign is still unfolding, and compromised extensions are still being discovered, there are a number of takeaways that can already be noted:

  1. Browser Extensions are Becoming a Major Threat Surface. This campaign targeting multiple extensions demonstrates that hackers are taking notice of the extensive access granted to many permissions and the false sense of security that many users are operating under, and are explicitly targeting browser extensions as vehicles for data theft.
  2. GenAI, Productivity, and VPN Extensions Were Particularly Targeted: The list of impacted extensions indicates that extensions that deal with VPN, data processing (such as note-taking or data security, or AI-enabled extensions) were mainly targeted. It’s too early to tell whether this is because these extensions tend to be more popular (and therefore more appealing for an attacker in terms of reach), or due to the permissions that these extensions are granted that attackers want to exploit.
  3. Public Extensions in the Chrome Store are Exposed. It appears that extensions were compromised as a result of a phishing campaign targeting the publishers of browser extensions on the Chrome Web Store. The details on who to target were apparently collected from the Web Store itself, which includes details of the extension author, including their email address. While the Chrome Web Store is the best-known source for extensions, it is not the only one, and some enterprise-grade extensions are deployed directly.

How To Protect Your Organization:

While many users and organizations are not aware of the potential risks associated with browser extensions, there are a number of key actions they can take to protect themselves:

  1. Audit all extensions: Many organizations don’t have a full picture of all extensions that are installed in their environment. Many organization allow their users to use whichever browsers (or browsers) they wish to use, and install whatever extensions they want. However, without a full picture of all extensions on all browsers of all users, it is impossible to understand your organization’s threat surface. This is why a full audit of all browser extensions is a foundational requirement for protecting against malicious extensions.
  2. Categorize extensions: As this attack campaign – that primarily targeted productivity, VPN, and AI extensions – demonstrates, some extension categories are more susceptible to vulnerability than others. Part of this is the popularity of certain types of extensions that makes them appealing to attack because of their broad user base (such as various productivity extensions), and part of it is because of the permissions granted to such extensions, that hackers may wish to exploit (such as access to network and browsing data given to VPN extensions, for example). This is why categorizing extensions is a useful practice is assessing the browser extension security posture.
  3. Enumerate extension permissions: While understanding which extensions are installed in corporate environments is one side of the coin, the other side of the coin is understanding what those extensions can do. This is done by enumerating their precise access permissions and listing all the information they can potentially access.
  4. Assess extension risk: Once they understand what permissions they have installed on corporate endpoints and the information that these extensions can touch (via their permissions), organizations need to assess the risk posed by each individual extension. A holistic risk assessment should encompass both the permission scope of the extension (i.e., what it can do), as well as external parameters such as its reputation, popularity, publisher, install method, and more (i.e., how much we trust it). These parameters should be combined into a unified risk score for each extension.
  5. Apply adaptive, risk-based enforcement: Finally, taking into consideration all the information they have at hand, organizations should apply adaptive, risk-based enforcement policies tailored to their uses, needs and risk profile. They can define policies to block extensions that have certain permissions (e.g., access to cookies), or define more complex rules tailored to their specific use case (e.g., block AI and VPN extensions with a ‘High’ risk score).

While browser extensions offer many productivity benefits, they also expand organizations’ threat surface and risk of exposure. The recent attack campaign targeting browser extensions with malicious code should be a wake-up call for organizations to define their approach to protecting against malicious and compromised browser extensions.

Click here to download a comprehensive guide on protecting against malicious browser extensions to help organizations fully understand the threat, why existing solutions don’t provide adequate coverage, and how they can protect themselves.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

New “DoubleClickjacking” Exploit Bypasses Clickjacking Protections on Major Websites New

New “DoubleClickjacking” Exploit Bypasses Clickjacking Protections on Major Websites

Iranian and Russian Entities Sanctioned for Election Interference Using AI and Cyber Tactics Iranian and Russian Entities Sanctioned for Election Interference Using AI and Cyber Tactics

Iranian and Russian Entities Sanctioned for Election Interference Using AI and Cyber Tactics

Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy

New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy

You may have missed

X Will Offer Streaming and Financial Services in 2025, Says CEO X Will Offer Streaming and Financial Services in 2025, Says CEO

X Will Offer Streaming and Financial Services in 2025, Says CEO

OnePlus 13 Series: A Sneak Peek at the Next Big Thing OnePlus 13 Series: A Sneak Peek at the Next Big Thing

OnePlus 13 Series: A Sneak Peek at the Next Big Thing

OpenAI’s AI Training Opt-Out Tool for Creators Might Be Delayed OpenAI’s AI Training Opt-Out Tool for Creators Might Be Delayed

OpenAI’s AI Training Opt-Out Tool for Creators Might Be Delayed

Vivo X200 Ultra Design Revealed via Alleged Render; Specifications Tipped Vivo X200 Ultra Design Revealed via Alleged Render; Specifications Tipped

Vivo X200 Ultra Design Revealed via Alleged Render; Specifications Tipped

Redmi 14C 5G Price in India, Chipset Details Tipped Ahead of Launch Redmi 14C 5G Price in India, Chipset Details Tipped Ahead of Launch

Redmi 14C 5G Price in India, Chipset Details Tipped Ahead of Launch

Facebook and Instagram Might Soon be Filled With AI Users Facebook and Instagram Might Soon be Filled With AI Users

Facebook and Instagram Might Soon be Filled With AI Users