Incident Watch

Malicious Browser Extensions Infect 2.3 Million Users

Learn how attackers bypassed security checks, why browsers are emerging as a top threat vector, and how to defend your organization.

What Happened: Researchers have discovered a large browser-hijacking campaign infecting over 2.3 million users on Chrome and Edge. Attackers used 18 malicious browser extensions, available on both Microsoft and Google’s web stores, to track activity and redirect users to malicious sites. 

A Deep Dive Into The Malicious Browser Extension Attack: 

  • These malicious browser extensions all offered, and actually performed, legitimate functions, from color pickers to weather forecasts and VPN proxies. They appeared trustworthy: positive user reviews, verification badges, and featured placement on both Microsoft's and Google's extension stores. 
  • Initial versions of these extensions were likely benign. Threat actors later introduced malicious code through version updates that passed Microsoft's and Google's store reviews. No phishing or social engineering was required; the already-trusted extensions were quietly updated, and the browsers' automatic extension updates delivered the malicious versions to existing users. 
  • The malicious code sent captured browsing data to attacker-controlled servers and redirected users to phishing sites, raising the risk of credential theft and malware delivery.
The most widely installed of the infected extensions were everyday utilities: weather forecasts, dark themes for Chrome, and a screen color picker. Together these account for almost 70% of the affected installs.

Why This Matters: 

  • Supply-chain compromise via browser-based vectors is on the rise: Threat actors are using browser-based attacks to gain a foothold in development environments and push malicious code into downstream ecosystems. The December 2024 Cyberhaven breach is a notable example: attackers gained control of the vendor's Chrome Web Store publishing account and pushed a malicious version of Cyberhaven's own extension, which exfiltrated session cookies, tokens, and other sensitive data from users who received it as a routine update.

Taking a Step Back: 

  • Browsers are the new attack surface: Over 80% of work happens in the browser, making it the primary interface through which employees access SaaS applications and sensitive organizational data. As a result, browsers have become a high-value target for threat actors seeking entry points into corporate environments. 
  • Traditional security tools have little visibility into browser-based attacks: Email security, endpoint protection, and network monitoring each watch a different layer, and none of them sees what an extension does inside a browser session, where the traffic looks like ordinary HTTPS from a legitimate process. Cybercriminals are taking advantage of this browser blind spot, using techniques from adversary-in-the-middle phishing kits to malicious extensions to gain access. 

How to Protect Against Malicious Browser Extensions: 

General Strategies:

  • Audit existing extensions deployed across the organization
    • Because previously benign extensions were compromised through updates, review installed extensions on a recurring schedule, not only at install time. Track each extension's version and permission set, treat a new broad permission (for example, access to all URLs, cookies, or web requests) as a signal to re-review, and have a response plan ready: identify affected users, remove the extension, and rotate any credentials or session tokens exposed through the browser
  • Implement an extension policy, ideally with an allowlist of approved extensions and everything else blocked by default. Ensure that reviews cover the extension's publisher, the permissions and host permissions it requests, and its update history
  • Implement strong controls to protect users, including browser-based controls to detect credential compromise, strong (ideally phishing-resistant) MFA, and regular user training
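The audit and allowlist steps above can be scripted. The following is an added example, not code from the original article or from Obsidian: it walks a Chrome or Edge profile's Extensions directory (the <profile>/Extensions/<id>/<version>/manifest.json layout both browsers use for Web Store installs), extracts each extension's permissions, flags extensions that are not on an allowlist or that hold broad permissions, and emits the browser's ExtensionSettings policy value that blocks everything except the allowlist. The extension IDs, names, manifests and allowlist are constructed sample data; the HIGH_RISK_PERMISSIONS set is this example's own judgement call, not a category the browsers define.

```python
"""Audit installed Chrome/Edge extensions and emit an allowlist policy.

Added example (not the article's or Obsidian's code). Sample extensions
below are constructed; point load_manifests() at a real profile such as
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions,
%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Extensions or
~/.config/google-chrome/Default/Extensions to audit a real machine.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter arbitrary pages and sessions.
# This grouping is the example's own choice, not a browser-defined category.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "cookies", "tabs",
    "scripting", "declarativeNetRequest", "history", "clipboardRead",
}


def broad_host_pattern(p):
    """True for match patterns that cover every site: <all_urls>, *://*/*, https://*/* ..."""
    if p == "<all_urls>":
        return True
    _scheme, sep, rest = p.partition("://")
    return bool(sep) and rest.split("/", 1)[0] == "*"


def load_manifests(extensions_dir):
    """Return one record per <id>/<version>/manifest.json under extensions_dir."""
    records = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir():
            continue
        for version_dir in sorted(ext_dir.iterdir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            data = json.loads(manifest.read_text(encoding="utf-8"))
            # MV2 lists host patterns under "permissions"; MV3 moves them to
            # "host_permissions". Non-string entries (MV2 object permissions) are skipped.
            raw = list(data.get("permissions", [])) + list(data.get("host_permissions", []))
            perms = {p for p in raw if isinstance(p, str)}
            records.append({"id": ext_dir.name, "name": data.get("name", "?"),
                            "version": data.get("version", version_dir.name),
                            "permissions": perms})
    return records


def assess(records, allowlist):
    """Flag non-allowlisted extensions and any extension holding risky permissions.
    An allowlisted extension with a broad permission still surfaces: that is
    exactly what a quietly malicious update looks like."""
    findings = []
    for r in records:
        risky = sorted(p for p in r["permissions"]
                       if p in HIGH_RISK_PERMISSIONS or broad_host_pattern(p))
        findings.append({"id": r["id"], "name": r["name"], "version": r["version"],
                         "allowlisted": r["id"] in allowlist,
                         "risky_permissions": risky})
    return findings


def extension_settings_policy(allowlist):
    """Chrome/Edge ExtensionSettings value: block all, allow only the listed IDs.
    Deliver as JSON in /etc/opt/chrome/policies/managed/ on Linux, or as the
    same value via GPO/MDM on Windows and macOS."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_install_message": "Extensions must be approved by Security."}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": policy}


def build_sample_profile():
    """Construct a throwaway Extensions tree (sample data, not from the incident).
    Real IDs are 32 letters a-p; the repeated-letter IDs here are placeholders."""
    ext_root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "a" * 32: ("1.2.0", {"manifest_version": 3, "name": "Color Picker",
                             "version": "1.2.0", "permissions": ["storage"]}),
        "b" * 32: ("3.0.1", {"manifest_version": 3, "name": "Weather Now",
                             "version": "3.0.1", "permissions": ["storage", "tabs", "webRequest"],
                             "host_permissions": ["<all_urls>"]}),
        "c" * 32: ("0.9", {"manifest_version": 2, "name": "Dark Theme",
                           "version": "0.9", "permissions": ["*://*/*", "cookies"]}),
    }
    for ext_id, (version, manifest) in samples.items():
        d = ext_root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def run_audit(allowlist=frozenset({"a" * 32, "b" * 32})):
    """Audit the constructed profile against a constructed allowlist."""
    return assess(load_manifests(build_sample_profile()), allowlist)


if __name__ == "__main__":
    for f in run_audit():
        status = "OK    " if f["allowlisted"] and not f["risky_permissions"] else "REVIEW"
        print(f"{status} {f['id'][:8]} {f['name']} {f['version']} risky={f['risky_permissions']}")
    print(json.dumps(extension_settings_policy({"a" * 32}), indent=2))
```

Run against a real profile, only the Color Picker-style entries come back clean; the Weather Now entry is allowlisted but still flagged because its manifest grants all-URL access plus tabs and webRequest, which is the version-to-version change the audit step above is meant to catch. Keep the previous run's output so permission sets can be diffed across versions.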

For Obsidian Customers:

  • Navigate to the Browser Apps section in Extend to see a full inventory of all browser extensions installed in your environment
    • Sort by risk level and permissions to identify the riskiest extensions. Obsidian also shows which users have each extension installed, so security teams can scope the impact of a security event. 
