Malicious Chrome Extensions Found Stealing Emails, Business Data, and Browsing History
Security researchers have uncovered a widespread campaign involving malicious browser extensions on the Google Chrome platform that are designed to steal sensitive information from users and organizations. These extensions, many of which were disguised as legitimate productivity tools or AI assistants, are capable of siphoning off email content, business analytics, two-factor authentication details, and users’ browsing histories.
The attackers used social engineering and familiar branding to convince users to install add-ons that appeared useful but were in fact engineered to harvest data in the background. Some of the malicious extensions employed injected iframe techniques, loading remote content into webpages to monitor user activity and transmit information back to attacker-controlled servers. Certain variants specifically targeted business users by attempting to extract data from platforms such as Meta Business Suite and Facebook Business Manager, including advertising analytics, account details, and contact lists. The campaign reportedly reached hundreds of thousands of installations before the extensions were identified and removed.
Because browser extensions often request broad permissions to read and modify website data, they can become powerful surveillance tools when abused. In this case, the malicious add-ons leveraged those permissions to quietly intercept session tokens, capture authentication data, and maintain persistent access even after users logged out of certain services. Security experts warn that such threats highlight systemic weaknesses in the browser extension ecosystem, where automated review processes may fail to detect harmful updates after an extension is initially approved. Users and organizations are advised to regularly audit installed extensions, limit permissions to only what is necessary, and implement additional security controls such as endpoint monitoring and multi-factor authentication to reduce the risk of compromise.
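One way to carry out the audit recommended above is to read each installed extension's `manifest.json` and flag all-site host access together with the API permissions that map to the data described in this article. This is an added example, not code from the researchers or from Chrome; the choice of permissions to flag and the sample manifest are assumptions made for illustration, and the directory layout assumed is Chrome's per-profile `Extensions/<id>/<version>/manifest.json`.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Chrome API permissions relevant to the data theft described in the article
# (an illustrative selection, not an exhaustive list).
SENSITIVE_APIS = {
    "cookies": "can read cookies, including session cookies",
    "history": "can read browsing history",
    "webRequest": "can observe network requests",
    "scripting": "can inject scripts into pages",
    "tabs": "can see URLs and titles of open tabs",
}
PERMISSION_KEYS = ("permissions", "host_permissions",
                   "optional_permissions", "optional_host_permissions")

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    for key in PERMISSION_KEYS:
        for perm in manifest.get(key, []):
            if not isinstance(perm, str):
                continue  # skip non-string entries
            if perm in BROAD_HOSTS:
                findings.append(f"host access to every site: {perm}")
            elif perm in SENSITIVE_APIS:
                findings.append(f"{perm}: {SENSITIVE_APIS[perm]}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.append(f"content script on every site: {pattern}")
    return findings

def audit_profile(extensions_dir):
    """Map extension ID -> findings for a profile's Extensions directory."""
    results = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        findings = audit_manifest(manifest)
        if findings:
            results[path.parent.parent.name] = findings
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    for ext_id, found in audit_profile(sys.argv[1]).items():
        print(ext_id, *found, sep="\n  ")
```

A finding is a prompt for review rather than proof of abuse, since many legitimate extensions also request these permissions.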







