Malicious Extensions Affected 1.7 Million Chrome Users

Written by Eduardo Morales | Jul 9, 2025 6:40:11 PM

A group of malicious extensions in Google's Chrome Web Store managed to slip through undetected, racking up no less than 1.7 million downloads. The problem? Although they appeared harmless, they could actually track your online activity, steal your browsing history, and even redirect you to dangerous sites without you realizing it.

What's most concerning is that many of these extensions did what they promised: they worked as color pickers, VPNs, volume boosters, or emoji keyboards, which made them seem completely legitimate.

Although some of these extensions have already been removed, several are still active in the store, so it's very possible that millions of users still have them installed without knowing the risk they're taking.

Two Chrome extensions with tracking code (Source: BleepingComputer)

Popular Chrome extensions that could compromise your privacy

The most alarming thing is that many of these extensions seemed completely trustworthy: they were verified by Google, had lots of positive reviews, and even appeared high in the Chrome Web Store rankings. All of this led users to trust them without imagining that they could be compromising their privacy.

If you use Chrome, we recommend that you check if you have any of these extensions installed and remove them as soon as possible:

  1. Color Picker, Eyedropper — Geco colorpick

  2. Emoji keyboard online — copy&paste your emoji

  3. Free Weather Forecast

  4. Video Speed Controller — Video manager

  5. Unlock Discord — VPN Proxy to Unblock Discord Anywhere

  6. Dark Theme — Dark Reader for Chrome

  7. Volume Max — Ultimate Sound Booster

  8. Unblock TikTok — Seamless Access with One-Click Proxy

  9. Unlock YouTube VPN

  10. Unlock TikTok

  11. Weather

One of these extensions, “Volume Max – Ultimate Sound Booster,” was already mentioned last month by LayerX researchers, who warned that it could spy on users. At the time, nothing malicious could be confirmed, but now it is back under scrutiny.

Risky Chrome extension flagged by security teams

How did these malicious extensions work?

According to researchers, the trick was in what happened behind the scenes. Each extension had a component that ran in the background (something like an “invisible assistant”) using a Chrome feature that allowed it to discreetly spy on what you were doing in the browser.

Every time you opened a web page, this “listener” was activated and captured the URL you were visiting. That information, along with a unique identifier that allowed each user to be tracked individually, was sent to a server controlled by the attackers.

And then? That server could respond with a new URL, automatically redirecting you to another page without you doing anything. This opened the door to possible redirects to fake sites, with misleading ads or even pages designed to carry out cyberattacks.

The trick was in the updates

An important detail is that the malicious code was not in the first versions of these extensions. At first, they were harmless and did what they promised. But at some point, through an update, the dangerous behavior was introduced.

The worrying thing is that Chrome updates extensions automatically and without asking for permission, so millions of people could be using newer, more dangerous versions without knowing it.

This has led to speculation that some of these extensions were compromised: either because the original developers were hacked or because they sold their extensions to third parties who then added the malicious code.

The problem is not limited to Chrome. The same malicious extensions were also found available in the official Microsoft Edge store, with a total of more than 600,000 additional downloads. This shows that the scope of this campaign has been quite broad.

Combining both browsers, more than 2.3 million people have installed one of these compromised extensions. This is one of the largest browser hijacking operations detected to date.

What can you do if you think you've been affected?

If you suspect that you may have installed one of these extensions (even if it is no longer active), it's best to act as soon as possible. Here are some recommended steps:

  1. Immediately remove any suspicious extensions from the Chrome or Edge extensions panel (chrome://extensions/ or edge://extensions/).

  2. Clear your browsing data, including history, cookies, and cache. This helps remove any identifiers that may have been saved.

  3. Run a full scan of your computer with an up-to-date antivirus program or a reliable malware detection tool.

  4. Check your accounts (email, social media, banks, etc.) for any unusual activity or unauthorized access.

  5. Enable two-step authentication on your most important accounts as an additional security measure.
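As an added illustration (this script is not part of the original article or of the researchers' work), the following Python checks the manifests of installed Chrome or Edge extensions for the two signals described above: a name from the list in this article, and a background component holding a permission that lets it read the URL of every page you open. The sample manifests at the bottom are constructed for the demo; the manifest keys and permission names are standard Chrome extension manifest fields, and the profile directory layout is the one Chrome and Edge use.

```python
import json
from pathlib import Path

FLAGGED_NAMES = {  # extension names the article lists; store titles may differ in punctuation
    "Color Picker, Eyedropper — Geco colorpick", "Emoji keyboard online — copy&paste your emoji",
    "Free Weather Forecast", "Video Speed Controller — Video manager",
    "Unlock Discord — VPN Proxy to Unblock Discord Anywhere", "Dark Theme — Dark Reader for Chrome",
    "Volume Max — Ultimate Sound Booster", "Unblock TikTok — Seamless Access with One-Click Proxy",
    "Unlock YouTube VPN", "Unlock TikTok", "Weather",
}
# A background component holding any of these can learn the URL of every tab you open.
URL_WATCHING = {"tabs", "webNavigation", "webRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json; an empty list means nothing flagged."""
    findings = []
    if manifest.get("name", "") in FLAGGED_NAMES:
        findings.append("name matches an extension reported in this campaign")
    background = manifest.get("background", {})
    runs_in_background = bool(background.get("service_worker") or background.get("scripts"))
    perms = set(manifest.get("permissions", []))
    if runs_in_background and perms & URL_WATCHING:
        findings.append("background code with URL-observing permission: "
                        + ", ".join(sorted(perms & URL_WATCHING)))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("may run against every site: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    return findings


def audit(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and keep only flagged ones."""
    report = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        try:
            findings = assess(json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:
            findings = [f"unreadable manifest: {exc}"]
        if findings:
            report[str(path.parent)] = findings
    return report


# Constructed manifests (not real store listings) so the checks can run offline.
RISKY_SAMPLE = {"name": "Weather", "manifest_version": 3, "background": {"service_worker": "bg.js"},
                "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]}
BENIGN_SAMPLE = {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]}
```

Point `audit()` at a profile's extension folder, for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows (Edge uses the same layout under `Microsoft\Edge\User Data`). A permission match alone is not proof of malice, since many legitimate extensions need `tabs`, so treat the report as a review list rather than a verdict.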

Incidents like this remind us that even the most popular or seemingly legitimate extensions can hide risks. The best defense is to stay informed and regularly review what we have installed on our devices.