The Escalating Threat of Malicious Browser Extensions: How to Protect Your Organization
- The February 2025 Chrome Extension Breach: A Continuation of the Cyberhaven Attack
- How Malicious Browser Extensions are Exploited
- High-level permissions
- 16 Recently Discovered Compromised Chrome Extensions
- The Growing Threat of Malicious Extensions
- Real-world Examples of Browser Extension Attacks
- How Attackers Exploit Browser Extensions
- How Organizations Can Protect Themselves from Malicious Extensions
- Spin.AI: A Solution to Mitigate Browser Extension Risks
- Wrapping up
Browser extensions are part of the modern tooling that organizations and users rely on to access SaaS services through web browsers. They extend the functionality available to users of web-based solutions. Lately, however, browser extensions have been front and center in major security incidents, leading to data leaks and other unwanted exposure. Let’s take a look at the latest development in an ongoing series of browser extension breach events that started with the Cyberhaven attack in December and have grown in scope since.
The February 2025 Chrome Extension Breach: A Continuation of the Cyberhaven Attack
In February 2025, GitLab’s Threat Intelligence team discovered that 16 commonly used Chrome extensions contained malicious code. The discovery appears to be a continuation of, or closely related to, the Cyberhaven attack uncovered in December 2024. That December incident involved 35 compromised Chrome extensions, collectively affecting millions of users. The new breach adds a cluster of 16 malicious Chrome extensions, calling into question the safety of browser extensions and underscoring the need for stronger security measures.
How Malicious Browser Extensions are Exploited
Attackers look to have gained control of the 16 Chrome extensions using a combination of purchasing the extensions from the original developers or by compromising developer accounts. Once they gained access to the extensions, they injected malicious JavaScript code that connected to a remote server to receive commands.
The malicious code of the extensions disabled Content Security Policy (CSP) rules in the browser, which allowed unauthorized script execution on websites users visited. With the malicious script execution, attackers were able to carry out advertising fraud and search engine manipulation.
High-level permissions
The malicious extensions were engineered by attackers to request high-level permissions in the browser that enabled them to carry out various components of the hack. Note the following permissions requested by the malicious extensions:
- alarms
- declarativeNetRequest
- scripting
- storage
- webRequest
- host permission <all_urls>
With these permissions, the attackers were able to access and modify any website the user visited and inject malicious scripts, alter web requests, and manipulate browser interactions. This incident highlights why users and organizations should closely monitor the permissions requested by extensions. Excessive permissions can be a risk signal pointing to a compromised extension.
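The permission set above is something a security team can check for mechanically before an extension is approved. The following script is an added example (not code from the article, from GitLab, or from Spin.AI) that scores an extension's manifest.json by the API permissions and host patterns it requests, and separately inspects a declarativeNetRequest rule file for rules that remove or rewrite a site's Content-Security-Policy header. The risk weights and thresholds are this example's own choices, the two manifests and the rule list are constructed samples, and the CSP check assumes that header manipulation through declarativeNetRequest is one way an extension can disable CSP, which the article reports the malicious code did.

```python
import json

# Weights are illustrative choices for this example, not values from the article.
# The first five are the permissions GitLab reported on the compromised extensions.
RISK_WEIGHTS = {
    "webRequest": 3,
    "declarativeNetRequest": 3,
    "scripting": 3,
    "storage": 1,
    "alarms": 1,
    "cookies": 3,   # extra broad permission worth flagging
    "tabs": 2,
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Score a Chrome extension manifest (MV2 or MV3) by what it asks for."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    score, findings = 0, []
    for perm in sorted(perms):
        weight = RISK_WEIGHTS.get(perm)
        if weight:
            score += weight
            findings.append(f"permission {perm} (+{weight})")

    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        score += 4
        findings.append(f"broad host access {', '.join(broad)} (+4)")

    # The combination seen in the February 2025 cluster: script injection plus
    # request/header manipulation, on every site the user visits.
    if broad and "scripting" in perms and perms & {"webRequest", "declarativeNetRequest"}:
        score += 3
        findings.append("can inject scripts and alter requests on all sites (+3)")

    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"score": score, "level": level, "findings": findings}


def rules_strip_csp(rules: list) -> bool:
    """True if any declarativeNetRequest rule removes or rewrites the
    Content-Security-Policy response header (assumed CSP-disabling pattern)."""
    for rule in rules:
        for header in rule.get("action", {}).get("responseHeaders", []):
            if header.get("header", "").lower() == "content-security-policy":
                return True
    return False


# Constructed sample: an MV3 manifest requesting the same permissions the
# article lists for the compromised extensions.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ad Blocker (constructed sample)",
    "permissions": ["alarms", "declarativeNetRequest", "scripting", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
}

# Constructed sample: a narrowly scoped extension for comparison.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Page Notes (constructed sample)",
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.com/*"],
}

# Constructed sample rule list of the kind loaded via declarative_net_request.
SUSPICIOUS_RULES = [
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders",
                "responseHeaders": [{"header": "content-security-policy", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}}
]

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], json.dumps(assess_manifest(m), indent=2))
    print("rules strip CSP:", rules_strip_csp(SUSPICIOUS_RULES))
```

Run against a real extension by loading its manifest.json and, if the manifest declares `declarative_net_request.rule_resources`, each referenced rule file. A high score is a review trigger, not proof of compromise: legitimate ad blockers also need broad host access, which is exactly why the article stresses monitoring updates rather than judging an extension once.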
16 Recently Discovered Compromised Chrome Extensions
GitLab’s team identified a range of extensions that had been compromised, from ad blockers to screen capture tools. These extensions, once trusted, are now a significant threat to users. Below is a list of some of the affected extensions:
| Extension Name | Extension ID | Functionality |
|---|---|---|
| Adblock for Chrome | cfhdojbkjhnklbpkdaibdccddilifddb | Ad Blocker |
| Adblock for YouTube | lcfdefmogcogicollfebhgjiiakbjdje | Ad Blocker |
| Adblocker for Chrome – NoAds | jfpmbokkdeapjommajdfmmheijclbodo | Ad Blocker |
| Blipshot | pkndmigholgfjllpeckpdbhhaikiipij | Screenshot Tool |
| Color Changer for YouTube | bpllcnbgdeomipgmemfhfjcclmpjfhif | YouTube Customizer |
| Emoji Keyboard – Emojis For Chrome | pmlghpafmmnmmkjdhacccolfgnbofhph | Emoji Keyboard |
| Emojis: Emoji Keyboard | jmjbgcjbgadmgmdaecjmnmfbjaehopnb | Emoji Keyboard |
| KProxy Extension | mpbjkejclgfgadiemmefgebjfooflfhl | Proxy Service |
| Mike Adblock für Chrome | bknpkfglkofmllgidlfbekfhgineeohf | Ad Blocker |
| Nimble Capture | pknkgggnfecklokoggaggchhaebkajji | Screen Capture |
| Page Refresh | gjjpophepkbhejnglcmkdnncmaanojkf | Auto Refresh |
| Super Dark Mode | clcbnchdpmjkkifnbnmmkgjblkojjjjk | Dark Mode Enabler |
| Themes for Chrome | fppiohdlapdfmeenohepfnlmgndogbgo | Browser Themes |
| Video Effects for YouTube | gmbmikajjgmnabiglmofipeabaddhgne | Video Enhancer |
| WAToolkit | nhcgjceoackgonjkkfgpbojacffjfgkh | WhatsApp Enhancer |
| Wistia Video Downloader | jokbpnebimcgllnjfkdclppnlcfgkngf | Video Downloader |
Note: Information is sourced from GitLab’s Security Tech Notes.
These malicious extensions inject harmful scripts into browsers to conduct advertising fraud and manipulate search engine results, compromising the security of millions of users.
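The extension IDs in the table are the most directly actionable part of the GitLab findings, because Chrome stores each installed extension under a directory named by its ID. The script below is an added example (not from the article, GitLab, or Spin.AI) that walks the Chrome and Chromium user-data directories on a host, collects the extension IDs present in every profile, and reports any that match the 16 IDs above. The ID list is copied from the table; the profile directory locations are the usual defaults and are assumptions to adjust for managed or non-standard installs.

```python
import os
import re
import sys
from pathlib import Path

# Extension IDs from GitLab's Security Tech Notes, as reproduced in the table above.
COMPROMISED_IDS = {
    "cfhdojbkjhnklbpkdaibdccddilifddb": "Adblock for Chrome",
    "lcfdefmogcogicollfebhgjiiakbjdje": "Adblock for YouTube",
    "jfpmbokkdeapjommajdfmmheijclbodo": "Adblocker for Chrome - NoAds",
    "pkndmigholgfjllpeckpdbhhaikiipij": "Blipshot",
    "bpllcnbgdeomipgmemfhfjcclmpjfhif": "Color Changer for YouTube",
    "pmlghpafmmnmmkjdhacccolfgnbofhph": "Emoji Keyboard - Emojis For Chrome",
    "jmjbgcjbgadmgmdaecjmnmfbjaehopnb": "Emojis: Emoji Keyboard",
    "mpbjkejclgfgadiemmefgebjfooflfhl": "KProxy Extension",
    "bknpkfglkofmllgidlfbekfhgineeohf": "Mike Adblock fuer Chrome",
    "pknkgggnfecklokoggaggchhaebkajji": "Nimble Capture",
    "gjjpophepkbhejnglcmkdnncmaanojkf": "Page Refresh",
    "clcbnchdpmjkkifnbnmmkgjblkojjjjk": "Super Dark Mode",
    "fppiohdlapdfmeenohepfnlmgndogbgo": "Themes for Chrome",
    "gmbmikajjgmnabiglmofipeabaddhgne": "Video Effects for YouTube",
    "nhcgjceoackgonjkkfgpbojacffjfgkh": "WAToolkit",
    "jokbpnebimcgllnjfkdclppnlcfgkngf": "Wistia Video Downloader",
}

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Default user-data locations (assumed; adjust for enterprise or portable installs).
CANDIDATE_ROOTS = [
    Path.home() / ".config" / "google-chrome",
    Path.home() / ".config" / "chromium",
    Path.home() / "Library" / "Application Support" / "Google" / "Chrome",
]
if os.environ.get("LOCALAPPDATA"):
    CANDIDATE_ROOTS.append(Path(os.environ["LOCALAPPDATA"]) / "Google" / "Chrome" / "User Data")


def installed_extension_ids(user_data_dir: Path) -> dict:
    """Map each profile under user_data_dir to the set of extension IDs on disk."""
    found = {}
    if not user_data_dir.is_dir():
        return found
    for profile in user_data_dir.iterdir():
        ext_dir = profile / "Extensions"
        if ext_dir.is_dir():
            ids = {d.name for d in ext_dir.iterdir() if d.is_dir() and EXT_ID_RE.match(d.name)}
            if ids:
                found[profile.name] = ids
    return found


def match_compromised(extension_ids) -> dict:
    """Return {id: name} for every ID that appears on the compromised list."""
    return {i: COMPROMISED_IDS[i] for i in extension_ids if i in COMPROMISED_IDS}


def scan_host(roots=CANDIDATE_ROOTS) -> list:
    """Return (root, profile, id, name) tuples for every hit across all roots."""
    hits = []
    for root in roots:
        for profile, ids in installed_extension_ids(root).items():
            for ext_id, name in match_compromised(ids).items():
                hits.append((str(root), profile, ext_id, name))
    return hits


if __name__ == "__main__":
    results = scan_host()
    for root, profile, ext_id, name in results:
        print(f"[!] {root} / {profile}: {ext_id} ({name})")
    print(f"{len(results)} compromised extension ID(s) found")
    sys.exit(1 if results else 0)
```

The non-zero exit status lets the script run as a check from an endpoint management tool. A hit on disk means the extension was installed at some point; the SecOps follow-up is to remove it, rotate credentials for sites used from that profile, and review the profile's activity for the window since the malicious update.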
The Growing Threat of Malicious Extensions
We are seeing more and more news items about data breaches and malicious activity linked to browser extensions. GitLab’s discovery of 16 new malicious extensions shows that attackers use many different techniques to take them over, and it is far from an isolated event. Note the following statistics:
- Over the past two years alone, more than 400 million users have downloaded at least one compromised browser extension
- 48% of browser extensions request excessive permissions. This means that once installed, they have access to user data and browsing history, and even the ability to execute background scripts
- Approximately 35% of browser extensions fall into the high-risk category, meaning they have been flagged for potential credential theft, session hijacking, and data exfiltration
- A December 2024 report identified 35 compromised extensions, impacting millions of users and showcasing how attackers use phishing to steal developer credentials and push malicious updates
These statistics highlight the ever-growing risks that are associated with browser extensions and the challenges in making sure these are secure.
Real-world Examples of Browser Extension Attacks
Malicious browser extensions are not just a recent development. Even prior to the recent events of December 2024 into February 2025, several high-profile browser extension compromises have caused real damage. Note the following examples:
- DataSpii (2019-2020) – Security researchers discovered that several widely used Chrome and Firefox extensions were silently harvesting browsing data from millions of users, exposing sensitive corporate information.
- The Great Suspender (2021) – This extension was originally a trusted add-on. However, it was later sold to an unknown party, who added malicious tracking and data exfiltration mechanisms.
- 2024 Chrome Extension Breach: Attackers compromised developer accounts using phishing attacks. This allowed them to push malicious updates to 35 extensions, affecting over 3.7 million users globally.
These attacks show that even once-trusted extensions can become malicious over time. That underlines the need for continuous monitoring of extensions and for enforcing the use of only those extensions that align with the organization’s security policies.
How Attackers Exploit Browser Extensions
Most of the time, attackers get malicious extensions onto users’ browsers through legitimate channels, often by simply publishing an extension to the store. An attacker may publish a malicious extension that masquerades as a productivity tool, a security add-on, or a plugin with entertainment value. Once the extension is installed, however, it may execute commands that carry out nefarious tasks such as the following:
- Stealing data – Masquerading as a legitimate extension, underneath the hood, it may collect usernames, passwords, browsing history, cached session tokens, and credit card information. All of this information can then be sent to remote servers controlled by hackers.
- Session hijacking – Attackers can use malicious browser extensions to intercept web sessions and even manipulate these, allowing them the ability to take over online accounts and sensitive applications.
- Fraudulent advertising and click hijacking – Malicious extensions can inject unauthorized ads and redirect searches. They can also modify affiliate links to generate fraudulent revenue or redirect revenue to attackers’ accounts.
- Account takeover attacks – If an extension has access to authentication cookies and session tokens, attackers can impersonate users on sensitive websites or other web resources.
- Persistence – Attackers may try to add in built-in mechanisms to avoid detection. These may include disabling browser security settings, using encrypted command-and-control communications, or automatically reinstalling the extension if it gets uninstalled.
How Organizations Can Protect Themselves from Malicious Extensions
Security has often been described as “layers of an onion,” a multi-layered approach. Organizations must adopt practices and methodologies along with the right technology tools to bolster security when it comes to browser extensions and SaaS apps. Note the following:
1. Continuous risk assessment
Monitoring all browser extensions used in the organization is a vital step to securing browser extension use. Beyond a simple inventory of the extensions in the environment, organizations must perform effective risk assessments. These assessments should cover the permissions requested by each extension and any known security vulnerabilities, and should track every update to an extension, since an update is where malicious code can be introduced.
2. Automated extensions policies and enforcement
Rather than merely suggesting that users install only recommended extensions, companies need to introduce and enforce strict policies around which extensions users can and cannot install.
- Allow list only known, approved, and vetted browser extensions
- Block all high-risk extensions or ones that request excessive permissions
- Block employees from installing extensions from unverified app sources
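Chrome’s enterprise `ExtensionSettings` policy expresses all three of these rules in one JSON document: a default entry (`"*"`) that blocks installation and forbids specific API permissions, plus per-extension entries that allow vetted IDs or remove known-bad ones. The code below is an added example (not from the article or Spin.AI) that builds that policy from an allow list and a removal list and renders the file an administrator would deploy. The `ExtensionSettings` keys (`installation_mode`, `blocked_permissions`) and the Linux managed-policy directory are real Chrome policy features; the allowed ID is a constructed placeholder, and the removal list reuses the compromised IDs reported on this page.

```python
import json
import re

EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Permissions forbidden for every extension, including allow-listed ones.
# This default set mirrors the capabilities the compromised extensions relied on.
DEFAULT_BLOCKED_PERMISSIONS = ("webRequest", "declarativeNetRequest", "scripting")

# Where Chrome on Linux reads managed policy (real path); on Windows the same
# value is delivered through GPO/registry and on macOS through a configuration profile.
LINUX_POLICY_DIR = "/etc/opt/chrome/policies/managed/"


def valid_extension_id(ext_id: str) -> bool:
    return bool(EXT_ID_RE.match(ext_id))


def build_extension_settings(allowed, removed=(), blocked_permissions=DEFAULT_BLOCKED_PERMISSIONS) -> dict:
    """Build the value of Chrome's ExtensionSettings policy.

    allowed: extension IDs users may install (the allow list).
    removed: extension IDs to block and uninstall if already present.
    Everything not listed is blocked by the "*" default entry.
    """
    for ext_id in list(allowed) + list(removed):
        if not valid_extension_id(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_permissions": list(blocked_permissions),
        }
    }
    for ext_id in allowed:
        settings[ext_id] = {"installation_mode": "allowed"}
    for ext_id in removed:
        # "removed" both blocks installation and uninstalls existing copies.
        settings[ext_id] = {"installation_mode": "removed"}
    return settings


def render_policy_file(allowed, removed=()) -> str:
    """Render the JSON document that goes into the managed policy directory."""
    return json.dumps({"ExtensionSettings": build_extension_settings(allowed, removed)}, indent=2)


# Constructed placeholder for a vetted, approved extension.
APPROVED_IDS = ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]

# Two of the compromised IDs reported by GitLab, as listed on this page.
REMOVE_IDS = ["cfhdojbkjhnklbpkdaibdccddilifddb", "pkndmigholgfjllpeckpdbhhaikiipij"]

if __name__ == "__main__":
    print(f"# write this to {LINUX_POLICY_DIR}extensions.json (or the GPO equivalent)")
    print(render_policy_file(APPROVED_IDS, REMOVE_IDS))
```

Blocking `webRequest`, `declarativeNetRequest` and `scripting` globally will break legitimate ad blockers and similar tools; the practical approach is to keep the strict default and vet exceptions individually, which is what the allow list is for. After deployment, `chrome://policy` on a managed endpoint shows whether the policy was applied.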
3. User education
Cybersecurity training should help users identify suspicious browser extensions and avoid installing extensions from untrustworthy sites. Training should cover:
- Identifying red flags – These may include excessive permissions or unexpected updates
- Using trusted sources – Downloading extensions only from trusted sources
- What to do if an extension is compromised – The response procedure users should follow if they suspect an extension has been compromised or notice unusual activity or behavior on their device
4. Modern cybersecurity tools
Implement tools like SpinSPM (SaaS Security Posture Management) to automate risk assessments, monitor behaviors, and enforce security policies.
Spin.AI: A Solution to Mitigate Browser Extension Risks
Spin.AI offers advanced tools like SpinSPM, which helps organizations automate risk assessments of browser extensions and monitor suspicious activities. With SpinSPM, organizations can enforce security policies and manage risks associated with extensions, ensuring compliance and safeguarding data.
- Automated risk assessments – Spin.AI can execute real-time evaluations of browser extensions to help detect and mitigate potential threats.
- Continuous monitoring – Organizations need to monitor browser extensions used by end users to detect any changes in behaviors. Admins and SecOps can use Spin.AI to identify and automatically respond to suspicious activities quickly.
- Policy enforcement – Using Spin.AI, organizations can create security policies that control browser extension installations and permissions based on a machine-learning generated risk score. This risk score is autogenerated based on no less than 15 risk indicators and can be used to enforce compliance with organizational policies.
Additionally, SpinMonitor, a free extension security checker, allows organizations (admins and security teams) and individual users to assess the risks associated with installed browser extensions.
Wrapping up
The growing number of malicious browser extensions is a clear danger to the data of individuals and organizations alike. Cybercriminals know that businesses are increasingly using SaaS applications accessed through a browser, and that users are spending more time in the browser than ever, including using browser extensions.
Businesses must adopt continuous risk assessments and enforce strict extension policies, in addition to training their employees and using technology solutions. Spin.AI is a solution that helps to protect sensitive data from threats posed by compromised browser extensions. Be sure to explore Spin.AI’s new App Risk Time Savings Calculator and discover how much time your organization can potentially save with the SpinSPM solution.