Chrome extensions stealing data have become a widespread security crisis. Researchers have flagged over 108 malicious extensions infecting thousands of users and siphoning sensitive data and session information, with evidence pointing to a single actor possibly of Russian origin.
Key Takeaways
- Over 108 malicious Chrome extensions were discovered stealing user data from thousands of accounts.
- A coordinated campaign called AiFrame deployed 32 AI-themed extensions with over 260,000 combined installs.
- Malwarebytes identified 30 credential-stealing extensions affecting over 260,000 users using “extension spraying” tactics.
- Kaspersky found 57 suspicious extensions with over 6 million users requesting excessive permissions.
- Google has removed confirmed malicious extensions, but new variants continue appearing in the Web Store.
The Scale of Chrome Extensions Stealing Data
The threat is far larger than any single discovery. Security researchers have uncovered multiple coordinated campaigns targeting Chrome users through the official Web Store. The AiFrame cluster alone deployed 32 AI-themed browser add-ons—summarization tools, chat assistants, writing helpers, and Gmail aids—that collected over 260,000 installs while siphoning sensitive data. Meanwhile, a separate analysis found 287 Chrome extensions exfiltrating browsing history to data brokers like Similarweb and Alexa, reaching 37.4 million installs—roughly 1 percent of the global Chrome user base.
Kaspersky’s investigation uncovered 57 suspicious extensions with over 6 million users, many hidden from search results and requesting mismatched permissions for cookies, tracking, search engine hijacking, and script injection. Malwarebytes identified 30 extensions stealing credentials from over 260,000 users, employing a technique called “extension spraying”—releasing the same malicious code under different names and IDs to evade detection. These extensions often rendered full-screen remote iframes, giving attackers control over what users saw on their screens.
How Attackers Hide Malicious Chrome Extensions Stealing Data
Malicious extensions use several deceptive tactics to avoid detection. Many masquerade as legitimate tools—AI assistants, productivity helpers, or proxy services—while secretly harvesting credentials and session cookies. The CL Suite extension (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), uploaded in March 2025, scraped data directly from Meta Business Suite and Facebook, removed two-factor authentication pop-ups, and generated 2FA codes for attackers. It infected only 33 users before removal, but demonstrated the sophistication of these attacks.
The RedDirection campaign deployed 18 extensions across Chrome and Edge browsers, affecting 2.3 million users. These extensions monitored browsing activity and hijacked traffic through silent updates, making it nearly impossible for users to detect the compromise. Phantom Shuffle, a two-extension operation active since 2017, posed as proxy tools for foreign trade workers while hijacking traffic from over 170 domains including development platforms, cloud services, and social networks. Users paid subscription fees ranging from $1.40 to $13.60 monthly, never knowing their traffic was being intercepted.
Excessive permission requests are a red flag. Attackers request access to cookies, site data, search engine settings, and script injection capabilities—far more than legitimate tools need. Carnegie Mellon researchers discovered that 20 suspicious extensions were modified after attackers phished developers’ credentials, turning legitimate tools into data-harvesting weapons. Others embedded tracking pixels through third-party libraries, making the malicious behavior nearly invisible in code reviews.
Chrome Extensions Stealing Data vs. Legitimate Alternatives
The contrast between malicious and genuine tools reveals how attackers exploit user trust. Real productivity extensions like legitimate AI summarizers or Gmail helpers request only the permissions they genuinely need—access to specific sites and basic data. Malicious variants request blanket access to all sites, cookies, and browser history. A suspicious “antivirus” extension called Browser Checkup for Chrome by Doctor exemplifies this deception: it claims to protect users while actually enabling tracking and data collection.
Google has removed confirmed malicious extensions when discovered, including Phantom Shuffle and the credential-stealing variants identified by Malwarebytes. However, the sheer volume of new malicious submissions—and the speed at which attackers redeploy variants—means the Web Store remains a battleground. The AiFrame cluster and RedDirection campaign both launched in 2025 or 2026, showing that attackers continue refining their methods despite previous takedowns.
How to Protect Yourself From Chrome Extensions Stealing Data
Users should audit their installed extensions immediately. Open the Chrome extensions list (chrome://extensions) and remove anything you do not recognize or no longer use. Be especially suspicious of AI tools, productivity helpers, and security utilities that appeared suddenly or lack clear developer information. If an extension requests access to all sites, cookies, and browser history, uninstall it unless you have a specific reason it needs such access.
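The audit above can be partly automated. The script below is an added example, not code from the article or from any of the research teams it cites. It reads the manifest.json files that Chrome keeps on disk under <profile>/Extensions/<extension id>/<version>/, flags the permission patterns the article calls red flags (blanket host access, cookies, history, script injection, webRequest), and groups extensions that ship byte-identical script files under different IDs, which is the "extension spraying" shape described earlier. The risk weights, the review threshold, and the sample extensions (IDs, names and scripts) are this example's own constructed assumptions, not a published scoring scheme or real extension data.

```python
"""Audit installed Chrome extensions for over-broad permissions and for
identical code shipped under different IDs. Added example; the weights and
the sample data below are assumptions, not from the article."""
import hashlib
import json
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumed weights: permissions that read session material, rewrite traffic
# or inject code score highest.
RISKY_PERMISSIONS = {
    "cookies": 3, "history": 3, "proxy": 3, "debugger": 3,
    "webRequest": 2, "webRequestBlocking": 2, "declarativeNetRequest": 2,
    "scripting": 2, "management": 2, "clipboardRead": 2,
    "tabs": 1, "webNavigation": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REVIEW_THRESHOLD = 6  # assumed cut-off for "look at this by hand"


def host_patterns(manifest):
    """Host patterns from MV2 'permissions', MV3 'host_permissions' and
    content_scripts 'matches' (content scripts also grant page access)."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry):
                hosts.add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def audit_manifest(manifest):
    """Score one parsed manifest.json; returns (score, findings)."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    score, findings = 0, []
    for p in perms:
        if p in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[p]
            findings.append(f"permission {p!r}")
    broad = host_patterns(manifest) & BROAD_HOSTS
    if broad:
        score += 4
        findings.append(f"blanket host access {sorted(broad)}")
        if "cookies" in perms:  # cookies for every site: session-theft shape
            score += 3
            findings.append("cookies combined with blanket host access")
    return score, findings


def code_fingerprint(ext_dir):
    """SHA-256 over every .js file (relative path + bytes); manifest.json is
    ignored so renamed copies of the same code share one fingerprint."""
    digest = hashlib.sha256()
    for path in sorted(ext_dir.rglob("*.js")):
        digest.update(str(path.relative_to(ext_dir)).encode())
        digest.update(path.read_bytes())
    return digest.hexdigest()


def scan_extensions(root):
    """Walk <root>/<id>/<version>/manifest.json; one record per extension."""
    records = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        score, findings = audit_manifest(manifest)
        records.append({"id": ext_dir.parent.name, "name": manifest.get("name", "?"),
                        "score": score, "findings": findings,
                        "fingerprint": code_fingerprint(ext_dir)})
    return records


def sprayed_clones(records):
    """IDs that ship identical scripts: same code under different names."""
    by_fp = defaultdict(set)
    for r in records:
        by_fp[r["fingerprint"]].add(r["id"])
    return [sorted(ids) for ids in by_fp.values() if len(ids) > 1]


def build_demo_profile(root):
    """Constructed sample profile: one narrowly scoped helper and two renamed
    copies of an over-permissioned one. IDs, names and scripts are made up."""
    wide = {"permissions": ["cookies", "history", "scripting", "webRequest", "tabs"],
            "host_permissions": ["<all_urls>"], "manifest_version": 3}
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ({"name": "Mail Summarizer (sample)",
            "manifest_version": 3, "permissions": ["activeTab", "storage"],
            "host_permissions": ["https://mail.google.com/*"]}, "summarize();"),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ({**wide, "name": "AI Chat Helper (sample)"}, "harvest();"),
        "cccccccccccccccccccccccccccccccc": ({**wide, "name": "Smart Writing Aid (sample)"}, "harvest();"),
    }
    for ext_id, (manifest, script) in samples.items():
        ext_dir = Path(root) / ext_id / "1.0.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest))
        (ext_dir / "background.js").write_text(script)
    return Path(root)


def demo():
    """Run the audit over the constructed profile; returns (records, clones)."""
    with tempfile.TemporaryDirectory() as tmp:
        records = scan_extensions(build_demo_profile(tmp))
        clones = sprayed_clones(records)
    for r in records:
        flag = "REVIEW" if r["score"] >= REVIEW_THRESHOLD else "ok"
        print(f"{flag:6} {r['id']} score={r['score']:2} {r['name']}")
        for f in r["findings"]:
            print(f"        - {f}")
    if clones:
        print("identical code under different IDs:", clones)
    return records, clones


if __name__ == "__main__":
    demo()
```

To run it against a real profile, pass the Extensions directory to scan_extensions (on Linux typically ~/.config/google-chrome/Default/Extensions, on macOS ~/Library/Application Support/Google/Chrome/Default/Extensions). A high score is a prompt to compare the permissions with what the extension claims to do, not proof of malice; a narrowly scoped mail helper scores zero here, while the sample that pairs cookies with all-URL host access lands well past the review threshold.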
Before installing any extension, check the developer’s history and user reviews. Malicious extensions often have vague descriptions, no clear use case, or recent upload dates. Look for extensions with thousands of reviews—they are more likely to be legitimate. Avoid extensions from unknown developers, and verify that the extension name matches what you expect; attackers often use misspellings or similar-sounding names to trick users.
Consider using Chrome’s security features. Enable Safe Browsing in settings to block known malicious extensions. Regularly update Chrome to patch vulnerabilities that attackers exploit to inject malicious code. If you suspect you have installed a malicious extension, change your passwords immediately, enable two-factor authentication on important accounts, and monitor your accounts for unauthorized activity.
Why Does Google’s Web Store Still Host Malicious Extensions?
Google’s review process, which combines automated and manual checks, cannot catch every malicious extension before it reaches users. Attackers obfuscate their code, use legitimate-looking names, and sometimes activate malicious behavior only after an extension accumulates enough users. The extension spraying technique—releasing dozens of variants with minor changes—overwhelms detection systems. By the time one variant is removed, five others are already live under different names.
The sheer volume of submissions makes comprehensive vetting impossible. Millions of extensions exist in the Chrome Web Store, and new ones arrive constantly. Google relies on user reports and security researchers to identify threats, creating a reactive rather than proactive defense. This means users are often the first line of detection—and by then, their data may already be compromised.
What should I do if I installed a suspicious Chrome extension?
Remove it immediately from chrome://extensions. Change your passwords for email, banking, and other sensitive accounts, especially if the extension had access to cookies or site data. Enable two-factor authentication on all important accounts if you have not already. Monitor your accounts for unauthorized login attempts or suspicious activity over the next few weeks.
Can Chrome extensions see my passwords?
Extensions with broad permissions can access cookies and session data, which may include authentication tokens, but not passwords stored in Chrome’s password manager unless the extension explicitly requests that permission. However, an extension can monitor your login activity, capture form data before submission, or hijack your login process entirely, effectively giving attackers access to your accounts.
How do I check if an extension is safe before installing?
Review the developer’s name and website, read recent user reviews carefully, check the extension’s requested permissions against its stated purpose, and verify the number of users. Extensions with hundreds of thousands of active users and consistent positive reviews are generally safer than newly released tools from unknown developers with vague descriptions.
Chrome extensions stealing data represent a fundamental weakness in how browser add-ons are distributed and monitored. While Google removes malicious extensions when discovered, the attack surface remains enormous. Users cannot rely solely on the Web Store’s security—they must actively audit their installed extensions, scrutinize permissions, and stay vigilant about account security. The 108 flagged extensions and millions of affected users show that malicious actors view the Chrome ecosystem as fertile ground for data harvesting. Protecting yourself requires skepticism and action.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar