Over 260,000 Users Exposed by Credential-Stealing Chrome Extensions, Researchers Warn

In early 2026, cybersecurity researchers disclosed a new wave of malicious browser extensions affecting Google Chrome (and Chromium-based browsers such as Microsoft Edge). These extensions were engineered to harvest user credentials — including login details for email, cloud services, and enterprise portals — by injecting deceptive interfaces into web pages. The research identified 30 distinct extensions that together had been installed by over 260,000 users, highlighting the ongoing threat posed by seemingly innocuous add-ons in browser extension ecosystems.

How These Extensions Operate

At a technical level, the threat revolves around a deceptive use of browser extension capabilities and remote-hosted iframes:

  • Each malicious extension renders a full-screen iframe overlay on legitimate webpages. This iframe appears to users as part of the extension’s interface.
  • Because the overlay content is hosted remotely (outside the extension package), it bypasses static review checks that app stores perform on extension code before publication.
  • When users interact with these overlays — for example, entering login details — the input is captured and exfiltrated to attacker-controlled servers.

To evade remediation and blocking, attackers used extension spraying — the practice of publishing multiple variants of essentially the same extension under different names and unique identifiers. This makes automated detection and takedown more difficult and allows attackers to re-publish new variants if one is removed.

Understanding Extension Identifiers

Browser extensions in Chrome and Chromium-based browsers are tied to a 32-character unique identifier. Unlike the extension name — which can be changed at any time — this ID remains fixed even if the extension is renamed or resubmitted. This makes IDs a reliable way to distinguish malicious extensions from legitimate ones.

Step-By-Step Detection

1. List Installed Extensions

To inspect installed extensions:

  1. Open Chrome (or Edge) and enter the following in the address bar: chrome://extensions/
  2. On the extensions page, you’ll see all currently installed extensions by name.
  3. Enable Developer Mode (toggle in the top-right). This will display each extension’s unique ID next to the name.

At this point, you can compare the displayed IDs against known malicious IDs (security researchers often publish such lists) to spot suspicious entries.

2. Manual Removal via the Browser UI

Once a suspicious extension is identified:

  • Click Remove next to the extension listing.
  • Confirm the removal in the prompt that appears.

If the extension disappears and stays gone after restarting the browser, the removal was successful.

3. Extensions That Can’t Be Removed Normally

In some cases:

  • The Remove option may be missing.
  • The browser may indicate the extension was installed by an administrator.
  • The extension may reappear after a restart.

These symptoms suggest the extension may be force-installed via policy settings (e.g., enterprise policy or Group Policy Objects on Windows) or driven by additional malware on the system. In these scenarios, removal through the browser alone is typically insufficient.

Alternate Technical Inspection

If a browser-based removal fails, extensions can be located directly in the filesystem:

  • On Windows, Chrome stores installed extension files in: C:\Users\<your-username>\AppData\Local\Google\Chrome\User Data\Default\Extensions
  • You can view hidden folders by enabling Hidden items in Windows Explorer’s View options.

While deleting the extension’s folder from the filesystem removes the files, it leaves an orphaned entry in the browser’s extension list. The icon disappears, but the extension name may still be listed. Therefore, removal via the browser interface is generally preferable whenever possible.
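The detection steps above (identifying installed extensions by their 32-character ID, checking whether an entry is force-installed by policy, and locating the per-profile Extensions folder on disk) can be scripted for a host where the browser UI cannot be trusted. The following Python script is an added example and is not code from the article or from the researchers it cites. It walks an Extensions directory of the layout the article names (one folder per extension ID, one subfolder per installed version holding manifest.json), flags IDs present on a known-bad list, flags manifests that request access to every site, and on Windows reads the ExtensionInstallForcelist policy from the registry to mark force-installed IDs. The IDs, names, versions and update URL in the sample data are constructed placeholders; `SAMPLE_KNOWN_BAD_IDS` must be populated from a published indicator list before real use.

```python
"""Audit a Chrome/Edge profile's Extensions folder offline (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")
# Host patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# CONSTRUCTED placeholder, not a real indicator: populate from a published list.
SAMPLE_KNOWN_BAD_IDS = {"abcdefghijklmnopabcdefghijklmnop"}

def is_valid_extension_id(ext_id):
    return bool(EXTENSION_ID_RE.fullmatch(ext_id))

def requests_broad_host_access(manifest):
    """True if the manifest asks for all-sites access (MV2 or MV3 layout)."""
    patterns = list(manifest.get("permissions", []))        # MV2 host patterns
    patterns += manifest.get("host_permissions", [])         # MV3 host patterns
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])                # injected-page patterns
    return any(isinstance(p, str) and p in BROAD_HOST_PATTERNS for p in patterns)

def parse_forcelist(entries):
    """ExtensionInstallForcelist values have the form '<id>;<update_url>'."""
    ids = {entry.split(";", 1)[0].strip() for entry in entries}
    return {ext_id for ext_id in ids if is_valid_extension_id(ext_id)}

def read_windows_forcelist():
    """Read force-installed IDs from Chrome policy keys; empty set off Windows."""
    try:
        import winreg
    except ImportError:
        return set()
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, r"SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist")
        except OSError:
            continue                                        # policy key not present
        with key:
            index = 0
            while True:
                try:
                    _, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break                                   # no more values
                entries.append(str(value))
                index += 1
    return parse_forcelist(entries)

def audit_extensions_dir(extensions_dir, known_bad_ids, forced_ids=frozenset()):
    """One finding per extension-ID folder; folders that are not IDs are skipped."""
    findings = []
    for id_dir in sorted(Path(extensions_dir).iterdir()):
        if not (id_dir.is_dir() and is_valid_extension_id(id_dir.name)):
            continue
        finding = {"id": id_dir.name, "name": None, "versions": [],
                   "known_bad": id_dir.name in known_bad_ids,
                   "policy_forced": id_dir.name in forced_ids,
                   "broad_host_access": False}
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            try:
                manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue                                    # unreadable version folder
            finding["versions"].append(version_dir.name)
            finding["name"] = manifest.get("name", finding["name"])
            if requests_broad_host_access(manifest):
                finding["broad_host_access"] = True
        findings.append(finding)
    return findings

def build_sample_extensions_dir(root):
    """Create a CONSTRUCTED Extensions tree (IDs, names and versions are made up)."""
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": {"manifest_version": 3, "name": "Sample Overlay Helper",
                                             "version": "1.2.0", "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest_version": 3, "name": "Sample Site Tool",
                                             "version": "0.9", "host_permissions": ["https://example.com/*"]},
        "cccccccccccccccccccccccccccccccc": {"manifest_version": 2, "name": "Sample Page Reader",
                                             "version": "2.0", "permissions": ["tabs", "http://*/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / f"{manifest['version']}_0"   # Chrome's <version>_0 layout
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (Path(root) / "Temp").mkdir()                                        # not an ID; must be ignored

def run_demo():
    """Audit the constructed tree; the forcelist entry below is a made-up policy value."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extensions_dir(tmp)
        forced = parse_forcelist(["cccccccccccccccccccccccccccccccc;https://updates.example.invalid/crx"])
        return audit_extensions_dir(tmp, SAMPLE_KNOWN_BAD_IDS, forced)

if __name__ == "__main__":
    for f in run_demo():
        flags = [k for k in ("known_bad", "policy_forced", "broad_host_access") if f[k]]
        print(f"{f['id']}  {f['name']!r}  versions={f['versions']}  {', '.join(flags) or 'no flags'}")
```

Run without arguments, the script audits the constructed sample tree. Against a real profile, call `audit_extensions_dir` with the path the article gives (for example `Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions"` on Windows) and pass `read_windows_forcelist()` as `forced_ids`; an ID that is both on the indicator list and policy-forced is the case where browser-side removal will not hold and the policy source (GPO, registry, or the malware that wrote it) has to be dealt with first. Note that a name-only audit is weaker than an ID audit: the `name` field in a manifest can be changed on resubmission, while the folder name (the ID) cannot.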

What Makes These Threats Dangerous

Malicious extensions — particularly those designed for credential theft — leverage the same APIs and extension permissions that legitimate extensions use for useful features. Once installed, they can:

  • Monitor webpage content
  • Inject overlays or UI elements
  • Capture typed credentials or session tokens
  • Send harvested data to remote endpoints

As previous research has shown, extensions may also be modified after publication or impersonated through fake “productivity” or “AI-powered” tools, turning a trusted add-on into spyware without immediate detection.

Best Practices to Limit Exposure

To reduce the risk of malicious extensions:

  • Audit installed extensions regularly and remove any you don’t recognize.
  • Only install extensions from reputable developers and read reviews.
  • Be especially cautious with extensions requesting broad permissions, such as access to all browsing activity.
  • When possible, use enterprise policies (for corporate devices) to whitelist approved extensions.
  • Consider using solutions like browser security tools or endpoint protection that can flag or block malicious add-ons.
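One way to implement the enterprise-policy allowlist recommended above, as an added example that is not from the article: a Chrome managed-policy file using the ExtensionSettings policy. The `*` entry blocks installation of any extension by default (without such a policy, or with `"installation_mode": "allowed"` on `*`, users may install anything from the Web Store), and the two listed IDs, which are constructed placeholders to be replaced with the IDs of approved extensions, are the only ones permitted: the first may be installed by users, the second is force-installed from the Web Store update URL. On Linux the file belongs under /etc/opt/chrome/policies/managed/; on Windows the same JSON is delivered as the ExtensionSettings policy value via the Group Policy template or registry, and Microsoft Edge accepts a policy of the same name.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Only extensions on the approved list may be installed. Contact IT to request one."
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
      "installation_mode": "allowed"
    },
    "dddddddddddddddddddddddddddddddd": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    }
  }
}
```

Because approval is keyed on the fixed extension ID rather than the changeable name, a sprayed variant republished under a new ID is blocked by default rather than inheriting the approval of the extension it imitates. The applied policy can be confirmed on a managed browser at chrome://policy, which is also where an unexpected force-install entry (the symptom described in step 3) will show up.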