Your Browser Extensions Are Watching You: The Hidden Threat Most People Never Check
That coupon finder, ad blocker, or AI assistant you installed in Chrome? It might be reading every page you visit, stealing your passwords, and selling your browsing data. Malicious browser extensions have compromised over 8 million users — and most of them had good reviews and "Featured" badges.

I want to tell you about something that happened in December 2025, because it illustrates a threat that almost nobody takes seriously enough.
Security researchers discovered that a group they call DarkSpectre had been running malicious browser extensions across Chrome, Edge, and Firefox — for over seven years. The extensions had names like "Google Translate in Right Click," "Ads Block Ultimate," "YouTube Download," and "Free VPN Forever." They worked exactly as advertised. They had good reviews. Some had been in the official Chrome Web Store for five years or more before they turned malicious.
Then, through silent updates, the extensions were weaponized. They began tracking browsing behavior, hijacking search results, stealing affiliate revenue, injecting tracking code, and in some cases, harvesting cookies that could be used for session hijacking. Across three coordinated campaigns — ShadyPanda, GhostPoster, and Zoom Stealer — over 8.8 million users were affected.
The extensions didn't set off alarms because they had years of legitimate history behind them. They'd built trust through normal operation, accumulated genuine reviews, and achieved significant download numbers. Some had even earned Google's "Featured" badge — a quality indicator that users reasonably treat as an endorsement.
And this isn't an isolated incident. In February 2026, researchers found Chrome extensions impersonating AI tools that were stealing entire ChatGPT and DeepSeek conversation histories — over 900,000 downloads. Another extension posing as a Meta Business Suite tool was silently exfiltrating two-factor authentication codes and business analytics data. A pair of extensions disguised as proxy tools had been spying on users since 2017.
Browser extensions are the most under-examined security risk on most people's computers. And unlike malware that requires you to download a suspicious file or visit a dangerous website, these threats come from official stores, with good reviews, doing exactly what they promise — while silently stealing your data in the background.
Why Browser Extensions Are So Dangerous
To understand the threat, you need to understand what browser extensions actually are and how much access they have.
A browser extension runs inside your browser with a level of access that most people don't appreciate. Depending on the permissions it requests, an extension can read and modify every web page you visit. It can see the URLs of every site you navigate to. It can read form data you enter — including usernames, passwords, and credit card numbers. It can access your cookies, which means it can potentially hijack your active sessions on any website. It can modify what you see on a page, injecting content or changing existing content. It can communicate with external servers, sending your data anywhere.
When you install an extension and grant it permission to "Read and change all your data on all websites," you're giving it access to essentially everything you do in your browser. Your banking sessions. Your email. Your medical portal. Your social media. Your search history. Everything.
And here's the critical asymmetry: while traditional malware requires bypassing your operating system's security features, a browser extension has already been invited inside your browser by you. It operates within the trusted environment. Your antivirus may not flag it. Your firewall doesn't block its outgoing connections because they look like normal browser traffic.
The "Sleeper Agent" Problem
What makes the DarkSpectre campaign and similar attacks particularly insidious is the sleeper agent model.
An extension is published to the Chrome Web Store, Edge Add-ons store, or Firefox Add-ons site with completely legitimate functionality. It does what it says — blocks ads, translates text, manages tabs, whatever. It accumulates users, reviews, and trust signals. This clean phase can last months or years.
Then, through a routine update, the extension's developer pushes new code that includes malicious functionality. The update happens silently in the background — users don't approve individual extension updates, and most people don't even notice when they happen.
In some cases, the original developer was compromised. Their Chrome Web Store credentials were phished, and the attacker used those credentials to push the malicious update through Google's infrastructure. In December 2024, this happened to over 20 extensions simultaneously through a single phishing campaign targeting extension developers.
In other cases, the extension was sold. Legitimate developers who've lost interest in maintaining their extensions sometimes sell them through marketplaces like ExtensionHub. The new owner — often with entirely different intentions — pushes an update that adds malicious code. In March 2026, researchers documented an extension called QuickLens that was listed for sale just two days after being published, then transferred to a new owner who weaponized it within weeks.
The result is that the standard advice — "check the reviews before installing" — doesn't protect you. The reviews were earned during the clean phase. By the time the extension turns malicious, it already has five stars and thousands of satisfied users.
How Malicious Extensions Actually Steal Your Data
The techniques are varied and increasingly sophisticated.
Direct credential theft. The extension monitors login pages and captures usernames and passwords as you type them. Because the extension runs within the browser, it can read form data before it's encrypted for transmission. Your HTTPS connection doesn't help here — the extension sees the data before it enters the secure channel.
Cookie and session hijacking. Extensions can read your browser's cookies, including session cookies that keep you logged into websites. By exfiltrating these cookies, an attacker can import them into their own browser and instantly be logged into your accounts without needing your password or 2FA code.
Search hijacking. The extension silently redirects your search queries through affiliate networks, earning revenue for the attacker while subtly changing the results you see.
Keystroke logging. Some extensions log every keystroke you make in the browser, capturing not just passwords but private messages, search queries, and any other text you type.
Conversation harvesting. The 2025-2026 AI extension campaigns specifically targeted ChatGPT and DeepSeek conversations, scraping entire conversation histories. For users who discuss confidential business matters, share code, or process sensitive information through AI chatbots, this represents a serious data leak.
Steganography. The GhostPoster campaign hid malicious JavaScript code inside the extension's logo image — a technique called steganography. The code was decoded and executed at runtime, making it invisible to casual code review and automated scanning tools.
How to Audit Your Browser Extensions Right Now
Stop reading and do this. It takes five minutes and could reveal a serious problem.
Chrome
Type chrome://extensions into your address bar or click the three-dot menu → Extensions → Manage Extensions.
For each extension, ask yourself:
Do I actually use this? If you haven't used an extension in months, remove it. Every installed extension is an active attack surface, whether you're using it or not.
Do I recognize it? If you don't remember installing it or don't know what it does, remove it. It may have been bundled with other software or installed by someone else.
Are its permissions proportional? Click "Details" on any extension. Check what permissions it has. A weather extension that needs "Read and change all your data on all websites" is a red flag. A color picker tool that requests access to your browsing history makes no sense.
Has the developer changed? Check the "Offered by" field. If you notice it's different from what you remember, or if the developer's website looks suspicious, the extension may have been sold and potentially compromised.
Firefox
Type about:addons into the address bar. Review each extension with the same questions.
Edge
Type edge://extensions into the address bar. Same audit process.
Check for Specific Known-Bad Extensions
If you have any extension that matches these patterns, remove it immediately and change your passwords:
- Extensions promising free VPN service (commonly weaponized)
- Extensions with generic names like "System Service" or "Device Admin"
- Extensions that were recently updated but you didn't notice any feature changes
- AI assistant extensions you installed from links rather than the official store
- Extensions that request permissions far beyond their stated functionality
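The audit above is manual, and that is fine for five extensions; it does not scale to a fleet of machines or to a reviewer who wants a repeatable check. The script below is an added example written for this article, not code from the original post or from any browser vendor. It reads the manifest.json that every installed Chromium extension ships (the profile layout `Extensions/<id>/<version>/manifest.json` is an assumption about Chrome and Edge profiles) and flags the same things the audit checklist asks about: host access to all websites, APIs such as cookies and webRequest that a single-purpose tool rarely needs, name patterns the list above calls out, and manifests with no author or homepage to verify. The three sample manifests and their extension ids are constructed for illustration; names of the form `__MSG_key__` are localized placeholders that the script does not resolve.

```python
"""Audit Chromium extension manifests for permissions out of proportion to their purpose.

Added example for this article. Assumes the Chromium profile layout
<profile>/Extensions/<id>/<version>/manifest.json (Chrome and Edge).
"""
import json
import re
from pathlib import Path

# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOST = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that reach well beyond most single-feature tools, with the risk each carries.
SENSITIVE_API = {
    "cookies": "can read session cookies (session hijacking risk)",
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can modify or block requests",
    "declarativeNetRequest": "can rewrite or redirect requests",
    "proxy": "can change proxy settings for all browser traffic",
    "history": "can read browsing history",
    "tabs": "can see the URL of every open tab",
    "scripting": "can inject scripts into pages",
    "clipboardRead": "can read the clipboard",
    "nativeMessaging": "can talk to native programs outside the browser",
    "management": "can control other extensions",
}

# Name patterns the article lists as commonly abused (constructed regex).
SUSPICIOUS_NAME = re.compile(r"free\s*vpn|system\s*service|device\s*admin", re.I)


def host_patterns(manifest):
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions' and content_scripts matches."""
    hosts = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def audit_manifest(manifest):
    """Return a list of human-readable findings for one manifest (empty list means nothing flagged)."""
    findings = []
    if host_patterns(manifest) & BROAD_HOST:
        findings.append("broad host access: reads and changes data on all websites")
    for perm in manifest.get("permissions", []):
        if perm in SENSITIVE_API:
            findings.append(f"{perm}: {SENSITIVE_API[perm]}")
    if SUSPICIOUS_NAME.search(manifest.get("name", "")):
        findings.append("name matches a commonly abused pattern")
    if not manifest.get("author") and not manifest.get("homepage_url"):
        findings.append("no author or homepage: developer cannot be verified")
    return findings


def audit_all(manifests):
    """Map extension id -> findings for a dict of {id: manifest}."""
    return {ext_id: audit_manifest(m) for ext_id, m in manifests.items()}


def load_manifests(profile_dir):
    """Map extension id -> manifest for every extension under a Chromium profile (assumed layout)."""
    found = {}
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        found[ext_id] = json.loads(manifest_path.read_text(encoding="utf-8"))
    return found


# Constructed sample manifests; the ids are made up and match no real extension.
SAMPLE_MANIFESTS = {
    # A colour picker asking for far more than a colour picker needs.
    "abcdefghijklmnopabcdefghijklmnop": {
        "manifest_version": 3, "name": "Color Picker Pro", "version": "2.4.1",
        "permissions": ["cookies", "tabs", "scripting"],
        "host_permissions": ["<all_urls>"],
    },
    # A modest tool whose permissions fit its stated purpose.
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "manifest_version": 3, "name": "Tab Counter", "version": "1.0.0",
        "permissions": ["storage"], "host_permissions": [],
        "homepage_url": "https://example.invalid/tab-counter",
    },
    # An MV2-style manifest that mixes host patterns and API names in one list.
    "zyxwvutsrqponmlkzyxwvutsrqponmlk": {
        "manifest_version": 2, "name": "Free VPN Forever", "version": "5.2.0",
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*", "proxy"],
    },
}


if __name__ == "__main__":
    # Replace SAMPLE_MANIFESTS with load_manifests("/path/to/profile") to audit a real profile.
    for ext_id, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(ext_id, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

A finding is not proof of malice: an ad blocker legitimately needs all-site host access, and a VPN tool legitimately needs proxy. The point is the proportionality question from the checklist, asked mechanically for every installed extension, so the flagged ones are the ones worth a closer look.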
Rules for Extension Safety Going Forward
Minimize Your Extension Count
The most effective defense is the simplest one: install fewer extensions. Every extension you install is a trust decision. You're trusting the developer's current intentions AND their future intentions AND their ability to protect their own accounts from phishing.
Before installing any extension, ask: is there a way to accomplish this without an extension? Built-in browser features now handle many functions that previously required extensions. Chrome, Firefox, and Edge all have built-in translation, reading modes, and screenshot tools. Many "convenience" extensions provide marginal benefit for substantial risk.
Verify the Developer
Before installing an extension, look at who made it. Is it from a well-known company? Does the developer have a real website? Have they published other reputable extensions? An extension from an anonymous developer with no web presence is higher risk than one from a known company.
Read the Permissions Carefully
During installation, the browser tells you what permissions the extension is requesting. Actually read this. If a screenshot tool asks for "Read and change all your data on all websites" — that's excessive. If a dictionary tool wants access to your tabs, history, and bookmarks — that's suspicious.
Review Regularly
Set a recurring reminder — quarterly is reasonable — to review your installed extensions. Remove anything you're not actively using. Check for ownership changes or permission changes that happened through updates.
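The quarterly review works better with a baseline to compare against, because the changes that matter here (a silent update that adds cookies access, or a developer field that quietly changes after a sale) are invisible if all you look at is the current state. The script below is an added example for this article, not code from the original post or from any vendor: it reduces each installed manifest to the fields that matter for a trust decision, saves that as a snapshot, and reports what changed between two snapshots. The store's "Offered by" field is not in the manifest, so the `author`, `homepage_url` and `update_url` keys are used as proxies for ownership (an assumption; a sale that leaves those untouched will not be caught). The profile layout `Extensions/<id>/<version>/manifest.json` is again assumed, and the two sets of sample manifests are constructed.

```python
"""Detect permission or ownership changes across silent extension updates.

Added example for this article. Assumes the Chromium profile layout
<profile>/Extensions/<id>/<version>/manifest.json (Chrome and Edge).
"""
import json
from pathlib import Path

# Manifest keys used as a stand-in for developer identity (assumption: the store's
# "Offered by" field is not available offline).
OWNER_FIELDS = ("author", "homepage_url", "update_url")


def fingerprint(manifest):
    """Reduce a manifest to the fields a trust decision depends on."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms.update(cs.get("matches", []))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "permissions": sorted(perms),
        "owner": {k: manifest.get(k) for k in OWNER_FIELDS},
    }


def snapshot(manifests):
    """Map extension id -> fingerprint for a dict of {id: manifest}."""
    return {ext_id: fingerprint(m) for ext_id, m in manifests.items()}


def diff_snapshots(old, new):
    """Return (extension id, message) alerts for everything that changed between two snapshots."""
    alerts = []
    for ext_id in sorted(set(old) | set(new)):
        if ext_id not in old:
            alerts.append((ext_id, f"new extension installed: {new[ext_id]['name']}"))
            continue
        if ext_id not in new:
            alerts.append((ext_id, f"extension removed: {old[ext_id]['name']}"))
            continue
        o, n = old[ext_id], new[ext_id]
        added = sorted(set(n["permissions"]) - set(o["permissions"]))
        if added:
            alerts.append((ext_id, f"{n['name']} {o['version']} -> {n['version']} gained permissions: {', '.join(added)}"))
        for k in OWNER_FIELDS:
            if o["owner"][k] != n["owner"][k]:
                alerts.append((ext_id, f"{n['name']} {k} changed: {o['owner'][k]!r} -> {n['owner'][k]!r}"))
    return alerts


def load_manifests(profile_dir):
    """Map extension id -> manifest for every extension under a Chromium profile (assumed layout)."""
    found = {}
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        found[manifest_path.parent.parent.name] = json.loads(manifest_path.read_text(encoding="utf-8"))
    return found


def save_snapshot(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True), encoding="utf-8")


def load_snapshot(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))


# Constructed manifests: the state at the last quarterly review ...
OLD_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Ads Block Ultimate", "version": "3.1.0",
        "permissions": ["storage", "declarativeNetRequest"], "host_permissions": ["<all_urls>"],
        "homepage_url": "https://example.invalid/adsblock",
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Tab Counter", "version": "1.0.0", "permissions": ["storage"],
        "homepage_url": "https://example.invalid/tab-counter",
    },
}
# ... and the state today, after a silent update and a new install.
NEW_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Ads Block Ultimate", "version": "3.2.0",
        "permissions": ["storage", "declarativeNetRequest", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "homepage_url": "https://example.invalid/new-owner",
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": OLD_MANIFESTS["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"],
    "cccccccccccccccccccccccccccccccc": {
        "name": "Free VPN Forever", "version": "1.0.0",
        "permissions": ["proxy"], "host_permissions": ["<all_urls>"],
    },
}


if __name__ == "__main__":
    # In practice: save_snapshot(snapshot(load_manifests(profile)), "baseline.json") at each review,
    # then diff against load_snapshot("baseline.json") next time.
    for ext_id, msg in diff_snapshots(snapshot(OLD_MANIFESTS), snapshot(NEW_MANIFESTS)):
        print(ext_id, msg)
```

Only permissions that were added are reported; an update that drops permissions is not a trust concern. A gained permission together with a changed homepage on the same update is exactly the sold-and-weaponized pattern described earlier, and it is the case a reviewer should treat as a removal decision rather than a curiosity.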
Use Chrome's Enhanced Safe Browsing
Chrome offers an "Enhanced protection" mode in Settings → Privacy and Security → Safe Browsing. This mode provides more aggressive warnings about potentially unsafe extensions, including extensions that aren't in the Chrome Web Store's trusted list.
Consider Browser Extension Alternatives
For security-critical functions like ad blocking and password management, consider whether the tool is available as a standalone application rather than a browser extension. A standalone password manager app has better isolation from browser-level attacks than a password manager extension (though major password managers like 1Password and Bitwarden invest heavily in extension security).
The Trust Problem
Here's the uncomfortable reality that the browser extension ecosystem hasn't solved: there's no reliable way for a regular user to know whether an extension is safe.
Reviews can be gamed. Download counts can be manipulated. "Featured" badges, as the AITOPIA case demonstrated, can be awarded to extensions that later turn out to be malicious. Even open-source extensions can be compromised through supply chain attacks on their dependencies.
The Chrome Web Store, Firefox Add-ons, and Edge Add-ons sites all have review processes that combine automated scanning with manual review. These catch many threats. But the sleeper agent model — where an extension is clean for years before being weaponized — is fundamentally difficult to detect through pre-publication review.
Until the browser extension ecosystem develops significantly better trust signals and monitoring (and there are proposals in this direction), the burden falls on users to limit their exposure through minimal installation, regular auditing, and careful permission review.
Your browser is the most sensitive application on your computer. It touches everything you do online. Every extension you install gets to look over your shoulder while you do it.
Make sure you know who's watching.
Written by
Adhen Prasetiyo
Bug bounty research professional, freelancing at HackerOne, Intigriti, and Bugcrowd.