
18 Malicious Chrome and Edge Extensions Exposed: How Everyday Tools Became a Massive Privacy Threat

Imagine downloading a handy Chrome or Edge extension—a color picker for your design projects, a volume booster for YouTube, or maybe an emoji keyboard to spice up your messages. These everyday tools promise productivity and fun, offering useful features with thousands of glowing reviews. But what if, hidden behind those friendly icons and positive ratings, lurked a sophisticated campaign designed to spy on your every click?

That’s not a hypothetical anymore. In July 2024, security researchers at Koi Security uncovered a set of 18 malicious browser extensions still available for download on the Chrome Web Store and Microsoft Edge Add-ons Store. Together, they’ve quietly infected over 2.3 million users—and chances are, you or someone you know might have installed one.

Here’s what you need to know about this alarming discovery, how these malicious extensions slipped through the cracks, and—most importantly—what you should do right now to protect your privacy.


The RedDirection Campaign: Malicious Extensions Hiding in Plain Sight

Let’s break down what exactly happened, and why this case is so alarming.

What Did Koi Security Discover?

A research team led by Idan Dardikman at Koi Security identified 18 browser extensions—11 for Chrome, 7 for Edge—that were actively stealing browsing data and hijacking user sessions. These extensions weren’t fly-by-night scams with obvious red flags. They looked legitimate, delivered real functionality, and in some cases, even carried Google’s or Microsoft’s coveted “verified” badges.

Among the categories targeted:

  • Productivity tools: Color pickers, eyedroppers, dark mode themes
  • Entertainment add-ons: Volume boosters, video speed controllers, YouTube unblockers
  • Social media helpers: VPNs for Discord and TikTok, emoji keyboards
  • Weather and utility extensions: Weather forecasts, currency converters

Each extension operated via its own command and control (C2) subdomain, giving the illusion of independence. But Koi Security’s analysis revealed a centralized attack infrastructure, linking all 18 extensions to a single, advanced threat campaign: RedDirection.

Why Is This So Dangerous?

Here’s why this attack is especially concerning:

  • Widespread Reach: Over 2.3 million browser installations—many from official stores with highlighted recommendations.
  • Stealth Tactics: Extensions started clean to pass security checks, then updated themselves later with malicious code.
  • Trust Exploited: Even “verified” and “featured” extensions were compromised, deceiving both users and security systems.
  • Surveillance Capabilities: The malware tracked every URL you visited, sent it to a remote server with your unique ID, and could even redirect your browser without your knowledge.

Let me put it simply: If you had one of these extensions installed, your online activity was likely being monitored and manipulated in real time.


How Extensions Went From Helpful to Harmful—Without Warning

It’s unsettling to realize that the tool you downloaded for convenience could flip into a privacy nightmare with a single automatic update. But that’s exactly how RedDirection operated.

The Trojan Horse: Extensions Turned Malicious After Gaining Trust

The campaign’s success hinged on a clever strategy:

  1. Release a Genuine, Clean Extension: The initial versions of these extensions worked as advertised, performing legitimate tasks.
  2. Build Credibility and Install Base: With helpful features and positive reviews, extensions racked up downloads—some topping 100,000+ users.
  3. Secure Trust Signals: Several were verified or promoted by Google and Microsoft, appearing on curated lists.
  4. Deploy a Malicious Update: Months or even years later, the extension auto-updated in the background, silently adding code to surveil users and hijack browser sessions.
  5. Evade Detection: Since updates happen quietly, and the extension remains functional, most users never suspect a thing.

This tactic perfectly demonstrates how threat actors exploit the trust signals we count on, like review scores and verification badges. As Dardikman put it in his report, “Sophisticated threat actors are exploiting the trust signals we rely on.”

A Real Example: ‘Color Picker, Eyedropper — Geco colorpick’

One of the first extensions flagged by Koi Security was a color picker tool with over 100,000 installs and 800+ reviews. It was, on the surface, a designer’s dream. But behind the scenes, it quietly delivered a backdoor, enabling attackers to:

  • Track every website you visited
  • Send browsing data to a remote server with your unique tracking ID
  • Receive commands to redirect your browser—potentially to phishing or scam sites

This wasn’t just theoretical; the researchers found evidence of these behaviors across all 18 extensions.


The Technical Breakdown: What RedDirection Extensions Actually Did

Let’s lift the hood for a moment and see how these extensions worked.

The Anatomy of a Malicious Browser Extension

Each compromised extension had two faces:

  1. The front-end: What users saw—an interface for color picking, volume boosting, or other benign features.
  2. The hidden payload: Embedded code that performed the real, malicious work.

Here’s what researchers observed:

  • URL Harvesting: The extension recorded every website you visited, from shopping to social media to sensitive accounts.
  • Data Transmission: This information, along with a uniquely generated tracking ID, was sent to the attacker’s command-and-control server.
  • Browser Redirection: The attacker could issue commands to automatically redirect your browser—potentially steering you to phishing sites, scam pages, or further malware downloads.
  • Modular C2 Infrastructure: Each extension used a separate subdomain, but all routes led back to the same infrastructure, masking the true scale of the campaign.

Why Is This Hard to Detect?

Most anti-virus and browser security systems are designed to catch obvious malware signatures or illicit behaviors. But RedDirection’s stealthy approach—delivering real value while hiding malicious actions in background scripts—allowed it to stay under the radar for years.


Why Security Filters Failed (And What Needs to Change)

You might be wondering: How did these extensions get past Google’s and Microsoft’s security checks?

The Limits of Current Browser Extension Security

Both Chrome and Edge use automated and manual review processes to vet extensions. But these systems have blind spots:

  • Initial Clean Version: Extensions started out clean, so they easily passed checks and earned “trusted” status.
  • Auto-updates: Browsers allow extensions to auto-update with new code—often unreviewed—directly to users’ machines.
  • Obfuscation: Attackers used code obfuscation and evasive techniques to hide malicious logic.
  • Sheer Volume: With millions of extensions in official stores, it’s impossible for humans to review every code update in depth.

Even after being reported by Koi Security, neither Google nor Microsoft responded at the time of writing—raising concerns about how fast these threats are being addressed.

Here’s Why That Matters…

Most users believe that if an extension appears in an official store, especially with a “verified” badge, it’s safe to install. This incident proves that’s not always true—and that we need to stay vigilant even with “trusted” tools.

For a deeper dive on browser extension security and vulnerabilities, check out this resource from the Electronic Frontier Foundation (EFF).


What To Do If You Installed One of These Malicious Extensions

If you’re worried you might have one of these extensions, don’t panic—but do act quickly. Here’s a step-by-step guide:

1. Remove the Malicious Extension Immediately

  • Go to your Chrome or Edge extension page
  • Remove any extension you don’t recognize or no longer need
  • If you know the name of a flagged extension, uninstall it right away

2. Clear Your Browser Data

  • Clear cookies and cached site data to remove tracking identifiers the extension may have stored

3. Run a Full Malware Scan

4. Change Passwords for Sensitive Accounts

  • Especially if you visited email, banking, or social media sites while the extension was installed

5. Monitor Your Accounts

  • Keep an eye out for unusual activity or login attempts

6. Stay Informed

List of Known Malicious Extensions from RedDirection:

While the full list is available on Dardikman’s Medium post, here are some of the names identified:

  • Color Picker, Eyedropper — Geco colorpick
  • Video Speed Controller Pro
  • Discord VPN
  • TikTok VPN
  • Volume Booster Plus
  • YouTube Unblocker
  • Dark Theme for Chrome/Edge
  • Emoji Keyboard Pro
  • Weather Forecast Now

Note: If you find any extension with similar names or suspicious behaviors, consider removing them and searching online for recent security updates.

Why This Attack Was So Effective: Trust, Familiarity, and Feature-Creep

This campaign succeeded not just because of technical trickery, but because it exploited the very things we rely on to keep us safe:

  • Familiarity: Tools that solve real-world problems—boosting volume, picking colors, accessing blocked content—are things millions of users genuinely want.
  • Trust: Verification badges, positive reviews, and featured placement make users feel secure.
  • Invisibility: Malicious updates happen quietly, with no popups or requests for approval.

Attackers know that the best way to breach defenses is to become invisible—to look, act, and feel like any other everyday tool.


How to Protect Yourself From Malicious Browser Extensions

Prevention is always better than cure. Here’s how you can avoid falling victim to similar scams in the future:

Tips for Choosing Safe Extensions

  1. Install Only What You Need. The fewer extensions, the less attack surface.
  2. Verify the Developer. Look for extensions from reputable companies or developers with a visible online presence.
  3. Read Recent Reviews. Positive reviews from years ago may not reflect the current version. Watch for recent complaints about suspicious behavior.
  4. Check Permissions Carefully. Be wary of extensions asking for more permissions than necessary—especially those wanting access to “all your data on all websites.”
  5. Keep Your Browser Updated. Security patches help, but they’re not a silver bullet.
  6. Use Security Tools. Consider browser security add-ons like uBlock Origin, and regularly scan your system with anti-malware.
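The audit in step 1 of the cleanup guide and the permission check in tip 4 can be scripted. The following is an added example (not the article's or Koi Security's tooling): it walks a Chrome or Edge profile's Extensions directory, resolves localized names, compares each name against the list given in this article, and flags permissions that would let an extension observe or steer browsing. The profile path, the risk-permission set, and the name matching are assumptions of the example.

```python
import json
import sys
from pathlib import Path

# Permissions that let an extension observe or steer browsing, i.e. the capabilities
# URL harvesting and redirection need. Risk list assumed by this example.
RISKY_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "history", "scripting", "<all_urls>"}
# Extension names from the article's RedDirection list, compared case-insensitively.
KNOWN_BAD_NAMES = {
    "color picker, eyedropper — geco colorpick", "video speed controller pro",
    "discord vpn", "tiktok vpn", "volume booster plus", "youtube unblocker",
    "dark theme for chrome/edge", "emoji keyboard pro", "weather forecast now",
}

def assess_manifest(manifest: dict) -> dict:
    """Summarise one manifest: version, risky permissions and a known-bad name match."""
    name = manifest.get("name", "")
    # Manifest V2 keeps host patterns in "permissions"; V3 moves them to "host_permissions".
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return {
        "name": name,
        "version": manifest.get("version", "?"),
        "risky_permissions": sorted(requested & RISKY_PERMISSIONS),
        "known_bad": name.strip().lower() in KNOWN_BAD_NAMES,
    }

def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Store builds localise names as __MSG_key__; look the key up in _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            entry = json.loads(msgs.read_text(encoding="utf-8")).get(name[6:-2], {})
            name = entry.get("message", name)
    return name

def audit_profile(profile_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    findings = []
    for manifest_path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        manifest["name"] = resolve_name(manifest, manifest_path.parent)
        findings.append({"id": manifest_path.parts[-3], **assess_manifest(manifest)})
    return findings

if __name__ == "__main__":
    # Usage: python audit_extensions.py <profile dir>, e.g. ~/.config/google-chrome/Default
    for f in audit_profile(Path(sys.argv[1])):
        flag = "KNOWN BAD" if f["known_bad"] else ("REVIEW" if f["risky_permissions"] else "ok")
        print(f"{flag:9} {f['id']} {f['name']} v{f['version']} {f['risky_permissions']}")
```

A "REVIEW" result is not proof of malice; it marks an extension whose permissions deserve the scrutiny tip 4 describes, and a name match should be confirmed against the current Koi Security list.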

Stay Skeptical—Even in Official Stores

No store, badge, or review can guarantee safety 100% of the time. If something seems off, trust your instincts and do some quick research before installing.


The Broader Issue: Browser Extensions as a Security Weak Link

As browsers become our portal to everything—banking, work, social media—extensions have unprecedented power. This incident is a wake-up call for:

  • Browser vendors: Stronger, more transparent review processes are needed.
  • Extension developers: More accountability and public transparency about code changes.
  • Users: Greater awareness that extensions, while helpful, can carry serious risks.

For more on best practices and browser security, see Google’s own advice on Chrome security and the Mozilla Foundation’s research on extension safety.


Frequently Asked Questions (FAQs)

Q1: How can I tell if I have a malicious Chrome or Edge extension installed?
A: Go to your browser’s extensions page (chrome://extensions for Chrome or edge://extensions for Edge). Look for suspicious or unfamiliar extensions, especially those recently installed or with names similar to those flagged in this campaign. Search the extension’s name online with “malware” or “scam” to check for recent alerts.

Q2: Are extensions from the Chrome Web Store or Edge Add-ons Store always safe?
A: Unfortunately, no. While most extensions are safe, some malicious ones slip through, especially if they start out clean and later become malicious via updates. Always review permissions, developer info, and recent reviews.

Q3: What should I do if I think an extension is spying on me?
A: Remove the extension immediately, clear your browser data, run a full malware scan, and change passwords for sensitive accounts. Monitor your online accounts for suspicious activity.

Q4: Why didn’t Google or Microsoft catch these malicious extensions?
A: Automated security checks can miss sophisticated threats, especially when an extension is initially clean and gains trust before turning malicious. The sheer volume of submissions makes manual review challenging.

Q5: Can uninstalling the extension alone remove all the risks?
A: Removing the extension stops new data from being sent, but it’s important to clear browser data and scan your system for further infections, as some extensions may drop additional payloads.

Q6: Where can I find the latest list of compromised extensions?
A: Koi Security’s official Medium post provides the most current list. Security news sites like BleepingComputer also track these threats.


Final Takeaway: Stay Vigilant, Stay Informed

The RedDirection campaign is a reminder that even the most trusted-looking browser extensions can turn against us—sometimes years after we first install them. As users, we need to balance productivity with skepticism, always questioning what we install and how much access we grant.

Here’s what you can do right now:

  • Audit your extensions and uninstall anything you don’t recognize or need.
  • Keep up with security news to stay ahead of new threats.
  • Share this article with friends and colleagues—many don’t realize their browser extensions could be spying on them.

Want more insights like this? Subscribe to our newsletter for regular updates on digital security, privacy, and the best ways to stay safe online.

Stay safe—and remember, when it comes to browser security, a little caution goes a long way.
