Browser extensions are a modern fact of online life. And with good reason – they can help to streamline our everyday computing headaches, enhance the browsing experience (thank you, Ad Blocker), and even reduce eye strain.
It’s because of this that extensions are so ubiquitous today, with a staggering 99% of enterprises featuring at least one on their computer systems, according to the 2025 Enterprise Browser Extension Security Report.
The problem is that these extensions also pose a massive cybersecurity risk, especially when the consequences of a breach are so often dire. Just ask the 2.3 million Google Chrome users who, this week, fell victim to a sophisticated malware campaign masquerading as a harmless add-on.
Over 2 Million Chrome and Edge Users Tricked by Malware Extension
2.3 million Google Chrome and Microsoft Edge users have fallen victim to a “sophisticated” malware campaign, Idan Dardikman explained yesterday on Koi Security’s Medium blog.
The malware has been spread through 18 different authentic-looking browser extensions, which all bore the typical hallmarks of a legitimate browser extension, including “Verified” badges. Dardikman says it’s “one of the largest browser hijacking operations” he has ever seen.
The extensions in question mimicked productivity and entertainment tools across a range of categories, including emoji keyboards, weather forecasts, VPN proxies, and more. “Colour Picker Tool – Geco”, for instance, has more than 100,000 installs and a 4.2/5 rating (you can find a full list of the extension IDs at the bottom of Koi Security’s report).
The campaign differed from a typical malware operation in that it actually delivered on what users were expecting – while flooding their systems with sophisticated surveillance and hijacking tools. Some of the programs that Koi Security investigated even worked as advertised for years before going dark through version updates.
Extensions Inherently Risky For Businesses
The campaign serves as a cautionary tale – businesses should be wary when downloading and installing browser extensions. The problem is that, at present, they are not.
Extensions are ubiquitous in the modern workplace. The 2025 Enterprise Browser Extension Security Report we mentioned earlier, published by LayerX in May 2025, found that 99% of enterprises have at least one installed on their computer systems, while 52% of organizations run more than ten. Alarmingly, 53% of these installed extensions have “high” or “critical” risk permissions, granting them access to sensitive data.
To make matters worse, these extensions come from a variety of sources – some legit, some less so. LayerX also found that more than half (54%) are published anonymously, while 79% originate from publishers that have only released one extension, meaning that it’s virtually impossible to verify their authenticity.
Growth of AI Add-Ons Could Spell Cybersecurity Disaster
A bad problem could be about to get a lot worse. In recent years, AI browser add-ons have flourished, with more than 20% of surveyed employees using such extensions. Of these, 58% have “high” or “critical” permissions, giving them access to top-level data. As the technology develops and new chatbots emerge, expect this trend to become more pronounced.
This spells trouble. If businesses are to turn the tide on data breaches, which occur at an astonishing rate, a good place to start would be to overhaul how they vet browser extensions. As the Google Chrome case illustrates, individual employees should be prohibited from downloading and installing these extensions.
But companies also need to invest significant time and resources into upskilling their staff on basic cybersecurity practices. And this is a problem at all levels. As Tech.co found in its recent Impact of Technology on the Workplace report, a staggering 98% of senior leaders can’t identify all the signs of a phishing scam. Well-trained employees are crucial to ensuring that rules – such as vetting processes for browser extensions – are adhered to.
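One way to start the vetting described above, as an added example that is not from the original article or from LayerX or Koi Security: a Python audit of installed extension manifests against an approved list. The risk tiers, permission sets and sample manifests are assumptions made for illustration.

```python
import json
from pathlib import Path

# Assumed risk tiers for this example; they are not LayerX's scoring.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "webRequest", "declarativeNetRequest", "scripting",
                  "tabs", "history", "debugger", "proxy", "nativeMessaging"}

def requested_permissions(manifest):
    """Collect API and host permissions from a Manifest V2 or V3 manifest."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions",
                "optional_host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms

def audit_extension(ext_id, manifest, allowlist):
    """Return a finding dict: allowlist status plus risky grants."""
    perms = requested_permissions(manifest)
    broad = sorted(perms & BROAD_HOSTS)
    apis = sorted(perms & SENSITIVE_APIS)
    if broad and apis:
        risk = "critical"   # sensitive API usable on every site
    elif broad or apis:
        risk = "high"
    else:
        risk = "low"
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "approved": ext_id in allowlist, "risk": risk,
            "broad_hosts": broad, "sensitive_apis": apis}

def audit_profile(extensions_dir, allowlist):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        findings.append(audit_extension(path.parts[-3], manifest, allowlist))
    return findings

# Constructed sample manifests (IDs and names are made up).
SAMPLES = {
    "a" * 32: {"name": "Sample Notes", "manifest_version": 3,
               "permissions": ["activeTab", "storage"]},
    "b" * 32: {"name": "Sample Weather", "manifest_version": 3,
               "permissions": ["tabs", "webRequest", "storage"],
               "host_permissions": ["<all_urls>"]},
}
if __name__ == "__main__":
    for ext_id, manifest in SAMPLES.items():
        print(audit_extension(ext_id, manifest, allowlist={"a" * 32}))
```

Because some extensions in this campaign worked as advertised for years before a version update changed their behaviour, a one-time check is not enough; rerun the audit whenever installed versions change.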