February 15, 2026

The Complete List of Malicious Chrome Extensions (2025-2026)

Key Takeaway

Over 50 malicious extensions were discovered in 2025-2026, affecting millions of users. Check your installed extensions against this list and scan them with ExtSafe.

Malicious browser extensions continue to be one of the most effective attack vectors in 2025-2026. They bypass traditional security tools, persist across browsing sessions, and can access everything you do online. Here's a documented list of the most significant malicious extension campaigns discovered recently.

The DarkSpectre Campaign (2025)

One of the largest malicious extension campaigns ever discovered, DarkSpectre involved 34 extensions on the Chrome Web Store with a combined install base of over 4 million users. These extensions masqueraded as productivity and utility tools but contained obfuscated code that:

  • Intercepted search queries and redirected them through affiliate links
  • Injected advertisements into web pages
  • Collected browsing history and sent it to external servers
  • Modified cookie values to hijack e-commerce affiliate commissions

The extensions used delayed activation — malicious behavior only started 72 hours after installation — and geographic targeting to avoid detection by security researchers.

Cyberhaven Supply Chain Attack (December 2024 – January 2025)

In one of the most high-profile incidents, attackers compromised the Cyberhaven Chrome extension through a phishing attack on the company's Chrome Web Store developer account. The compromised version (24.10.4) was live for approximately 25 hours before being detected. The malicious code:

  • Exfiltrated cookies, authenticated sessions, and browsing data
  • Targeted specific websites including social media and AI platforms
  • Sent stolen data to a command-and-control domain registered just days earlier

This attack highlighted how even legitimate, security-focused companies can have their extensions weaponized through supply chain compromise.

ChatGPT-Themed Credential Theft (2025)

Capitalizing on the AI boom, attackers published at least 12 extensions posing as ChatGPT enhancements, "GPT-4 access," or AI writing assistants. These extensions:

  • Stole Facebook Business account credentials through injected fake login forms
  • Harvested cookies for Google, Microsoft, and social media accounts
  • Used legitimate-looking OAuth flows to trick users into granting permissions
  • Accumulated over 800,000 installs before removal

GhostPoster Social Media Hijacking (2025)

The GhostPoster campaign involved 8 extensions disguised as social media schedulers and analytics tools. Once installed, they:

  • Silently posted spam and phishing links from compromised social media accounts
  • Harvested social media session tokens for resale
  • Modified social media feeds to inject promoted content
  • Used WebSocket connections to receive real-time commands from C2 servers

Common Patterns in Malicious Extensions

Across these campaigns, several patterns emerge that you can watch for:

  • Excessive permissions: Requesting "Read and change all your data on all websites" for functionality that shouldn't need it
  • Obfuscated code: Minified or encoded JavaScript that hides actual behavior
  • Delayed activation: Malicious code that only runs after a waiting period
  • Remote code loading: Fetching and executing code from external servers via eval() or new Function()
  • Cookie and session access: Requesting cookie permissions combined with network access
  • Copycat naming: Using names similar to popular legitimate extensions
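
As an added example (not code from the original article or from ExtSafe), the Node.js script below checks an unpacked extension's manifest and script text for several of the patterns listed above. The function names, the thresholds and both sample extensions are assumptions constructed for illustration; a hit means the extension deserves a closer review, not that it is malicious.

```javascript
'use strict';
// Added example: static triage of an unpacked extension (manifest + script text).
// Heuristics and thresholds are assumptions; a hit means "review", not "malicious".
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Host patterns from MV2 permissions, MV3 host_permissions and content_scripts.matches.
function hostPatterns(m) {
  const declared = [...(m.permissions || []), ...(m.host_permissions || [])];
  const injected = (m.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...declared, ...injected].filter((p) => p === '<all_urls>' || p.includes('://'));
}

function auditExtension(manifest, sources) {
  const findings = [];
  const add = (pattern, detail) => findings.push({ pattern, detail });
  const hosts = hostPatterns(manifest);
  const broad = hosts.filter((h) => BROAD_HOSTS.has(h));
  if (broad.length) add('excessive-permissions', broad.join(', '));
  // The cookies API only works on hosts the extension also has access to.
  if ((manifest.permissions || []).includes('cookies') && hosts.length)
    add('cookie-and-host-access', hosts.join(', '));
  for (const [file, code] of Object.entries(sources)) {
    if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(code)) add('dynamic-code', file);
    // chrome.alarms delays of 24 hours or more (72 hours = 4320 minutes).
    const delays = [...code.matchAll(/delayInMinutes\s*:\s*(\d+)/g)].map((x) => Number(x[1]));
    if (delays.some((d) => d >= 1440)) add('delayed-activation', file);
    // Many escape sequences or base64 decoding suggest encoded strings.
    const escapes = (code.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
    if (escapes > 20 || /\batob\s*\(/.test(code)) add('obfuscation', file);
  }
  return findings;
}

// Constructed samples, not taken from any real extension.
const suspicious = {
  manifest: { manifest_version: 3, name: 'Sample Tab Helper',
    permissions: ['cookies', 'storage', 'alarms'], host_permissions: ['<all_urls>'] },
  sources: { 'background.js':
    "chrome.alarms.create('sync', { delayInMinutes: 4320 });\n" +
    "const run = new Function(atob(payload));\n" },
};
const benign = {
  manifest: { manifest_version: 3, name: 'Sample Notes',
    permissions: ['storage'], host_permissions: ['https://notes.example/*'] },
  sources: { 'content.js': "document.title = 'notes';\n" },
};

console.log(auditExtension(suspicious.manifest, suspicious.sources));
console.log(auditExtension(benign.manifest, benign.sources));
```

To use it on a real extension, pass the parsed manifest.json and an object mapping each script's file name to its text.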

How to Check If You're Affected

  • Open chrome://extensions and review all installed extensions
  • Remove any extensions you don't recognize or no longer use
  • Check extension permissions — revoke anything that looks excessive
  • Use ExtSafe to scan any extensions you want to keep — paste the Chrome Web Store URL to get a full security analysis
  • Check the services you recently used in that browser for signs of unauthorized account access

What to Do If You're Affected

  • Remove the malicious extension immediately
  • Change passwords for all accounts accessed through that browser
  • Revoke active sessions in Google, Facebook, and other services
  • Enable two-factor authentication on all critical accounts
  • Monitor your accounts for unauthorized activity over the next few weeks
  • Report the extension to the Chrome Web Store

Browser extension security is an ongoing challenge. New malicious extensions appear regularly, and even trusted ones can be compromised. Make scanning part of your security routine.
