Malicious Browser Extension Scams
How attackers distribute harmful browser extensions through stores and third-party sites to steal data, hijack sessions, and inject advertising into every page you visit.
Last reviewed: 8 June 2026
Browser extensions occupy a privileged position in your digital environment: they can read and modify every web page you visit, access your browsing history, and interact with form fields including password inputs and payment details. Malicious extensions abuse the full range of these permissions, often while appearing to provide a useful service.
Extensions are distributed through official browser stores and increasingly through third-party sites promoted via social media ads or search results. Official stores have review processes, but malicious extensions do slip through, sometimes when an attacker buys a legitimate extension and then pushes malicious updates to its existing user base.
How this scam works on browser extensions
A user installs an extension from the browser store that appears to provide a useful function: a productivity tool, a grammar checker, a VPN, a price comparison. The extension requests broad permissions at install time or via an update. Once active, it reads form content on every site and sends the captured credentials and payment details to an external logging system. It may also replace legitimate ads with attacker-controlled ads, or redirect specific search queries to phishing pages.
Malicious updates to previously legitimate extensions are a documented attack vector. A developer sells or hands over a popular extension, and the new owner pushes an update that introduces data harvesting. Existing users, who trusted the original extension, do not re-evaluate permissions on update.
Common red flags
- Extension requests permission to read and change data on all websites rather than specific relevant sites
- Browser redirects searches or alters page content in unexpected ways
- Extension was recently transferred to a new developer or shows a sudden change in publishing history
- Pop-up ads begin appearing on sites that normally show no advertising
- You are logged out of accounts or prompted to re-authenticate more frequently than normal
- Extension was promoted through a social media ad rather than discovered organically in the browser store
How to protect yourself
- Install extensions only from the official browser store and review developer history
- Scrutinise permission requests and avoid extensions requiring all-site read-write access unless absolutely necessary
- Audit your installed extensions list regularly and remove anything you no longer actively use
- Check extension update history and reviews when an update is applied to a previously trusted tool
- Use a dedicated browser profile with minimal extensions for banking and financial activities
How to report it
- Report the extension in the browser store as malicious
- Report to your national cybercrime authority if data or credentials were compromised
- If financial accounts were accessed, contact your bank and change all affected passwords immediately
Frequently asked questions
How do I audit the permissions of my current browser extensions?
In Chrome, go to chrome://extensions and review each extension's listed permissions. In Firefox, open Add-ons and Themes and check Permissions for each add-on. Any extension with permission to read and change all site data warrants close scrutiny.
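The same check can be scripted against extension manifests on disk. The following is an added example, not part of the original page: it flags any manifest.json that requests all-site access in its permission lists or content-script match lists. It assumes you pass it a directory of unpacked extensions; the sample manifests and the pattern set are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# All-site match patterns; a constructed starting set for an audit, not a complete list.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
KEYS = ("permissions", "optional_permissions", "host_permissions", "optional_host_permissions")


def broad_host_access(manifest):
    """Return {manifest key: [all-site patterns]} for one parsed manifest.json."""
    found = {}
    for key in KEYS:
        hits = [p for p in manifest.get(key, []) if isinstance(p, str) and p in BROAD]
        if hits:
            found[key] = hits
    # Content scripts run inside the page, so their match lists count too.
    hits = sorted({m for cs in manifest.get("content_scripts", [])
                   for m in cs.get("matches", []) if m in BROAD})
    if hits:
        found["content_scripts.matches"] = hits
    return found


def audit_directory(root):
    """Check every manifest.json below root; return {path: findings} for flagged ones."""
    report = {}
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        found = broad_host_access(manifest) if isinstance(manifest, dict) else {}
        if found:
            report[str(path)] = found
    return report


# Constructed sample manifests (not real extensions).
SAMPLE_MV3 = {"manifest_version": 3, "permissions": ["storage"],
              "host_permissions": ["<all_urls>"],
              "content_scripts": [{"matches": ["https://*/*", "http://*/*"]}]}
SAMPLE_MV2 = {"manifest_version": 2, "permissions": ["tabs", "*://*/*"]}
SAMPLE_NARROW = {"manifest_version": 3, "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    for path, found in audit_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

An empty result means none of the listed all-site patterns were requested; it does not clear an extension, since narrower permissions can still expose the sites that matter to you.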