Trojanized Extensions Hijack Browsers, Impact 2.3 Million Chrome and Edge Users
 CyberNews.PT | July 11, 2025

A massive browser security breach has been uncovered after several popular Chrome and Edge extensions were found to be Trojanized, hijacking users’ browsers and compromising the data of more than 2.3 million people worldwide.

Security researchers at Guardio Labs revealed the threat earlier this week, warning that what appeared to be harmless productivity or shopping tools were, in fact, sophisticated malware delivery vehicles. These malicious extensions included features like coupon finders, price trackers, PDF converters, and tab managers—functions that made them appear trustworthy and useful to everyday users.

However, once installed, the extensions covertly injected malicious JavaScript code into every web page a user visited. This enabled attackers to:

• Redirect search results to malicious advertising or phishing sites

• Monitor users’ browsing habits

• Hijack legitimate links and replace them with affiliate or malicious ones

• Collect personally identifiable information (PII), such as email addresses and device details

Trojan in Disguise

“This was not just a case of unwanted ads,” said Aviran Hazum, Head of Threat Research at Guardio Labs. “This is a full-scale browser hijack. These extensions acted like legitimate software but were built with an evil twist—they changed behavior based on server-side commands, allowing them to bypass initial security reviews and remain undetected for months.”

What made the campaign particularly dangerous was its ability to remain hidden in plain sight. The malicious behavior was only triggered after installation and a waiting period, reducing suspicion and evading Google’s and Microsoft’s automated scanners.

How Did It Spread?

Researchers say the campaign likely spread through aggressive social media advertising and sponsored links in search engines. Unsuspecting users were lured into downloading these “useful” tools from the Chrome Web Store or Microsoft Edge Add-ons site, both of which have since removed the offending extensions.

Among the most downloaded Trojanized extensions were:

• “AutoPage”

• “Crystal Ad Block”

• “WebEnhancer”

• “QuickDocs”

• “Video Downloader Pro+”

Combined, these extensions had over 2.3 million installs before they were taken down.

What Should Users Do?

If you suspect you may have installed any of these or similar suspicious extensions, you should:

1. Uninstall the extension immediately

2. Clear your browser cache and reset your search engine settings

3. Change your passwords—especially for email, banking, and shopping sites

4. Scan your system with a reputable antivirus or anti-malware program

Additionally, both Google and Microsoft have issued statements saying they are strengthening their extension vetting processes. Google reminded users to be cautious and always review permissions before installing any extension.

Final Thoughts

This incident serves as a stark reminder that browser extensions—though often helpful—can also become a serious security risk. As cybercriminals become more sophisticated in their tactics, even official app stores are no longer entirely safe. Vigilance, user education, and stricter regulation in browser extension ecosystems are crucial to preventing similar attacks in the future.

For a list of the affected extensions and tools to help detect and remove them, visit CyberNews.PT.

Have you been affected by this Trojan extension campaign? Share your experience in the comments or contact our cybersecurity team.