A cybersecurity report from Experis Cyber reveals that multiple widely used Chrome extensions have been secretly harvesting user data and sending it to external servers. Despite the breach, some infected extensions remain live, posing ongoing privacy risks.
A new cybersecurity alert has uncovered one of the most significant browser-based privacy threats to date. According to a report by Experis Cyber, more than 2.3 million users have unknowingly installed Google Chrome extensions that function as spyware—silently tracking online activity and transmitting it to unknown servers.
The threat, originally identified by Koi Security researchers, involves nearly a dozen popular Chrome extensions—some still bearing Google’s verification badge and hundreds of positive user reviews. While a few of the flagged extensions have been removed from the Chrome Web Store, others remain available and appear in top search results, giving users a false sense of security.
Among the malicious extensions identified are:
- Geco Color Picker
- Emoji Keyboard Online
- Free Weather Forecast
- Volume Max
- Unlock Discord VPN
- Unlock TikTok
- Dark Theme
- Unlock YouTube VPN
Particularly alarming is Volume Max, which had previously raised red flags and has now been definitively confirmed to include spyware components. According to the report, the infected extensions operate silently in the background, logging every website the user visits. These URLs—along with a unique identifier—are sent to external servers, creating a robust profile of user behavior without consent.
Though no malicious redirects have been executed yet, researchers emphasize that the code contains the capability to do so, making the threat both immediate and highly scalable.
What makes this incident even more concerning is that many of the compromised extensions were originally safe and widely trusted. Security analysts suspect these tools were later hijacked or sold to bad actors who inserted malicious code during routine updates—updates that Chrome applies automatically, without user review.
The threat isn’t confined to Chrome. Experis Cyber confirms that identical spyware extensions are also present in the Microsoft Edge Add-ons store, with an additional 600,000 downloads recorded—widening the scope of the attack.
“This case proves that even Google-verified extensions can become Trojan horses,” said Roman Malkov, SOC Manager at Experis Cyber. “The scale of this operation, combined with the stealth of its execution, represents a serious risk to user privacy across the board.”
Malkov urges all users—especially organizations and IT administrators—to take immediate action:
- Audit all installed browser extensions
- Remove any unrecognized or suspicious tools
- Use enterprise-level monitoring for browser activity
- Keep all security software updated
- Deploy anti-phishing and email protection systems
He concluded with a stark warning:
“The silent nature of this breach, combined with distribution through trusted platforms, demands immediate and aggressive action. This isn’t just about one or two tools—it’s a wake-up call for the entire digital ecosystem.”
With billions relying on browser extensions daily, this incident underscores the urgent need for tighter extension security protocols, better transparency, and more robust user controls.
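The first recommendation above, auditing installed extensions, can be scripted. The following is an added example, not code from the report or from Experis Cyber: it walks a Chromium profile's `Extensions/<id>/<version>/manifest.json` layout, flags names from the list above, and reports manifest grants that expose visited URLs. The function names and the sample profile with its made-up IDs are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Names from the article (it gives no extension IDs); a name hit is a lead, not proof.
FLAGGED = {"geco color picker", "emoji keyboard online", "free weather forecast", "volume max",
           "unlock discord vpn", "unlock tiktok", "dark theme", "unlock youtube vpn"}
# Manifest grants that let an extension observe the URLs a user visits.
URL_ACCESS = {"tabs", "webNavigation", "history", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def display_name(manifest, version_dir):
    """Return the name, resolving a localized __MSG_key__ placeholder if present."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            messages = json.loads(path.read_text(encoding="utf-8-sig"))
            key = name[6:-2].lower()  # message keys match case-insensitively
            return next((v["message"] for k, v in messages.items() if k.lower() == key), name)
        except (OSError, ValueError, LookupError, TypeError, AttributeError):
            return name  # no usable locale file: keep the raw placeholder
    return name

def audit(extensions_dir):
    """Report every <extensions_dir>/<id>/<version>/manifest.json found."""
    report = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the audit
        grants = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        grants += [m for s in manifest.get("content_scripts", []) for m in s.get("matches", [])]
        name = display_name(manifest, path.parent)
        seen = sorted({g for g in grants if isinstance(g, str) and g in URL_ACCESS})
        report.append({"id": path.parent.parent.name, "name": name, "url_access": seen,
                       "named_in_report": name.strip().lower() in FLAGGED})
    return report

def make_sample():
    """Write a constructed profile (made-up IDs) to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    for ext_id, manifest in {"a" * 32: {"name": "Volume Max", "host_permissions": ["<all_urls>"]},
                             "b" * 32: {"name": "Notes", "permissions": ["storage"]}}.items():
        (root / ext_id / "1.0_0").mkdir(parents=True)
        (root / ext_id / "1.0_0" / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    print(*audit(make_sample()), sep="\n")
```

On a real machine, pass the profile's `Extensions` directory to `audit()`, for example `~/.config/google-chrome/Default/Extensions` on Linux; Edge uses the same layout under its own profile directory.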