
How to find and remove credential-stealing Chrome extensions

13 February 2026 at 08:27

Researchers have uncovered 30 Chrome extensions stealing user data. Here’s how to check your browser and remove any malicious extensions step by step.

The post How to find and remove credential-stealing Chrome extensions appeared first on Security Boulevard.


Researchers have found yet another family of malicious extensions in the Chrome Web Store. This time, 30 different Chrome extensions were found stealing credentials from more than 260,000 users.

The extensions rendered a full-screen iframe pointing to a remote domain. This iframe overlaid the current webpage and visually appeared as the extension’s interface. Because this functionality was hosted remotely, it was not included in the review that allowed the extensions into the Web Store.

In other recent findings, we reported about extensions spying on ChatGPT chats, sleeper extensions that monitored browser activity, and a fake extension that deliberately caused a browser crash.

To spread the risk of detections and take-downs, the attackers used a technique known as “extension spraying.” This means they used different names and unique identifiers for basically the same extension.

What often happens is that researchers provide a list of extension names and IDs, and it’s up to users to figure out whether they have one of these extensions installed.

Searching by name is easy when you open your “Manage extensions” tab, but unfortunately extension names are not unique. You could, for example, have the legitimate extension installed that a criminal tried to impersonate.

Searching by unique identifier

For Chrome and Edge, a browser extension ID is a unique 32‑character string of lowercase letters that stays the same even if the extension is renamed or reshipped.

When we’re looking at the extensions from a removal angle, there are two kinds: those installed by the user, and those force‑installed by other means (network admin, malware, Group Policy Object (GPO), etc.).

We will only look at the first type in this guide—the ones users installed themselves from the Web Store. The guide below is aimed at Chrome, but it’s almost the same for Edge.

How to find installed extensions

You can review the installed Chrome extensions like this:

  • In the address bar type chrome://extensions/.
  • This will open the Extensions tab and show you the installed extensions by name.
  • Now toggle Developer mode to on and you will also see their unique ID.
Image: Extensions tab showing Malwarebytes Browser Guard. Don’t remove this one. It’s one of the good ones.

Removal method in the browser

Use the Remove button to get rid of any unwanted entries.

If it disappears and stays gone after restart, you’re done. If there is no Remove button or Chrome says it’s “Installed by your administrator,” or the extension reappears after a restart, there’s a policy, registry entry, or malware forcing it.

Alternative

Alternatively, you can also search the Extensions folder. On Windows systems this folder lives here: C:\Users\<your‑username>\AppData\Local\Google\Chrome\User Data\Default\Extensions.

Please note that the AppData folder is hidden by default. To unhide files and folders in Windows, open Explorer, click the View tab (or menu), and check the Hidden items box. For more advanced options, choose Options > Change folder and search options > View tab, then select Show hidden files, folders, and drives.

Image: Chrome extensions folder

You can organize the list alphabetically by clicking on the Name column header once or twice. This makes it easier to find extensions if you have a lot of them installed.

Deleting the extension folder here has one downside. It leaves an orphaned entry in your browser. When you start Chrome again after doing this, the extension will no longer load because its files are gone. But it will still show up in the Extensions tab, only without the appropriate icon.

So, our advice is to remove extensions in the browser when possible.

Malicious extensions

Below is the list of credential-stealing extensions using the iframe method, as provided by the researchers.

Extension ID                      Extension name
acaeafediijmccnjlokgcdiojiljfpbe  ChatGPT Translate
baonbjckakcpgliaafcodddkoednpjgf  XAI
bilfflcophfehljhpnklmcelkoiffapb  AI For Translation
cicjlpmjmimeoempffghfglndokjihhn  AI Cover Letter Generator
ckicoadchmmndbakbokhapncehanaeni  AI Email Writer
ckneindgfbjnbbiggcmnjeofelhflhaj  AI Image Generator Chat GPT
cmpmhhjahlioglkleiofbjodhhiejhei  AI Translator
dbclhjpifdfkofnmjfpheiondafpkoed  Ai Wallpaper Generator
djhjckkfgancelbmgcamjimgphaphjdl  AI Sidebar
ebmmjmakencgmgoijdfnbailknaaiffh  Chat With Gemini
ecikmpoikkcelnakpgaeplcjoickgacj  Ai Picture Generator
fdlagfnfaheppaigholhoojabfaapnhb  Google Gemini
flnecpdpbhdblkpnegekobahlijbmfok  ChatGPT Picture Generator
fnjinbdmidgjkpmlihcginjipjaoapol  Email Generator AI
fpmkabpaklbhbhegegapfkenkmpipick  Chat GPT for Gmail
fppbiomdkfbhgjjdmojlogeceejinadg  Gemini AI Sidebar
gcfianbpjcfkafpiadmheejkokcmdkjl  Llama
gcdfailafdfjbailcdcbjmeginhncjkb  Grok Chatbot
gghdfkafnhfpaooiolhncejnlgglhkhe  AI Sidebar
gnaekhndaddbimfllbgmecjijbbfpabc  Ask Gemini
gohgeedemmaohocbaccllpkabadoogpl  DeepSeek Chat
hgnjolbjpjmhepcbjgeeallnamkjnfgi  AI Letter Generator
idhknpoceajhnjokpnbicildeoligdgh  ChatGPT Translation
kblengdlefjpjkekanpoidgoghdngdgl  AI GPT
kepibgehhljlecgaeihhnmibnmikbnga  DeepSeek Download
lodlcpnbppgipaimgbjgniokjcnpiiad  AI Message Generator
llojfncgbabajmdglnkbhmiebiinohek  ChatGPT Sidebar
nkgbfengofophpmonladgaldioelckbe  Chat Bot GPT
nlhpidbjmmffhoogcennoiopekbiglbp  AI Assistant
phiphcloddhmndjbdedgfbglhpkjcffh  Asking Chat Gpt
pgfibniplgcnccdnkhblpmmlfodijppg  ChatGBT
cgmmcoandmabammnhfnjcakdeejbfimn  Grok
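As an added example (not code from the post or from Malwarebytes), the following Python script automates the folder-based check described above: it walks the Extensions folder, treats each 32-letter folder name as an extension ID, reads the manifest for the display name, and flags any ID found in a pasted list such as the table above. The Windows path and the two IDs in SAMPLE_BLOCKLIST come from the page; the temporary profile that run_demo() builds is constructed for illustration.

```python
"""Offline check of a Chrome/Edge Extensions folder against a published ID list."""
import json
import os
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 lowercase letters in the range a-p, derived from the
# extension's signing key, which is why a rename or a new version never changes them.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

SAMPLE_BLOCKLIST = {  # two IDs from the table above; paste the whole table in practice
    "acaeafediijmccnjlokgcdiojiljfpbe",  # ChatGPT Translate
    "cgmmcoandmabammnhfnjcakdeejbfimn",  # Grok
}

def is_extension_id(value: str) -> bool:
    return bool(EXTENSION_ID_RE.match(value))

def load_blocklist(text: str) -> set:
    """Collect one ID per line; tolerates the fused 'acaeaf...fpbeChatGPT Translate' form."""
    ids = set()
    for line in text.splitlines():
        match = re.match(r"[a-p]{32}", line.strip())
        if match:
            ids.add(match.group(0))
    return ids

def default_extensions_dir() -> Path:
    """Chrome's default-profile path on Windows, as given in the post."""
    base = os.environ.get("LOCALAPPDATA", "")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"

def scan_extensions_dir(ext_root, blocklist) -> list:
    """Walk <Extensions>/<id>/<version>/manifest.json and flag IDs on the blocklist.
    The ID is the folder name, so a blocked ID is caught even if its manifest is gone."""
    findings = []
    for ext_dir in sorted(Path(ext_root).iterdir()):
        if not (ext_dir.is_dir() and is_extension_id(ext_dir.name)):
            continue  # Temp or stray folders are not extensions
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                manifest = json.loads((ver_dir / "manifest.json").read_text(encoding="utf-8-sig"))
                name = manifest.get("name", "<no name>")
            except (OSError, ValueError):
                name = "<unreadable manifest>"
            findings.append({"id": ext_dir.name, "version": ver_dir.name,
                             "name": name, "flagged": ext_dir.name in blocklist})
    return findings

def run_demo() -> list:
    """Scan a constructed profile in a temp dir: one listed ID and one benign ID."""
    root = Path(tempfile.mkdtemp())
    layout = {"cgmmcoandmabammnhfnjcakdeejbfimn/1.0.3": {"name": "Grok"},
              "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/2.1": {"name": "Constructed benign extension"}}
    for rel, manifest in layout.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest))
    return scan_extensions_dir(root, SAMPLE_BLOCKLIST)

if __name__ == "__main__":
    target = default_extensions_dir()
    for item in scan_extensions_dir(target, SAMPLE_BLOCKLIST) if target.is_dir() else run_demo():
        print("FLAGGED" if item["flagged"] else "ok     ", item["id"], item["version"], item["name"])
```

Run it with Chrome closed; a flagged entry should still be removed through the Extensions tab, as the post advises, so no orphaned entry is left behind.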

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Open the wrong “PDF” and attackers gain remote access to your PC

5 February 2026 at 08:48

Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong “invoice” or “purchase order” and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer.

It’s a remote access tool, which means attackers gain remote hands‑on‑keyboard control, while traditional file‑based defenses see almost nothing suspicious on disk.

From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks.

Victims receive phishing emails that look like routine business messages, often referencing purchase orders or invoices and sometimes impersonating real companies. The email doesn’t attach a document directly. Instead, it links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways.

The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD) file. When the user double‑clicks it, Windows mounts it as a new drive (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells.

Inside the mounted drive is what appears to be the expected document, but it’s actually a Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF.

After some checks to avoid analysis and detection, the script injects the payload—AsyncRAT shellcode—into trusted, Microsoft‑signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, or sihost.exe. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, which makes detection, and later forensics, much harder. It also avoids sudden spikes in activity or memory usage that could draw attention.

For an individual user, falling for this phishing email can result in:

  • Theft of saved and typed passwords, including for email, banking, and social media.
  • Exposure of confidential documents, photos, or other sensitive files taken straight from the system.
  • Surveillance via periodic screenshots or, where configured, webcam capture.
  • Use of the machine as a foothold to attack other devices on the same home or office network.

How to stay safe

Because detection can be hard, it is crucial that users apply certain checks:

  • Don’t open email attachments until after verifying, with a trusted source, that they are legitimate.
  • Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them, so a file that is really called invoice.pdf.vhd is shown as invoice.pdf. See below for how to make extensions visible.
  • Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory.
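As an added example (not from the post), the Python below shows why the extension check matters: it classifies a file by its leading bytes rather than its name, reports what Explorer would display with extensions hidden, and flags the invoice.pdf.vhd pattern from the campaign. The PDF magic and the VHD footer cookie are the real format markers; the two sample files are constructed, not samples from DEAD#VAX.

```python
"""Tell a real PDF from a disk image wearing a PDF name, by bytes rather than by name."""
import os

PDF_MAGIC = b"%PDF-"
VHD_COOKIE = b"conectix"  # opens the 512-byte VHD footer; dynamic VHDs also
                          # carry a copy of that footer at offset 0
MOUNTABLE_IMAGES = {"vhd", "vhdx"}  # Windows mounts these on double-click

def sniff_type(data: bytes) -> str:
    """Classify by content: 'pdf', 'vhd' or 'unknown'."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(VHD_COOKIE):
        return "vhd"
    if len(data) >= 512 and data[-512:].startswith(VHD_COOKIE):
        return "vhd"
    return "unknown"

def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    only the last extension is hidden, so invoice.pdf.vhd appears as invoice.pdf."""
    return os.path.splitext(filename)[0]

def assess(filename: str, data: bytes) -> dict:
    """Flag a file whose real extension hides behind a document-like one, whose
    bytes disagree with its extension, or that is a mountable disk image."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower().lstrip(".")
    inner = os.path.splitext(stem)[1].lower().lstrip(".")
    actual = sniff_type(data)
    reasons = []
    if inner in {"pdf", "doc", "docx", "xls", "xlsx"}:
        reasons.append(f"double extension: shows as {displayed_name(filename)}")
    if ext == "pdf" and actual != "pdf":
        reasons.append(f"named .pdf but content looks like {actual}")
    if ext in MOUNTABLE_IMAGES or actual == "vhd":
        reasons.append("disk image: opening mounts a drive instead of a document")
    return {"file": filename, "shown_as": displayed_name(filename), "claimed": ext,
            "actual": actual, "suspicious": bool(reasons), "reasons": reasons}

# Constructed samples (not from the campaign): a tiny PDF and a VHD-shaped blob
# with the footer cookie at both ends, the way a dynamic VHD lays it out.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_VHD = (VHD_COOKIE + b"\x00" * 504) * 2

def demo() -> list:
    return [assess("invoice.pdf", SAMPLE_PDF),
            assess("invoice.pdf.vhd", SAMPLE_VHD),
            assess("purchase_order.pdf", SAMPLE_VHD)]

if __name__ == "__main__":
    for result in demo():
        print(result["file"], "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```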

Showing file extensions on Windows 10 and 11

To show file extensions in Windows 10 and 11:

  • Open Explorer (Windows key + E)
  • In Windows 10, select View and check the box for File name extensions.
  • In Windows 11, this is found under View > Show > File name extensions.

Alternatively, search for File Explorer Options to uncheck Hide extensions for known file types.

For older versions of Windows, refer to this article.


Firefox joins Chrome and Edge as sleeper extensions spy on users

19 January 2026 at 07:47

A group of cybercriminals called DarkSpectre is believed to be behind three campaigns spread by malicious browser extensions: ShadyPanda, GhostPoster, and Zoom Stealer.

We wrote about the ShadyPanda campaign in December 2025, warning users that extensions which had behaved normally for years suddenly went rogue. After a malicious update, these extensions were able to track browsing behavior and run malicious code inside the browser.

Also in December, researchers uncovered a new campaign, GhostPoster, and identified 17 compromised Firefox extensions. The campaign was found to hide JavaScript code inside the image logo of malicious Firefox extensions with more than 50,000 downloads, allowing attackers to monitor browser activity and plant a backdoor.

The use of malicious code in images is a technique called steganography. Earlier GhostPoster extensions hid JavaScript loader code inside PNG icons such as logo.png for Firefox extensions like “Free VPN Forever,” using a marker (for example, three equals signs) in the raw bytes to separate image data from payload.

Newer variants moved to embedding payloads in arbitrary images inside the extension bundle, then decoding and decrypting them at runtime. This makes the malicious code much harder for researchers to detect.
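As an added example (not from the post or from the researchers), this Python parser checks for the marker-based hiding technique described above: it walks a PNG's chunk list to the IEND chunk, which is where an image viewer stops reading, and reports any bytes that follow it, including whatever sits after a separator such as three equals signs. The icon bytes and the appended text are constructed here; the chunk layout and signature are the PNG format's own.

```python
"""Flag PNG icons that carry bytes after the IEND chunk, where a loader can hide."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG, constructed here as a stand-in for logo.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one gray pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND.
    An image viewer stops here, so anything beyond it is invisible to the user."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def trailing_payload(data: bytes) -> bytes:
    return data[png_end_offset(data):]

def after_marker(data: bytes, marker: bytes = b"===") -> bytes:
    """Early GhostPoster loaders split image from payload with a marker such as
    three equals signs; return what follows the first marker past IEND."""
    tail = trailing_payload(data)
    idx = tail.find(marker)
    return tail[idx + len(marker):] if idx >= 0 else b""

def scan_icon(data: bytes) -> dict:
    tail = trailing_payload(data)
    return {"trailing_bytes": len(tail), "suspicious": len(tail) > 0,
            "after_marker": after_marker(data)}

# Constructed samples: a clean icon and one with marker-separated text appended.
CLEAN_ICON = minimal_png()
HIDDEN_TEXT = b"// constructed placeholder standing in for a loader script"
TAINTED_ICON = CLEAN_ICON + b"===" + HIDDEN_TEXT

if __name__ == "__main__":
    for label, icon in (("clean", CLEAN_ICON), ("tainted", TAINTED_ICON)):
        print(label, scan_icon(icon))
```

The newer variants the post mentions, which encrypt the payload and spread it across ordinary image bytes, leave no clean IEND boundary to check, so this parser catches only the marker-style hiding.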

Based on that research, other researchers found an additional 17 extensions associated with the same group, beyond the original Firefox set. These were downloaded more than 840,000 times in total, with some remaining active in the wild for up to five years.

GhostPoster first targeted Microsoft Edge users and later expanded to Chrome and Firefox as the attackers built out their infrastructure. The attackers published the extensions in each browser’s web store as seemingly useful tools with names like “Google Translate in Right Click,” “Ads Block Ultimate,” “Translate Selected Text with Google,” “Instagram Downloader,” and “Youtube Download.”

The extensions can see visited sites, search queries, and shopping behavior, allowing attackers to create detailed profiles of users’ habits and interests.

Combined with other malicious code, this visibility could be extended to credential theft, session hijacking, or attacks targeting online banking workflows, even if those are not the primary goal today.

How to stay safe

Although we always advise people to install extensions only from official web stores, this case proves once again that not all extensions available there are safe. That said, the risk involved in installing an extension from outside the web store is even greater.

Extensions listed in the web store undergo a review process before being approved. This process, which combines automated and manual checks, assesses the extension’s safety, policy compliance, and overall user experience. The goal is to protect users from scams, malware, and other malicious activity.

Mozilla and Microsoft have removed the identified add-ons from their stores, and Google has confirmed their removal from the Chrome Web Store. However, already installed extensions remain active in Chrome and Edge until users manually uninstall them. When Mozilla blocks an add-on it is also disabled, which prevents it from interacting with Firefox and accessing your browser and your data.

If you’re worried that you may have installed one of these extensions, Windows users can run a Malwarebytes Deep Scan with their browsers closed.

  • On the Malwarebytes Dashboard click on the three stacked dots to select the Advanced Scan option.
    Image: Advanced Scan option used to find sleeper extensions
  • On the Advanced Scan tab, select Deep Scan. Note that this scan uses more system resources than usual.
  • After the scan, remove any found items, and then reopen your browser(s).

Manual check:

These are the names of the 17 additional extensions that were discovered:

  • AdBlocker
  • Ads Block Ultimate
  • Amazon Price History
  • Color Enhancer
  • Convert Everything
  • Cool Cursor
  • Floating Player – PiP Mode
  • Full Page Screenshot
  • Google Translate in Right Click
  • Instagram Downloader
  • One Key Translate
  • Page Screenshot Clipper
  • RSS Feed
  • Save Image to Pinterest on Right Click
  • Translate Selected Text with Google
  • Translate Selected Text with Right Click
  • Youtube Download

Note: There may be extensions with the same names that are not malicious.


We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

“Sleeper” browser extensions woke up as spyware on 4 million devices

2 December 2025 at 12:49

Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed on roughly 4.3 million Chrome and Edge users’ devices suddenly went rogue. Now they can track what you browse and run malicious code inside your browser.

The researchers found five extensions that operated cleanly for years before being weaponized in mid-2024. The developers earned trust, built up millions of installs, and even collected “Featured” or “Verified” status in the Chrome and Edge stores. Then they pushed silent updates that turned these add-ons into spyware and malware.

The extensions turned into a remote code execution framework. They could download and run malicious JavaScript inside the browser and collect information about visited sites and the user’s browser, sending it all back to attackers believed to be based in China.

One of the most prevalent of these extensions is WeTab, with around three million installs on Edge. It acts as spyware by streaming visited URLs, search queries, and other data in real time. The researchers note that while Google has removed the extensions, the Edge store versions are still available.

Playing the long game is not something cybercriminals usually have the time or patience for.

The researchers attributed the campaign to the ShadyPanda group, which has been active since at least 2018 and launched their first campaign in 2023. That was a simpler case of affiliate fraud, inserting affiliate tracking codes into users’ shopping clicks.

What the group did learn from that campaign was that they could get away with deploying malicious updates to existing extensions. Google vets new extensions carefully, but updates don’t get the same attention.

It’s not the first time we’ve seen this behavior, but waiting for years is exceptional. When an extension has been available in the web store for a while, cybercriminals can insert malicious code through updates to the extension. Some researchers refer to the clean extensions as “sleeper agents” that sit quietly for years before switching to malicious behavior.

This new campaign is far more dangerous. Every infected browser runs a remote code execution framework. Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access.

How to find malicious extensions manually

The researchers at Koi shared a long list of Chrome and Edge extension IDs linked to this campaign. You can check if you have these extensions in your browser:

In Chrome

  1. Open Google Chrome.
  2. In the address bar at the top, type chrome://extensions/ and press Enter. This opens the Extensions page, which shows all extensions installed in your browser.
  3. At the top right of this page, turn on Developer mode.
  4. Now each extension card will show an extra line with its ID.
  5. Press Ctrl+F (or Cmd+F on Mac) to open the search box and paste the ID you’re checking (e.g. eagiakjmjnblliacokhcalebgnhellfi) into the search box.

If the page scrolls to an extension and highlights the ID, it’s installed. If it says No results found, it isn’t in that Chrome profile.

If you see that ID under an extension, it means that particular add‑on is installed for the current Chrome profile.

To remove it, click Remove on that extension’s card on the same page.

In Edge

Since Edge is a Chromium browser, the steps are the same; just go to edge://extensions/ instead.


Over 100 Chrome extensions break WhatsApp’s anti-spam rules

22 October 2025 at 11:49

Recent research by Socket’s Threat Research Team uncovered a massive, coordinated campaign flooding the Chrome Web Store with 131 spamware extensions. These add-ons hijack WhatsApp Web—the browser version of WhatsApp—to automate bulk messages and skirt anti-spam controls.

Spamware is software that automates the sending of unsolicited bulk messages—often for advertising, phishing, or even spreading malware—across email, messaging apps, or social media.

According to Socket, the extensions inject code directly into the WhatsApp Web site, running alongside its own scripts to automate bulk outreach and scheduling. This helps them bypass WhatsApp’s anti-spam controls.

The 131 extensions all share the same codebase, design patterns, and infrastructure. This is obviously a sign that something is off. If you’re proud of your product, why would you disguise it under dozens of aliases?

Some marketers use WhatsApp spamware to automate and scale up outbound campaigns, flooding users with unwanted promotional messages or links. The extensions promise to help them evade WhatsApp’s built-in limits, enabling large-volume outreach that would typically be blocked if attempted manually. These tools offer them a readily available spam infrastructure.

But having a spamware extension installed isn’t just a problem for others—it can also pose a direct risk to yourself:

  • Privacy and security: These extensions inject code into web sessions, potentially exposing your messages and login data to third parties.
  • Policy violations: Many of these extensions automate actions that can get your WhatsApp or Google account restricted or banned.

Many promotional sites for these extensions claim that Chrome Web Store inclusion means a rigorous audit and code review that guarantees privacy and safety. In reality, Chrome’s process is a policy compliance review, not a certification, and presenting it as an audit misleads buyers and creates a false sense of security.

That said, it’s still safer to download from the official Chrome Web Store than from random sites or direct file links. The store has reporting, review and takedown processes that most other sources lack.

The researchers reported the extensions to the Chrome security team and requested that the associated publisher accounts be suspended for policy-violating spamware.

Stay safe

  • Check extension permissions.
  • Avoid add-ons that “automate” messaging apps.
  • Stick to reputable developers.
  • If in doubt, remove suspicious extensions and scan your browser and device for threats.
