The discovery was made by researchers at Koi Security, a platform for security self-provisioned software, who alerted Google to the issue, and was reported first by Bleeping Computer.
The malicious extensions, which masquerade as useful tools such as color pickers, VPNs, volume boosters, and emoji keyboards, have received positive reviews and have been prominently featured on the store, making them appear legitimate to unsuspecting users.
However, many of these extensions, despite being initially safe, later received updates that introduced malicious code.
Some of the extensions have been removed from the Web Store, but many remain accessible. Users are advised to check for and uninstall the following extensions immediately:
Color Picker, Eyedropper — Geco colorpick
Emoji Keyboard Online — Copy&paste your emoji
Free Weather Forecast
Video Speed Controller — Video manager
Unlock Discord — VPN Proxy to Unblock Discord Anywhere
Dark Theme — Dark Reader for Chrome
Volume Max — Ultimate Sound Booster
Unblock TikTok — Seamless Access with One-Click Proxy
Unlock YouTube VPN
Unlock TikTok
Weather
One of the extensions, ‘Volume Max — Ultimate Sound Booster’, had previously been flagged by LayerX researchers for potential spying, although no malicious activity was confirmed at the time.
The core issue lies in the background service worker of each extension, which uses the Chrome Extensions API to track users. A listener is triggered when users visit new webpages, capturing the URL and sending it to a remote server with a unique tracking ID.
This server can then redirect users to unsafe sites, potentially leading to cyberattacks. However, Koi Security’s testing has not yet observed any active redirections.
The malicious code was not present in the initial versions of these extensions but was added later through updates.
Google’s auto-update system silently deployed these updated versions to users without their consent or interaction. This suggests that the extensions may have been compromised by external actors over time.
⚠️ Over 1.7 MILLION users impacted! Malicious Chrome extensions were found lurking on the Web Store. Is your browser safe? Check your extensions now! #ChromeSecurity #Cybersecurity https://t.co/JVyGkHrEuF
— X CyberSec (@xcybersecnews) July 9, 2025
Further investigation revealed that similar malicious extensions had been found in the official store for Microsoft Edge, which have garnered 600,000 downloads.
In total, the malicious extensions across both browsers have affected over 2.3 million users, marking one of the largest browser hijacking operations in recent memory.
Koi Security recommends that users remove the listed extensions immediately, clear their browsing data to remove tracking identifiers, scan their systems for malware, and monitor their accounts for any suspicious activity.