Weaponized Chrome Extension Affects 1.7 Million Users Despite Google’s Verified Badges
A sophisticated malware campaign has infected over 1.7 million Chrome users through eleven seemingly legitimate browser extensions, all of which carried Google’s verified badge and featured placement on the Chrome Web Store.
The “Malicious11” campaign, discovered by cybersecurity researchers at Koi Security, represents one of the largest browser hijacking operations ever documented, exploiting the very trust signals users rely on to identify safe extensions.
The Perfect Trojan Horse Operation
The malicious extensions masqueraded as popular productivity and entertainment tools across diverse categories, including emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers.
What made this campaign particularly devious was that each extension delivered exactly what it promised while simultaneously implementing sophisticated surveillance and hijacking capabilities.
The investigation began when researchers analyzed “Color Picker, Eyedropper — Geco colorpick,” an extension with over 100,000 installs and 800+ reviews.

Despite appearing completely legitimate and maintaining verified status, the extension was secretly hijacking users’ browsers, tracking every website visit, and maintaining a persistent command and control backdoor.
Perhaps most concerning is how the malware was deployed. These weren’t malicious extensions from day one – they operated legitimately for years before becoming malicious through version updates.
The codebase of each extension remained clean, sometimes for years, before the malicious code was introduced through automatic updates that installed silently for over 1.7 million users.
“Due to how Google handles browser extension updates, these versions are auto-installed silently,” the researchers noted. “No phishing. No social engineering. Just trusted extensions with a quiet version bump.”
Sophisticated Browser Hijacking
The malware implements a sophisticated browser hijacking mechanism that activates every time users navigate to a new page.
Hidden within each extension’s background service worker is code that monitors all tab activity, capturing URLs and sending them to remote servers along with unique tracking identifiers.
This creates a massive persistent man-in-the-middle capability that can be exploited at any moment.
For example, users clicking Zoom meeting invitations could be redirected to fake pages claiming they need to download “critical updates,” or banking sessions could be intercepted and redirected to pixel-perfect replicas hosted on attackers’ servers.
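The capabilities described above (a background service worker, visibility into every tab's URL, and the ability to redirect navigation) are all declared up front in an extension's manifest. The following is an added defender-side example, not code from the article or from Koi Security: it scores a manifest for that combination of permissions. The two manifests are constructed samples, not the real extensions' manifests.

```python
# Permissions that, combined with a background worker and broad host access,
# give an extension the reach described in the article. Weight and reason per entry.
RISKY_PERMISSIONS = {
    "tabs": (3, "can read the URL and title of every open tab"),
    "webNavigation": (3, "is notified of every page navigation"),
    "webRequest": (2, "can observe network requests"),
    "declarativeNetRequest": (2, "can redirect or block requests"),
    "scripting": (2, "can inject scripts into pages"),
    "cookies": (2, "can read session cookies"),
}

ALL_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def host_reach(hosts):
    """True if the host patterns cover every site rather than a few named ones."""
    return any(h in ALL_HOSTS for h in hosts)


def assess_manifest(manifest):
    """Score a manifest dict (MV2 or MV3); returns (score, list of findings)."""
    findings, score = [], 0
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        weight, reason = RISKY_PERMISSIONS[p]
        score += weight
        findings.append(f"permission '{p}': {reason}")
    # MV3 keeps match patterns in host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    if host_reach(hosts):
        score += 3
        findings.append("host permissions cover all websites")
    bg = manifest.get("background", {})
    if "service_worker" in bg or bg.get("scripts") or bg.get("persistent"):
        score += 1
        findings.append("has a background worker that runs without an open page")
    # The combination the article describes: background worker + tab visibility + all hosts.
    if score >= 7 and "tabs" in perms:
        findings.append("CAPABILITY: can track every visited URL and redirect navigation")
    return score, findings


# Constructed sample manifests for illustration only.
BENIGN_PICKER = {"manifest_version": 3, "name": "Colour Picker (benign sample)",
                 "permissions": ["activeTab"], "action": {"default_popup": "popup.html"}}
SUSPICIOUS_PICKER = {"manifest_version": 3, "name": "Colour Picker (suspicious sample)",
                     "permissions": ["activeTab", "tabs", "storage", "scripting"],
                     "host_permissions": ["<all_urls>"],
                     "background": {"service_worker": "bg.js"}}

if __name__ == "__main__":
    for m in (BENIGN_PICKER, SUSPICIOUS_PICKER):
        score, findings = assess_manifest(m)
        print(f"{m['name']}: risk score {score}")
        for f in findings:
            print("  -", f)
```

Because the campaign's extensions turned malicious through version bumps, the useful check is to diff the manifest of each new version against the previous one and alert when the score rises, rather than scoring a single install once.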
The Malicious11 campaign exposes systemic failures in marketplace security. Google’s verification process failed to detect sophisticated malware across eleven different extensions, instead promoting several through verification badges and featured placement.
The attackers successfully exploited every trust signal users rely on – verification badges, install counts, featured placement, years of legitimate operation, and positive reviews.
Users should immediately remove any affected extensions, clear browser data to remove stored tracking identifiers, run full system malware scans, and monitor accounts for suspicious activity.
The incident highlights the urgent need for improved marketplace security mechanisms as threat actors evolve beyond individual attacks to create a comprehensive infrastructure that can remain dormant for years before activation.
This campaign represents a watershed moment in browser extension security, demonstrating how the current marketplace security model is fundamentally broken.