Kaspersky Lab researchers uncovered a large malware distribution scheme tied to browser extensions in the official Chrome Web Store. In total, 34 dangerous extensions were identified, collectively downloaded about 87 million times. The findings came out of collaboration with an active network of security researchers and a wider analysis effort, as reported by iXBT (Kaspersky Lab).
The chain of discovery began when Vladimir Palant flagged the PDF Toolbox extension in the Chrome Web Store. This extension quietly loaded arbitrary code from a suspicious site into every page the user visited, raising red flags about potential impacts on search results and the insertion of unwanted advertisements. A follow‑up code review confirmed that the extension could alter how search results were displayed and inject ads into pages, a classic pattern seen in malicious browser tools (Kaspersky Lab).
Subsequent investigations revealed 33 additional extensions that shared a similar malicious core but offered different apparent functions, including file conversion, photo editing, and bookmark management. These extensions appeared in the Chrome Web Store during 2021 and 2022 and remained active for more than six months despite consistently negative user feedback. The longevity of these items underscores how useful-looking functionality can coexist with harmful behavior, leading users to install the extensions under seemingly legitimate pretenses (Kaspersky Lab).
Google removed all of the detected extensions after being notified, including Autoskip for YouTube, one of the most widely downloaded at over 9 million installations. However, users who had already installed the extensions were left to purge them manually from their browsers, a process that involves checking browser extensions, disabling suspicious ones, and confirming complete removal across all devices tied to the same account (Kaspersky Lab).
This episode serves as a cautionary example for users across North America, including Canada and the United States, where consumer cybersecurity remains a priority for both individuals and organizations. It highlights the ongoing risk posed by seemingly useful tools that carry hidden payloads and demonstrates the importance of vetting extensions before installation. For safer browsing, users should rely on official store listings, verify developer reputation, review recent feedback, and keep software and extensions up to date. In the event of suspicion, running an online security scan and removing suspect extensions can mitigate potential harm. Authorities and researchers continue to monitor the ecosystem, sharing findings to improve collective defense against evolving browser‑based threats (Kaspersky Lab).
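To support the manual check described above, the following added example (not from Kaspersky Lab or the original article) inventories the extensions installed in one Chrome profile and flags those named in the article or allowed to run on every site. It assumes Chrome's on-disk layout `Extensions/<id>/<version>/manifest.json` under the profile directory; the function names, the sample extension IDs and the sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension run on every page the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Only the two names given in the article; extend from the full published list.
FLAGGED_NAMES = {"pdf toolbox", "autoskip for youtube"}

def audit_profile(profile_dir):
    """Return one finding per installed extension version in a Chrome profile."""
    findings = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        hosts = set(manifest.get("host_permissions", []))  # Manifest V3
        # Manifest V2 lists host patterns alongside API permissions.
        hosts |= {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        for script in manifest.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        name = str(manifest.get("name", ""))
        findings.append({
            "id": manifest_path.parent.parent.name,
            "name": name,
            "version": manifest_path.parent.name,
            "runs_on_all_sites": bool(hosts & BROAD),
            "name_flagged": name.strip().lower() in FLAGGED_NAMES,
        })
    return findings

def build_sample_profile(root):
    """Constructed sample data: two fake extensions with made-up IDs."""
    samples = {
        "a" * 32: {"name": "PDF Toolbox", "manifest_version": 3,
                   "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "Notes", "manifest_version": 3,
                   "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / "Extensions" / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_profile(build_sample_profile(tmp)):
            print(finding)
```

Extensions that localize their name store a `__MSG_...__` placeholder in the manifest, so name matching will miss them; treat `runs_on_all_sites` as a prompt for manual review rather than a verdict, since many legitimate extensions also request it.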