
These extensions give attackers direct access to sensitive business and personal data, amplifying breach risk and undermining trust in web‑based workflows. Enterprises must treat browser add‑ons as a critical attack surface.
The Chrome Web Store’s open model has become fertile ground for threat actors, who embed covert data‑stealing modules behind seemingly benign functionality. Recent investigations reveal that malicious add‑ons now target high‑value assets such as Meta Business Suite, leveraging overly broad permissions to capture two‑factor authentication seeds, user CSV exports, and ad‑account details. This trend mirrors a broader shift toward browser‑centric espionage, where attackers exploit the trust users place in extensions to bypass traditional endpoint defenses.
Four distinct campaigns illustrate the breadth of the problem. The CL Suite extension quietly relayed Meta Business analytics to a remote server, while the VK Styles suite compromised half a million Russian‑speaking users by hijacking account tokens via hidden metadata resolvers. Simultaneously, the AiFrame network of 32 AI‑assistant extensions injected full‑screen iframes that harvested Gmail content and speech transcripts, funneling them to attacker‑controlled backends. A separate cohort of 287 extensions, collectively installed on 37 million devices, sold browsing histories to data brokers, effectively turning everyday browsing into a commodity.
Mitigating this threat requires a layered approach. Organizations should enforce strict allow‑listing of extensions, regularly audit permissions, and isolate sensitive workflows in dedicated browser profiles or hardened containers. Security teams must monitor network traffic for anomalous outbound connections to known malicious domains such as getauth.pro and tapnetic.pro. As browser ecosystems evolve, continuous threat intelligence and user education will be essential to curb the rise of extension‑borne espionage and protect both corporate data and personal privacy.
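The allow‑list and permission audit described above can be scripted against the on‑disk extension folder of a Chrome profile. The sketch below is an added example, not code from any vendor or from the investigations cited; the list of risky permissions, the function names, and the two sample extensions with made‑up IDs are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed review list of high-impact permissions; tune to local policy.
RISKY = {"cookies", "history", "tabs", "webRequest", "scripting", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return risky API permissions and broad host patterns in one manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return {"risky": sorted(perms & RISKY), "broad_hosts": sorted(hosts & BROAD_HOSTS)}

def audit_profile(extensions_dir: Path, allowlist: set) -> list:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; list findings."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "error": "unreadable manifest"})
            continue
        result = audit_manifest(manifest)
        if ext_id not in allowlist or result["risky"] or result["broad_hosts"]:
            findings.append({"id": ext_id, "allowed": ext_id in allowlist, **result})
    return findings

def build_sample_profile(root: Path) -> Path:
    """Constructed sample data: two fake extensions with made-up IDs."""
    samples = {
        "a" * 32: {"name": "Notes", "permissions": ["storage"]},
        "b" * 32: {"name": "Helper", "permissions": ["cookies"],
                   "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root / "Extensions"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_profile(build_sample_profile(Path(tmp)), {"a" * 32}):
            print(finding)
```

Point `audit_profile` at a real profile's `Extensions` directory and an organization‑approved ID set to get the same report; allow‑listed extensions still appear when they hold broad permissions, so the audit catches approved add‑ons whose access has grown.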