The browser extensions you trusted may be spying on you

Trusted browser extensions on Firefox, Chrome, and Edge are being turned into sleeper spyware. After years of normal behavior, malicious updates let attackers track activity and quietly set users up for deeper cyberattacks worldwide.

Harsh Sharma

As of October 2023, many of the most popular browser extensions, which numerous users rely on every day, have been found to be potentially open to exploitation by cybercriminals. Cybercriminals have also been found to be using Sony's "Sleeper Extensions," which stay dormant until the attacker activates them and then let these attackers gather information on how users browse the Internet.


The majority of these extensions offer user-friendly features like ad blocking, translating content, and downloading videos. However, analysis of several of them makes it clear that many of these features are being repurposed and redesigned so that attackers can collect data on how users browse the Web, build user profiles, and ultimately carry out their attacks.

Sleeper extensions explained

A sleeper extension is a sneaky browser add-on that looks perfectly legit for ages, sometimes years even, before suddenly going rogue after a quiet update, often to the point where users are completely fooled. It's a clever tactic that lets the bad guys escape detection from browser reviews, security scans, and user suspicion for an awfully long time. Researchers have found a link between ShadyPanda, GhostPoster, and Zoom Stealer, all of which are thought to be connected to a group of cybercrooks called DarkSpectre. And what's quite ominous is that these campaigns have gone way further than anyone would have expected, hitting all the major browsers: Chrome, Microsoft Edge, and now even Firefox.

Firefox is pulled in on the GhostPoster campaign

Back in December 2025, security experts pored over the code and found GhostPoster, a nasty little campaign that initially targeted Microsoft Edge users but soon bugged Chrome and Firefox too. And here's the worrying part: 17 malicious Firefox extensions, each with more than 50,000 downloads, were involved.


What made GhostPoster stand out from its peers is how it used steganography, a sneaky technique that hides malicious JavaScript code inside image files like extension logos. Early versions would just dump the code into PNG icons with a bit of a giveaway, but newer ones got even more tricky, scattering their payload across multiple image files and only decoding it when the code was in use, which made it that much harder to sniff out.

You see, this method makes detection a total nightmare even for experienced researchers. Further digging turned up 17 more extensions linked to the same shenanigans. That brings the total number of downloads to more than 840,000, and, horror of horrors, some of these add-ons went undetected for as long as five years before being exposed.

Familiar names, hidden dangers

A lot of malicious extensions were being sold under names that looked harmless or like they'd actually do you a favor. There was Ads Block Ultimate, Google Translate built right into your right-click menu, Instagram Downloader, YouTube Downloader, Full Page Screenshot, and RSS Feed. All of these extensions came through the official browser stores, so users thought they were safe to use.


What data can these extensions dig up on you?

When you install these extensions, they get to watch what websites you visit, what you search for online, and your shopping and browsing habits. This amounts to a pretty detailed picture of you and what you're up to. Researchers are saying that this level of access could eventually be used for stealing your login credentials, hijacking your online sessions, or launching attacks on your banking, even though that might not be what the extension is supposed to do right now.


Just removing them isn't the solution

Mozilla, Microsoft, and Google have yanked the extensions that were found to be malicious out of their stores. But if you already have them installed, then nothing's changed until you manually delete them. That's a pretty big gap. Users often assume that just because a dodgy extension has been removed from the store, it means they're in the clear, but that just isn't true.

A trend to be worried about across browsers

The Firefox revelations have also been accompanied by a separate case where a fake Chrome ad blocker was causing random crashes in browsers. What's more, the fake ad blocker was tricking users into installing a remote access trojan called ModeloRAT. Both of these cases, including the one with CrashFix, show the same pattern. These guys are using trusted extension systems to their advantage, cloning real tools, and preying on user frustration or laziness to get what they want.


Reducing Your Browser Extension Risk

Security experts advise being super careful when installing browser extensions. That means keeping an eye on what's already installed and jettisoning any that are no longer needed, being skeptical of add-ons that demand broad permissions without any obvious reason for doing so, and watching for extensions that suddenly start acting funny, requesting new permissions, or just plain acting weird. It is also wise to run a good security software program and do some deep scanning if something starts to smell fishy.

Official app stores are a safer bet than digging around in third-party download sites, but let's be clear: those official stores are not immune to problems.
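The "requesting new permissions" check above can be automated by comparing an extension's `manifest.json` before and after an update. This is an added example, not from the article; the two manifests are constructed, and the lists of broad host patterns and sensitive API permissions are a starting selection, not a complete policy.

```python
import json

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest", "webNavigation",
                  "scripting", "downloads", "clipboardRead", "management"}

def requested(manifest):
    """Collect every API permission and host pattern a manifest asks for (MV2 and MV3)."""
    apis, hosts = set(), set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for perm in manifest.get(key, []):
            if not isinstance(perm, str):
                continue
            # MV2 mixes host patterns into "permissions"; split them out.
            (hosts if "://" in perm or perm == "<all_urls>" else apis).add(perm)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))   # pages the extension injects code into
    return apis, hosts

def review_update(old_json, new_json):
    """Diff two manifest versions and surface what the update newly asks for."""
    old_apis, old_hosts = requested(json.loads(old_json))
    new_apis, new_hosts = requested(json.loads(new_json))
    return {
        "added_apis": sorted(new_apis - old_apis),
        "added_hosts": sorted(new_hosts - old_hosts),
        "sensitive_apis": sorted(new_apis & SENSITIVE_APIS),
        "broad_hosts": sorted(new_hosts & BROAD_HOSTS),
    }

# Constructed manifests for a hypothetical translator add-on, before and after an update.
OLD = json.dumps({"manifest_version": 2, "name": "Example Translator (constructed)",
                  "version": "1.4.0",
                  "permissions": ["contextMenus", "storage", "https://translate.example/*"]})
NEW = json.dumps({"manifest_version": 2, "name": "Example Translator (constructed)",
                  "version": "1.5.0",
                  "permissions": ["contextMenus", "storage", "tabs", "webRequest",
                                  "https://translate.example/*", "<all_urls>"],
                  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]})

if __name__ == "__main__":
    print(json.dumps(review_update(OLD, NEW), indent=2))
```

An empty diff is not a clean bill of health: an extension that held broad access from its first release can change behavior in an update without asking for anything new.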

Why This Matters

Browser extensions have access to all sorts of sensitive stuff in your online life, so if one gets compromised, the bad guys get a great view into all your daily online doings. And now, because of these 'sleeper extension' campaigns, we're seeing this is not just a Chrome thing, it's a whole browser-ecosystem problem.


The reality is this: even stuff you've always trusted can change in an instant, and now we can't just trust extensions blindly like we used to. It's a security problem that's going to take some getting used to.
