Massive browser hijacking campaign infects 2.3M Chrome, Edge users

HarborFront


These extensions weren't malware-laced from the start, researcher says


A Chrome and Edge extension with more than 100,000 downloads that displays Google's verified badge does what it purports to do: It delivers a color picker to users. Unfortunately, it also hijacks every browser session, tracks activities across websites, and backdoors victims' web browsers, according to Koi Security researchers.

Color pickers let users select any color from a website and copy it to the clipboard for later use - helpful for designing apps, websites, and the like. This particular extension from Geco is still available for download via both Microsoft's and Google's respective stores at press time. Neither company responded to The Register's inquiries, but we will update this story if that changes.

The Geco extension has more than 800 reviews on the Chrome Web Store, 4.2 stars (out of 5), and "featured" placement. Microsoft's Edge Add-ons shows similarly glowing write-ups from its 1,000-plus users, and it looks like a perfectly safe extension.

"This isn't some obvious scam extension thrown together in a weekend," said Koi Security analyst Idan Dardikman in a Tuesday blog. "This is a carefully crafted Trojan horse."


Affected Extension IDs

Chrome:

  • kgmeffmlnkfnjpgmdndccklfigfhajen — [Emoji keyboard online — copy&past your emoji.]
  • dpdibkjjgbaadnnjhkmmnenkmbnhpobj — [Free Weather Forecast]
  • gaiceihehajjahakcglkhmdbbdclbnlf — [Video Speed Controller — Video manager]
  • mlgbkfnjdmaoldgagamcnommbbnhfnhf — [Unlock Discord — VPN Proxy to Unblock Discord Anywhere]
  • eckokfcjbjbgjifpcbdmengnabecdakp — [Dark Theme — Dark Reader for Chrome]
  • mgbhdehiapbjamfgekfpebmhmnmcmemg — [Volume Max — Ultimate Sound Booster]
  • cbajickflblmpjodnjoldpiicfmecmif — [Unblock TikTok — Seamless Access with One-Click Proxy]
  • pdbfcnhlobhoahcamoefbfodpmklgmjm — [Unlock YouTube VPN]
  • eokjikchkppnkdipbiggnmlkahcdkikp — [Color Picker, Eyedropper — Geco colorpick]
  • ihbiedpeaicgipncdnnkikeehnjiddck — [Weather]
Edge:

  • jjdajogomggcjifnjgkpghcijgkbcjdi — [Unlock TikTok]
  • mmcnmppeeghenglmidpmjkaiamcacmgm — [Volume Booster — Increase your sound]
  • ojdkklpgpacpicaobnhankbalkkgaafp — [Web Sound Equalizer]
  • lodeighbngipjjedfelnboplhgediclp — [Header Value]
  • hkjagicdaogfgdifaklcgajmgefjllmd — [Flash Player — games emulator]
  • gflkbgebojohihfnnplhbdakoipdbpdm — [Youtube Unblocked]
  • kpilmncnoafddjpnbhepaiilgkdcieaf — [SearchGPT — ChatGPT for Search Engine]
  • caibdnkmpnjhjdfnomfhijhmebigcelo — [Unlock Discord]

"No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware," the blog warns. ®
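Because the compromised versions arrived as ordinary store updates, the practical defender check is simply whether any of the listed IDs are installed. The following added example (not from the article or from Koi Security) scans a Chromium-style profile directory, which Chrome and Edge both use, for the IDs quoted above and reports the installed version; the sample profile it builds for the offline run is constructed data, not a real install.

```python
import json, sys, tempfile
from pathlib import Path

# Extension IDs from the affected list quoted above (Chrome and Edge stores).
AFFECTED_IDS = frozenset({
    "kgmeffmlnkfnjpgmdndccklfigfhajen", "dpdibkjjgbaadnnjhkmmnenkmbnhpobj",
    "gaiceihehajjahakcglkhmdbbdclbnlf", "mlgbkfnjdmaoldgagamcnommbbnhfnhf",
    "eckokfcjbjbgjifpcbdmengnabecdakp", "mgbhdehiapbjamfgekfpebmhmnmcmemg",
    "cbajickflblmpjodnjoldpiicfmecmif", "pdbfcnhlobhoahcamoefbfodpmklgmjm",
    "eokjikchkppnkdipbiggnmlkahcdkikp", "ihbiedpeaicgipncdnnkikeehnjiddck",
    "jjdajogomggcjifnjgkpghcijgkbcjdi", "mmcnmppeeghenglmidpmjkaiamcacmgm",
    "ojdkklpgpacpicaobnhankbalkkgaafp", "lodeighbngipjjedfelnboplhgediclp",
    "hkjagicdaogfgdifaklcgajmgefjllmd", "gflkbgebojohihfnnplhbdakoipdbpdm",
    "kpilmncnoafddjpnbhepaiilgkdcieaf", "caibdnkmpnjhjdfnomfhijhmebigcelo",
})

def installed_extensions(profile_dir):
    """Yield (id, version, name) from Extensions/<id>/<version>_<n>/manifest.json (Chromium layout)."""
    for manifest in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or truncated manifest: skip it rather than abort the scan
        # The ID (directory name) is the stable identifier; "name" may be a
        # __MSG_key__ placeholder resolved from _locales, so treat it as informational.
        yield manifest.parts[-3], str(data.get("version", "?")), str(data.get("name", "?"))

def find_affected(profile_dir):
    """Return [(id, version, name)] for installed extensions whose ID is on the list."""
    return [ext for ext in installed_extensions(profile_dir) if ext[0] in AFFECTED_IDS]

def build_sample_profile(root=None):
    """Construct a fake profile (sample data, not a real install) to exercise the scan offline."""
    root = Path(root or tempfile.mkdtemp())
    for ext_id, ver, name in [
        ("eokjikchkppnkdipbiggnmlkahcdkikp", "1.0.0", "Color Picker, Eyedropper - Geco colorpick"),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.1.0", "Unrelated sample extension"),
    ]:
        d = root / "Extensions" / ext_id / f"{ver}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": ver}))
    return root

if __name__ == "__main__":
    # Real use: pass a profile path, e.g. ~/.config/google-chrome/Default or
    # %LOCALAPPDATA%\Microsoft\Edge\User Data\Default; default is the sample profile.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for ext_id, ver, name in find_affected(target):
        print(f"AFFECTED  {ext_id}  v{ver}  {name}")
```

Run it against each profile under the browser's user-data directory, not just Default; a hit means the extension should be removed and the browser's saved sessions and passwords treated as exposed.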
 
This attack method is well-known and sneaky. I saw some old MT posts about it. If I correctly recall, @cuelsister mentioned it in the past.
 
None of the mentioned extensions are currently available in the Edge Add-on Store or the Chrome Store.
Although the author of the article did not mention it, one Add-on was removed a few years ago:



The rest were removed from the Chrome Store between September 2024 and July 2025. I could not confirm the removal date in the Edge Add-on Store.

Post corrected.
 