Suspicious extensions with 4 million installs discovered in Chrome Web Store

nicolaasjan

Thread author
May 29, 2023
(Dutch article)

Translated:

Researchers have discovered dozens of suspicious browser extensions in the Chrome Web Store that have a combined installation count of four million. And that's striking because the extensions are "unlisted," meaning they can't be found through the Chrome Web Store or search engines. The only way to get to these extensions is to know their URL.

In total, there are 35 extensions that ask for various permissions that allow them to access web traffic on all visited URLs, access stored cookies, manage browser tabs and execute scripts. According to a researcher from Secure Annex, it is clear that the extensions collect browser information, including visited websites.

The extensions claim to offer security and search-related features. Given the permissions and design of the extensions, the researcher has reported them to Google, so that the tech company can remove them from the Chrome Web Store. In addition, users of the extensions are urged to remove them from their systems.
 
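As an added example (not from the article or from anyone in this thread), here is a small Python audit that reads the manifest.json of every installed Chrome or Edge extension and flags the permission combination the article describes: host access to all visited URLs, cookies, tab management, script execution and web-request access. The profile paths in the comments and the sample manifest are constructed assumptions, not data from the report.

```python
import json
from pathlib import Path

# Permission families the article says the 35 extensions requested.
RISKY_PERMISSIONS = {
    "cookies": "read/modify stored cookies",
    "tabs": "enumerate and manage browser tabs",
    "scripting": "inject scripts into pages",
    "webRequest": "observe web traffic",
    "webRequestBlocking": "intercept/modify web traffic",
}
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the broad permissions one extension manifest requests."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))          # MV3 style
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 puts hosts in "permissions"
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in sorted(perms) if p in RISKY_PERMISSIONS]
    if hosts & ALL_URL_PATTERNS:
        findings.append("host access to all visited URLs")
    # A content script matching every page sees everything the user loads, too.
    if any(set(cs.get("matches", [])) & ALL_URL_PATTERNS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected on all URLs")
    risk = "high" if len(findings) >= 3 else "review" if findings else "ok"
    return {"name": manifest.get("name", "?"), "findings": findings, "risk": risk}


def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each extension.
    Typical dirs (assumed, adjust for your profile):
      %LocalAppData%\\Google\\Chrome\\User Data\\Default\\Extensions
      %LocalAppData%\\Microsoft\\Edge\\User Data\\Default\\Extensions
    """
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        result = audit_manifest(manifest)
        result["id"] = manifest_path.parts[-3]  # the 32-char extension id directory
        results.append(result)
    return results


# Constructed sample mirroring the article's permission set; not a real extension.
SAMPLE_MANIFEST = {"name": "Safe Search Helper (sample)", "manifest_version": 3,
                   "permissions": ["cookies", "tabs", "scripting", "webRequest", "storage"],
                   "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run `audit_profile(Path(...))` against a real Extensions directory to get one record per installed extension; anything rated "high" deserves a look at who published it and why it needs that reach.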
Application name: firefox.exe
Application path: C:\Program Files\Mozilla Firefox
Component: Web Threat Protection
Result description: Detected
Type: Trojan
Name: HEUR:Trojan.Script.Generic
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: index.BDU7bgiq.js
Object path: https:// secureannex . com/assets
SHA256 of an object: B0565EF711B5D80B9E742D2300025A755BE6BF0751C15E10C43A3C6FAE1316C2
MD5 of an object: A01DC79BEB90C8F4D4B3E77EAF367A76
Reason: Expert analysis
Databases release date: Today, 11/04/2025 11:40:00

🤔
 
I use only one Edge extension, but I have recently added extensions cleanup, just in case something sneaks in.
Code:
del "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension Cookies" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityComp" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityComp-journal" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityEdge" /s /f /q
del "%LocalAppData%\Microsoft\Edge\User Data\Default\ExtensionActivityEdge-journal" /s /f /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension Rules" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension Scripts" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Extension State" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Local Extension Settings" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Managed Extension Settings" /s /q
rd "%LocalAppData%\Microsoft\Edge\User Data\Default\Sync Extension Settings" /s /q
 
Same. I was about to post this.
"Reason: Expert analysis" This part is what concerns me.
I can assure you that I didn't link to a malicious website on purpose.

Anyone here who can read this 512KB script? :unsure:

I see on VirusTotal that it was Kaspersky that marked it as HEUR:Trojan.Script.Generic
And Rising marked it as Stealer.Agent/JS!1.12736 (CLASSIC).
 
Weirdly, if I load the site, it does not even connect to the domain. This asset was not loaded on my device on the site :unsure:
"Reason: Expert analysis" This part is what concerns me.
This basically means that the heuristic signature that detected this file was created by a human malware analyst, not by an automated signature or ML-based detection. It doesn't necessarily mean that an analyst analyzed this exact file and created the detection, but some suspicious code in that file triggered the detection.
No detection from ESET on this file.
 
 
I can't reply to the above comment for whatever reason.
Anyway, a false positive was my guess also, as the script was not obfuscated and looked clean. Usually, such malicious JavaScript files are obfuscated. I also had ChatGPT, Gemini, Grok and DeepSeek analyze the script the other day, and they thought it didn't have any potentially malicious code (of course, AI tools can be wrong).