
LayerX has uncovered more than 40 malicious browser extensions involved in three coordinated phishing campaigns—many still live on the Chrome Web Store—posing a significant risk to individuals and organizations alike.
The research, which builds upon earlier findings from the DomainTools Intelligence (DTI) team, exposes the inner workings of these campaigns and the alarming ease with which attackers infiltrate user browsers to steal data, impersonate identities, and compromise corporate networks.
“LayerX has identified over 40 malicious browser extensions that are part of three distinct phishing campaigns,” the report reveals.
Unlike sophisticated exploits that target zero-day vulnerabilities, these campaigns rely on deceptive branding and trusted distribution platforms to lure users into voluntarily installing malicious tools. The extensions masquerade as:
- Fortinet VPN (FortiVPN)
- Calendly scheduling assistants
- Crypto utilities like DeBank and AML Sector
- AI productivity tools and YouTube helpers
“The extensions were carefully crafted to mimic well-known platforms… effectively bypassing user suspicion,” LayerX reported.
Once installed, each extension grants the threat actors persistent access to the user's sessions, allowing them to steal cookies and session tokens, inject malicious scripts, and even impersonate the user within enterprise environments.
LayerX researchers found that many of the extension landing pages were generated using AI tools, resulting in eerily uniform metadata and formatting across dozens of entries.
“The malicious extension pages exhibited a highly similar structure… pointing to the likelihood that they were auto-generated using AI tools,” the researchers noted.
Moreover, attackers registered lookalike domains (e.g., calendly-daily[.]com, aiwriter[.]expert, crypto-whale[.]top) and used matching emails like support@domain-name to appear legitimate.
Even after a malicious extension is removed from the Chrome Web Store, existing installations remain active in users' browsers indefinitely unless they are manually deleted.
“Removal from the store does not remove active installations from users’ browsers,” LayerX warned.
With corporate employees increasingly relying on browser-based tools, these extensions act as silent backdoors into cloud applications, sensitive documents, and session-protected data.
LayerX recommends several actionable defenses against this rising browser threat:
- Enforce Extension Hygiene:
  - Block extensions from unknown or unverified publishers.
  - Restrict recently published extensions with low reviews or suspicious permissions.
  - Monitor for extensions using spoofed brand names or suspicious domains.
- Block by Extension ID:
  - Use MDM or browser policy enforcement to block known malicious extension IDs (provided in LayerX's full report).
- Ongoing Browser Security Monitoring:
  - Implement tools that continuously assess extension behavior, risk, and policy compliance.
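To make the hygiene rules above concrete, here is an added example (not LayerX's tooling or the article's own code) that audits a Chrome profile's installed extensions for blocklisted IDs, lookalike brand names, and permissions that enable cookie or session theft. It assumes the layout of the `extensions.settings` map in Chrome's `Secure Preferences` file; the blocklisted ID is a placeholder, since the real IDs are only in LayerX's full report, and the sample inventory is constructed.

```python
"""Audit installed Chrome extensions against basic hygiene rules:
blocklisted IDs, brand-name lookalikes, and risky permissions.
Input mirrors the 'extensions.settings' map of Chrome's Secure
Preferences file (assumed layout; verify against your Chrome version)."""
import json

# Placeholder only: real IDs come from LayerX's full report, not this page.
BLOCKED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
# Brands the campaign impersonated, per the article.
SPOOFED_BRANDS = ("fortinet", "fortivpn", "calendly", "debank", "aml sector")
# Permissions that let an extension read sessions or rewrite page content.
RISKY_PERMS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "<all_urls>"}

def audit_extensions(settings: dict) -> dict:
    """Return {extension_id: [findings]} for every extension that trips a rule."""
    findings = {}
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "")
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if ext_id in BLOCKED_IDS:
            reasons.append("blocklisted id")
        if any(brand in name.lower() for brand in SPOOFED_BRANDS):
            reasons.append(f"name mimics a known brand: {name}")
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if reasons:
            findings[ext_id] = reasons
    return findings

def audit_profile(secure_prefs_path: str) -> dict:
    """Load a profile's 'Secure Preferences' JSON file and audit it."""
    with open(secure_prefs_path, encoding="utf-8") as f:
        prefs = json.load(f)
    return audit_extensions(prefs.get("extensions", {}).get("settings", {}))

# Constructed sample: one lookalike VPN extension and one benign one.
SAMPLE_SETTINGS = {
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": True, "manifest": {
        "name": "FortiVPN Secure Access", "version": "1.0",
        "permissions": ["cookies", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {"from_webstore": True, "manifest": {
        "name": "Tab Counter", "version": "2.3", "permissions": ["tabs"]}},
}

if __name__ == "__main__":
    for ext_id, reasons in audit_extensions(SAMPLE_SETTINGS).items():
        print(ext_id, "->", "; ".join(reasons))
```

Point `audit_profile()` at a real profile's `Secure Preferences` file to inventory a workstation; matches on "blocklisted id" are candidates for removal via browser policy, while brand-lookalike and permission hits warrant manual review.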