
A recent report by Experis Cyber has uncovered a disturbing cybersecurity threat: several popular Google Chrome extensions — downloaded by over 2.3 million users — have been exposed as spying tools.
The weekly report, shared with the firm’s clients, reveals that nearly a dozen widely used extensions—offering features like VPN services, volume control, emoji keyboards, and more—secretly tracked user activity and transmitted the data to external servers. In some cases, users were even redirected to suspicious websites.
The discovery was made by researchers at Koi Security, who identified malicious code embedded within the extensions and reported their findings to Google. While some of the extensions have since been removed from the Chrome Web Store, others remain available — some still carry Google's verification badge, boast hundreds of positive reviews, and appear prominently in search results.
Extensions flagged as malicious include:
Geco Color Picker
Emoji Keyboard Online
Free Weather Forecast
Volume Max
Unlock Discord VPN
Unlock TikTok
Dark Theme
Unlock YouTube VPN
One of the extensions, Volume Max, had previously raised suspicions but has now been definitively confirmed to contain spyware.
According to the report, the malicious code runs silently in the background, collecting every URL visited by the user and sending it—along with a unique user identifier—to remote servers. While no active redirections to malicious sites have been recorded so far, researchers warn that the potential for such actions is built into the code.
Even more concerning is the fact that many of these extensions were initially safe and widely trusted. Experts believe that hostile actors may have acquired or hijacked the extensions at a later stage, injecting malicious code without users' knowledge. Because Chrome extensions update automatically, users were unaware that the software they trusted had been compromised.
Experis Cyber also noted that similar threats have been found in the Microsoft Edge Add-ons store, with over 600,000 additional downloads of the same malicious extensions. This marks one of the most severe browser extension hijacking incidents to date.
Roman Malkov, SOC Manager at Experis Cyber, warned:
“This case shows how even extensions that appear legitimate—even verified by Google—can pose a serious risk to user privacy. The scale of this incident is particularly alarming.”
Malkov urges both individual users and organizations to regularly audit installed browser extensions, keep security systems up to date, and deploy specialized protections such as email safeguards.
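One concrete way to carry out the audit Malkov recommends is to inspect the manifests of the extensions actually installed in a profile. The following Python script is an added example, not code from the report, Experis Cyber or Koi Security: it walks a Chrome or Edge profile's Extensions directory, parses each manifest.json, and flags the combination of capabilities that the report describes (permissions that reveal every URL the user visits, broad host access to send it anywhere, and background code that can run silently). Extension names are matched against the list above; the page gives no extension IDs, so that match is by display name only and is weaker than an ID check. The default profile paths and the constructed sample manifests used in the demo are assumptions made here for illustration.

```python
"""Audit installed browser extensions for the capability set described in the
Experis Cyber report: read every visited URL and ship it to a remote server.
Added example (not the report's code). Run with no arguments for a demo on
constructed manifests, or pass your profile's Extensions directory.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Display names reported as malicious on the page (matched case-insensitively).
FLAGGED_NAMES = {
    "geco color picker", "emoji keyboard online", "free weather forecast",
    "volume max", "unlock discord vpn", "unlock tiktok", "dark theme",
    "unlock youtube vpn",
}
# Permissions that let an extension observe the URL of every page a user visits.
URL_OBSERVING_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "history"}
# Host patterns that grant access to (and outbound requests toward) any site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Default profile locations (assumed; adjust for other profiles or channels).
DEFAULT_EXTENSION_DIRS = {
    "chrome-linux": "~/.config/google-chrome/Default/Extensions",
    "chrome-mac": "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "chrome-win": r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions",
    "edge-linux": "~/.config/microsoft-edge/Default/Extensions",
}


def risk_signals(manifest: dict) -> dict:
    """Return structured signals for one parsed manifest.json."""
    name = str(manifest.get("name", "")).strip()
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    return {
        # Localized names appear as "__MSG_key__"; those never match and need manual review.
        "name_match": name.lower() in FLAGGED_NAMES,
        "observing": sorted(perms & URL_OBSERVING_PERMISSIONS),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
        "background": "background" in manifest,
    }


def needs_review(signals: dict) -> bool:
    """Flag a reported name, or the URL-visibility plus any-host combination the report describes."""
    return signals["name_match"] or bool(signals["observing"] and signals["broad_hosts"])


def audit_extensions_dir(root: Path) -> list[dict]:
    """Walk <Extensions>/<id>/<version>/manifest.json and report each installed extension."""
    results = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:
                results.append({"id": ext_dir.name, "error": str(exc)})
                continue
            signals = risk_signals(manifest)
            results.append({
                "id": ext_dir.name,
                "version": manifest_path.parent.name,
                "name": manifest.get("name", "?"),
                "signals": signals,
                "review": needs_review(signals),
            })
    return results


def demo() -> list[dict]:
    """Build a constructed profile with two extensions and audit it (sample data, not real IDs)."""
    samples = {
        "aaaaexampleidplaceholderaaaa": {
            "name": "Volume Max", "manifest_version": 3,
            "permissions": ["tabs", "webNavigation", "storage"],
            "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "bg.js"},
        },
        "bbbbexampleidplaceholderbbbb": {
            "name": "My Notes", "manifest_version": 3,
            "permissions": ["storage"],
            "host_permissions": ["https://notes.example/*"],
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            version_dir = Path(tmp) / ext_id / "1.0.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(Path(tmp))


if __name__ == "__main__":
    target = Path(os.path.expandvars(os.path.expanduser(sys.argv[1]))) if len(sys.argv) > 1 else None
    for entry in (audit_extensions_dir(target) if target else demo()):
        flag = "REVIEW" if entry.get("review") else "ok"
        print(f"{flag:6} {entry['id']} {entry.get('name', '')} {entry.get('signals', entry.get('error'))}")
```

The script deliberately reports on capability rather than on a fixed blocklist: a hijacked extension keeps its old name and ID, so after a silent auto-update the only reliable early indicator is that its manifest now asks for URL visibility plus broad host access it never needed for its stated feature. Run it periodically and diff the output; a benign emoji keyboard or colour picker that suddenly gains `tabs` and `<all_urls>` is exactly the change the report describes.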
“The combination of stealth tracking and distribution through trusted platforms is a red flag. Swift and proactive responses are essential—for everyone,” he concluded.