Socket researchers uncover how browser extensions in trusted stores are used to hijack sessions, redirect traffic, and manipulate user behavior.
Kush Pandya
June 13, 2025
Are you sure your browser extensions are safe?
Socket’s Threat Research Team conducted an in-depth investigation into how seemingly benign browser extensions, available in trusted stores like Mozilla’s Add-ons, are increasingly weaponized to hijack user sessions and manipulate content. Often overlooked, these extensions pose a serious risk to software supply chain integrity, user trust, and organizational security.
Our analysis revealed malicious browser extensions exploiting standard browser permissions to facilitate scams, redirect traffic, and artificially inflate engagement metrics. Here's a sample of what we found:
Shell Shockers io uses chrome.windows.create to launch deceptive Apple-style popups, redirecting users to tech support scam pages designed to extract financial or personal information.
Wikipedia engelsiz giris employs chrome.webRequest.onBeforeRequest to redirect Wikipedia traffic through a proxy domain. While intended to bypass censorship in Turkey, the proxy itself had documented security vulnerabilities, demonstrating how even well-intentioned redirects can expose users to risk.
Other extensions artificially inflate social media metrics by automatically scrolling pages and clicking "like" buttons at set intervals, skewing analytics and undermining platform authenticity.
Browser Extensions are Now a Mature Threat Vector
Browser extensions have become an integral part of our daily web experience. From ad blockers and password managers to productivity tools and shopping assistants, they provide users with convenience and powerful functionalities. But this convenience comes with a hidden cost: malicious actors are increasingly exploiting the trust we place in these small programs to compromise our security and privacy.
In June 2025, security researchers uncovered “Operation Phantom Enigma,” a malicious campaign where browser extensions infected 722 users across Latin America, targeting Brazilian banking customers and bypassing two-factor authentication to steal banking credentials. This demonstrates how trusted browser add-ons can be exploited for financial fraud.
Extensions are inherently popular but carry hidden risks. Once installed, they operate with significant privileges that make them attractive to attackers:
Data Exfiltration: Stealing cookies, browsing history, passwords, and authentication tokens.
Keylogging: Capturing every keystroke, including sensitive financial information.
Network Interception: Monitoring and modifying web traffic, including secure HTTPS communications.
Cryptocurrency Theft: Redirecting crypto transactions in real-time.
Browser Hijacking: Injecting ads or redirecting traffic to malicious sites.
Remote Access: Creating persistent backdoors for continuous exploitation.
Identity Theft: Harvesting personal details for fraudulent activities.
According to GitLab Security's February 2025 Threat Intelligence Report, malicious extensions impacted at least 3.2 million users. The true scale is likely higher, with many infections remaining undetected.
The rising wave of malicious browser extension attacks prompted Socket's Threat Research Team to dig deeper into this growing threat vector. We began with Mozilla extensions since their code is easier to access and examine for threats. This research is an initial exploration into browser extension security, with plans to expand our analysis and offer browser extension scanning capabilities in the near future. Here's what we uncovered:
A seemingly harmless gaming extension, Shell Shockers io, previously redirected users to betting websites and currently redirects users to tech support scam websites through hidden popups. These malicious pages impersonate Apple security warnings, displaying fake virus alerts and error codes (such as "Error: 0x800VDS" and "Error_code: 2v7HgTvB") to social-engineer users into calling fraudulent support numbers.
In the above code snippet, users are redirected to tech support scam pages that impersonate legitimate security warnings from Apple or other vendors. These scam sites display fake virus alerts and system errors to create panic, pressuring users to call fraudulent support numbers. This not only disrupts the browsing experience but can lead to financial fraud, identity theft, or malware installation if users engage with the scammers.
This extension actually does what it advertises—providing access to Wikipedia in Turkey, where it was blocked from 2017 to 2020. The extension redirects users to tr[.]0wikipedia[.]org, a proxy service designed to circumvent censorship. However, this highlights a critical security concern: even well-intentioned browser extensions that redirect traffic can expose users to risks. The proxy domain itself was found to have cross-site scripting vulnerabilities, potentially exposing users to attacks.
While this specific case serves a legitimate purpose, it demonstrates how browser hijacking techniques, even when used to circumvent censorship, can inadvertently compromise user security.
3. Metrics Manipulation
Some extensions manipulated user engagement metrics on platforms like Facebook by artificially inflating likes and views.
```javascript
// Excerpt from the extension's page script. viewUrls, viewSeconds, likeIndex
// and randomIntFromInterval are defined elsewhere in the extension's code.
var handle = setInterval(function() {
  // Only act on the pages the extension has been configured to target
  if (viewUrls.indexOf(window.location.href) >= 0) {
    // Scroll a random distance so the activity looks like a real user
    var scrollPixels = randomIntFromInterval(50, 500);
    window.scrollBy(0, scrollPixels);
    // Click the likeIndex-th "Like" button if one is present on the page
    if (document.querySelectorAll('[aria-label="Like"]')[likeIndex]) {
      document.querySelectorAll('[aria-label="Like"]')[likeIndex].click();
    }
  }
}, viewSeconds * 1000);
```
The above code generates fake interactions (likes, clicks, views), as well as skews analytics, harming businesses and user trust.
High-Impact Threat Activity: Malicious Chrome Extension Sold for $100,000
Threat actor rivemks is selling a fully featured malicious Chrome extension on the dark web forum for $100,000. The sale includes full source code and embedded functionality to bypass Google Chrome Web Store moderation.
According to the listing, this extension combines multiple attack vectors:
Information Theft: Exfiltrates browser cookies in JSON format every 15 minutes, captures all submitted form data including masked passwords, and gathers system fingerprinting data.
Cryptocurrency Theft: API-based crypto drainer via JavaScript injections, activated on all external link clicks.
Stealth Control: hVNC (hidden virtual network computing) functionality for covert remote interaction, real-time tab monitoring, and periodic screenshot capture.
Persistent Botnet Capability: Can deliver push notifications or CSS overlays with attacker-controlled content, sends event alerts to Telegram.
The threat actor claims over 100 extensions using this framework have successfully bypassed Chrome Web Store moderation, with over 30,000 bots already deployed.
This escalation, from simple redirects and popup hijacks to backdoors that turn the browser into a comprehensive attack platform, is significant.
Protecting against malicious browser extensions requires vigilance. Before installing any extension, carefully review the permissions it requests and be especially skeptical of those wanting access to "all websites" when their functionality does not require it.
Verify the developer by checking their name, other published extensions, and recent reviews; unknown developers with single extensions should raise red flags. While official stores provide some vetting, always check recent reviews for mentions of suspicious behavior, even for previously trusted extensions that may have been sold or compromised.
Keep your extension footprint minimal by only installing what you actively use and conducting regular audits to remove anything unfamiliar or unused. Watch for warning signs like unexpected popups, browser slowdowns, or redirects after installation, as these often indicate compromise.
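One way to put the permission review above into practice is a small triage script run over an unpacked extension. This is an added example, not Socket's scanner or any extension's own code; the permission list, the source patterns (the windows.create, webRequest.onBeforeRequest and setInterval-plus-click behaviours described in this post) and the sample manifest and script are constructed for illustration.

```python
"""Triage an unpacked browser extension for the risky capabilities described above."""
import json
import re
from pathlib import Path

# Host patterns that grant access to every site (the "all websites" red flag)
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions worth a second look and why (heuristic list, constructed here)
RISKY_PERMISSIONS = {
    "webRequest": "can observe every request",
    "webRequestBlocking": "can redirect or modify requests",
    "declarativeNetRequest": "can rewrite or redirect requests by rule",
    "tabs": "can read and open tabs",
    "cookies": "can read session cookies",
    "scripting": "can inject scripts into pages",
    "history": "can read browsing history",
}
# Source patterns matching the behaviours discussed in this post
SOURCE_PATTERNS = {
    "popup-redirect": re.compile(r"chrome\.windows\.create"),
    "request-redirect": re.compile(r"webRequest\.onBeforeRequest"),
    "auto-click-loop": re.compile(r"setInterval[\s\S]{0,400}?\.click\(\)"),
}

def audit_manifest(manifest):
    """Return human-readable findings for MV2/MV3 permission fields."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):  # content script match patterns
        perms |= set(cs.get("matches", []))
    findings = []
    for p in sorted(perms):
        if p in BROAD_HOSTS:
            findings.append(f"broad host access: {p}")
        elif p in RISKY_PERMISSIONS:
            findings.append(f"{p}: {RISKY_PERMISSIONS[p]}")
    return findings

def audit_source(js):
    """Return the names of source patterns found in one script."""
    return [name for name, pat in SOURCE_PATTERNS.items() if pat.search(js)]

def audit_extension(manifest, scripts):
    """Findings keyed by 'manifest' or script path; scripts is {path: source}."""
    report = {"manifest": audit_manifest(manifest)}
    for path, js in scripts.items():
        hits = audit_source(js)
        if hits:
            report[path] = hits
    return report

def audit_unpacked(ext_dir):
    """Audit a directory containing manifest.json and the extension's *.js files."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    scripts = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
               for p in root.rglob("*.js")}
    return audit_extension(manifest, scripts)

# Constructed sample, not a real extension: broad hosts plus a like-clicking loop
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "demo", "permissions": ["webRequest", "tabs"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_SCRIPT = ("setInterval(function(){ document.querySelector('[aria-label=\"Like\"]').click(); }, 5000);\n"
                 "chrome.windows.create({url: 'https://example.invalid/alert'});")
```

Findings are prompts for manual review, not verdicts: a password manager legitimately needs broad host access, while a single-game extension with webRequest and all-URL access does not.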
Malicious browser extensions represent a growing and sophisticated threat vector. What started as simple adware has evolved into advanced malware capable of stealing credentials, draining cryptocurrency wallets, and establishing persistent backdoors.
The examples we uncovered, from Wikipedia redirects to the $100,000 "rivemks" malware framework, demonstrate the range of threats lurking in browser extension stores. Regular scanning combined with user education is crucial for staying protected.
Indicators of Compromise (IOCs)
Malicious domains identified: funformathgame[.]com
Malicious authors: mre1903
Extensions: Shell Shockers io