
Two Browser Add-Ons Had Access to Your Logins — And No One Noticed

Security researchers discovered that two Chrome extensions secretly harvested credentials from more than 170 websites.

Security researchers have uncovered two malicious Chrome browser extensions that quietly stole login credentials from users of more than 170 popular websites. The extensions appeared legitimate and offered common functionality, which allowed them to remain installed on thousands of systems without raising suspicion.

The malicious extensions requested broad permissions during installation, including access to website content and browsing activity. Once installed, they monitored user interactions on login pages and captured usernames and passwords as users typed them. As a result, credentials for email accounts, social media platforms, developer tools, and business services were exposed.

Researchers found that the stolen data was transmitted to attacker-controlled servers in near real time. The extensions blended their network traffic with normal browser activity, which made detection difficult. Consequently, traditional endpoint security tools often failed to flag the behavior as malicious.

The attack highlights a recurring problem in browser security. Many users trust extensions from official marketplaces without closely reviewing permissions or developer reputation. Attackers exploit this trust by publishing extensions that appear helpful while hiding malicious logic inside obfuscated code.

Once attackers collect credentials, they can launch follow-on attacks such as account takeovers, identity theft, and business email compromise. For enterprise users, compromised browser credentials may also provide access to internal dashboards, cloud consoles, and collaboration platforms.

Browser extension ecosystems remain attractive targets because extensions operate inside trusted user sessions. Unlike phishing emails, malicious extensions do not rely on repeated user interaction after installation. Therefore, attackers gain persistent access with minimal effort.

Security experts recommend reviewing installed browser extensions regularly and removing any that are unnecessary or unfamiliar. Users should pay close attention to permission requests and avoid extensions that require access to all websites without a clear reason. Organizations should also enforce extension controls through browser management policies.
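
The permission review recommended above can be scripted. The following is an added example, not code from the researchers or from the original article: it reads extension manifests and flags those that request access to all websites. The sets of match patterns and API permissions it treats as worth review are this example's assumption, and the directory passed to `audit_extensions_dir` is assumed to be a Chrome profile's `Extensions` folder.

```python
import json
from pathlib import Path

# Chrome match patterns that cover every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity, traffic or session data.
SENSITIVE_APIS = {"webRequest", "tabs", "history", "cookies", "scripting"}


def audit_manifest(manifest: dict) -> dict:
    """Report all-site host access and sensitive APIs requested by one manifest."""
    # Keep string entries only; some manifests carry object-valued permissions.
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
    hosts = [h for h in manifest.get("host_permissions", []) if isinstance(h, str)]
    # Content scripts are injected into matching pages, so their patterns count too.
    for script in manifest.get("content_scripts", []):
        hosts += [m for m in script.get("matches", []) if isinstance(m, str)]
    broad = sorted(set(perms + hosts) & BROAD_PATTERNS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": broad,
        "sensitive_apis": sorted(set(perms) & SENSITIVE_APIS),
        "review": bool(broad),
    }


def audit_extensions_dir(extensions_dir: str) -> list:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            result = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip rather than abort
        result["extension_id"] = path.parent.parent.name
        if result["review"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample manifest, not taken from the extensions in this article.
    sample = {"name": "Sample Helper", "manifest_version": 3,
              "permissions": ["storage", "tabs"],
              "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}
    print(audit_manifest(sample))
```

A flagged extension is not necessarily malicious; the output is a shortlist of extensions whose all-site access needs a clear justification.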

Overall, the discovery reinforces an important lesson. Browser extensions can pose the same risk as malware when abused. Strong extension hygiene and user awareness remain essential to protecting credentials in modern web environments.