130k users hit by fake extensions

- At least 12 malicious browser extensions disguised as TikTok downloaders compromised about 130,000 Chrome and Edge users.
- Researchers reported roughly 12,500 active infections remained when the campaign was disclosed.
- The incident highlights marketplace vetting, post-install telemetry and fast-remediation workflows as key defenses (gbhackers.com).

A cluster of fake TikTok downloaders on Chrome and Edge quietly stole data from about 130,000 users before researchers exposed it this week. (layerxsecurity.com) LayerX said it found at least 12 related extensions published through the Chrome Web Store and Microsoft Edge Add-ons store, with about 12,500 installations still active when the company disclosed the campaign on April 20, 2026. (layerxsecurity.com)

Browser extensions are small add-ons that can read pages, inject code, and automate tasks inside a browser. Chrome’s developer documentation says host permissions can let an extension read tab data, inject scripts, monitor requests, and access cookies on matching sites. (developer.chrome.com)

LayerX said these downloader tools worked as advertised at first, then used the same shared codebase to track browsing activity and collect data. The company said the extensions typically behaved normally for six to 12 months before malicious features appeared. (layerxsecurity.com)

That delay helps explain how browser marketplaces can miss abusive add-ons during initial review. Chrome’s documentation says extensions requesting access to all sites can face longer review, but the permission still allows broad reach once approved. (developer.chrome.com)

The campaign also shows why store approval is not the same as ongoing safety. Google said earlier Chrome protections use Safe Browsing to disable malicious extensions, while Microsoft says organizations can centrally allow or block extensions and permissions through Edge policies. (blog.google) (learn.microsoft.com)

For companies, the practical problem is that an employee can install a harmless-looking downloader and give it access to work tabs, internal tools, and session data. Microsoft’s Edge management guide says administrators can set global policies to allow or block extensions based on requested rights and permissions. (learn.microsoft.com)

LayerX described the operation as a long-running campaign by the same threat actors, built from cloned or lightly modified versions of the same extension. The report did not identify the operators by name. (layerxsecurity.com)

The immediate cleanup step is simple but incomplete: remove the extension. The harder part is what comes after, because a tool that had access to tabs, requests, or cookies may have already collected data long before users saw any warning. (developer.chrome.com)
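An added example, not LayerX's or any store's own tooling: a Python audit of an extension's manifest.json that flags the broad host access and sensitive APIs described above, so an administrator can inventory installed extensions before deciding what to allow or block. The sample manifest is constructed, and the lists of broad host patterns and sensitive APIs are assumptions about what a reviewer would treat as risky.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that, combined with broad host access, let an extension read tab data,
# watch requests and lift cookies (assumed list of what a reviewer flags).
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                  "scripting", "webNavigation", "history"}

# Constructed sample manifest for a hypothetical "downloader" extension (MV3).
SAMPLE_MANIFEST = json.dumps({
    "name": "Video Downloader (constructed sample)",
    "version": "1.4.2",
    "manifest_version": 3,
    "permissions": ["storage", "cookies", "webRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*.example.com/*"], "js": ["cs.js"]}],
})


def collect_host_patterns(m):
    """Gather every host pattern the manifest claims, across MV2 and MV3."""
    hosts = set(m.get("host_permissions", []))          # MV3 location
    if m.get("manifest_version", 2) < 3:                 # MV2 mixes hosts into permissions
        hosts |= {p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in m.get("content_scripts", []):              # injected scripts count too
        hosts |= set(cs.get("matches", []))
    return hosts


def audit_manifest(manifest_text):
    """Return a risk rating and findings for one manifest.json string."""
    m = json.loads(manifest_text)
    broad = {h for h in collect_host_patterns(m) if h in BROAD_HOST_PATTERNS}
    apis = set(m.get("permissions", [])) & SENSITIVE_APIS
    findings = []
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    if apis:
        findings.append("sensitive APIs: " + ", ".join(sorted(apis)))
    # Broad reach plus a sensitive API is the combination worth an analyst's time.
    risk = "high" if broad and apis else ("medium" if broad or apis else "low")
    return {"name": m.get("name", "?"), "version": m.get("version", "?"),
            "risk": risk, "findings": findings}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['name']} {report['version']}: {report['risk']}")
    for finding in report["findings"]:
        print("  -", finding)
```

A manifest audit shows only declared reach, not behaviour: an extension that stays benign for months and then turns malicious, as in this campaign, keeps the same permissions, so the audit is a triage input alongside the telemetry and store policies the article mentions.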
