The browser is the most trusted application on most people's computers. It also runs an arbitrary collection of third-party JavaScript installed via extensions, most of which the user accepted with one click and forgot. In 2026, malicious extensions remain one of the highest-yield, lowest-effort attack vectors against individuals, and there is a fair chance at least one is sitting in your toolbar right now.
How a malicious extension actually monetises
The bad ones don’t usually start bad. The most common pattern in 2026 is the same one we’ve seen for five years: a small, useful extension (a screenshot tool, a colour picker, a tab manager) gets organic users, accumulates positive reviews, and then either sells to a sketchy buyer or quietly accepts a sponsorship deal that lets a third party push code through the auto-update channel. The new code adds tracking, injects affiliate parameters into your shopping links, harvests cookies, or steals session tokens for high-value sites.
From the user’s perspective nothing changes. The extension still does what it advertised. The malicious behaviour is invisible.
What “all your data on all websites” actually means
The Chrome and Firefox stores show you a permission summary at install time. The single permission to watch is "read and change all your data on all websites" (Firefox words it "access your data for all websites"). That is not boilerplate. It is the keys to the kingdom: the extension can run its own script in every page you visit, read whatever is on the page and modify any form input, and, combined with the cookies or webRequest permissions, read your cookies for any domain and watch every request the browser makes.
An extension with that permission and a malicious update can read your bank balance, copy your auth tokens, and post arbitrary content to your social accounts in the time it takes you to refresh a tab. There are perfectly legitimate reasons an extension needs this permission (password managers, ad blockers, accessibility tools). There is no legitimate reason a “PDF converter” or “tab counter” needs it.
Five signs an extension is or will become hostile
1. Recent ownership change. Chrome doesn't surface this clearly, but if the developer name in the store has changed, treat the extension as a brand-new install. A sale is exactly the event that hands a stranger the auto-update channel, and malicious updates tend to follow soon after.
2. Permissions that don’t match the function. If a calendar widget wants access to all websites, that’s a finding. Read the permission list before installing, every time.
3. Aggressive growth in a short window. Extensions that explode from 5,000 to 500,000 users in a quarter are sometimes legitimately viral and sometimes purchased growth funnels. Hesitation is appropriate.
4. Privacy policy links to a domain registered last week. A free whois or RDAP lookup takes ten seconds. A "privacy policy" hosted on a recently registered domain is a red flag.
5. Recent reviews complaining about strange behaviour. Users notice when an extension starts injecting ads or redirecting searches. Sort reviews by newest, not most relevant.
The 5-minute audit to run today
Open chrome://extensions (or about:addons in Firefox); the list is alphabetical. For each extension, ask three questions: do I still use this, does it have the permission scope I expect, and was it published by who I thought published it? Remove anything that fails any of those. Most people find a few they had forgotten installing on the first pass.
For the survivors, restrict site access where possible. In Chrome, right-click the extension's toolbar icon, open "This can read and change site data" and pick "When you click the extension" or the current site instead of "On all sites" (the same control is under Details > Site access on chrome://extensions). In Firefox, open the extension's Permissions tab in about:addons and turn off host access you don't need, where the extension exposes it. It limits the blast radius if the extension turns hostile later.
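The store's permission summary is a rendering of the extension's manifest.json, so the second audit question above ("does it have the permission scope I expect") can be answered directly from disk, and for every installed extension at once. The script below is an added example, not part of the original article or of any extension tool. It reads the `permissions`, `host_permissions` and `content_scripts[].matches` fields of Manifest V2 and V3 manifests, flags host patterns that amount to "all your data on all websites", flags API permissions that widen what that access can do, and assigns a rough severity. The two sample manifests are constructed for the demo, not real extensions, and the default Chrome profile path is an assumption about a typical Linux install.

```python
"""Flag browser extensions whose manifest grants broad host access or
high-risk API permissions. Handles Manifest V2 and V3 (added example)."""
import json
import sys
from pathlib import Path

# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that widen what broad host access can do, with why they matter.
RISKY_PERMISSIONS = {
    "debugger": "can attach the DevTools protocol to any tab",
    "nativeMessaging": "can talk to a native program outside the browser sandbox",
    "webRequest": "can observe every request (and its headers) the browser makes",
    "webRequestBlocking": "can modify or block requests in flight (MV2)",
    "declarativeNetRequestWithHostAccess": "can rewrite requests on permitted hosts (MV3)",
    "cookies": "can read cookies, including HttpOnly ones, for permitted hosts",
    "scripting": "can inject script into permitted hosts at runtime (MV3)",
    "tabs": "can read the URL and title of every open tab",
    "history": "can read browsing history",
    "clipboardRead": "can read the clipboard",
}
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}

def is_broad(pattern: str) -> bool:
    """True if a match pattern covers every site (any scheme, bare-wildcard host)."""
    pattern = pattern.strip()
    if pattern in BROAD_HOST_PATTERNS:
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False            # an API permission such as "storage", not a host pattern
    host = rest.split("/", 1)[0]
    return host == "*"          # "https://*/*" is broad; "*://*.example.com/*" is not

def audit_manifest(manifest: dict) -> dict:
    """Return the broad host patterns and risky API permissions a manifest requests."""
    mv = manifest.get("manifest_version", 2)
    perms = list(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))   # MV3 keeps hosts separate
    if mv == 2:
        # MV2 mixes host patterns into "permissions"; split them out.
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
        perms = [p for p in perms if p not in hosts]
    # Content scripts run wherever they match, independent of host_permissions.
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    broad = sorted({h for h in hosts if is_broad(h)})
    risky = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    if "debugger" in risky or "nativeMessaging" in risky or (broad and risky):
        level = "high"
    elif broad or risky:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "manifest_version": mv,
            "broad_hosts": broad, "risky_permissions": risky, "level": level}

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve __MSG_key__ names from the extension's default-locale messages.json."""
    name = manifest.get("name", "?")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.exists():
            data = json.loads(msgs.read_text(encoding="utf-8-sig"))
            name = data.get(key, {}).get("message", name)
    return name

def audit_extensions_dir(root: str) -> list:
    """Audit every <id>/<version>/manifest.json under a Chrome/Chromium Extensions dir."""
    results = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        report = audit_manifest(manifest)
        report["id"] = manifest_path.parents[1].name
        report["name"] = resolve_name(manifest_path.parent, manifest)
        results.append(report)
    return sorted(results, key=lambda r: LEVEL_RANK[r["level"]], reverse=True)

# Constructed sample manifests for an offline demo (not real extensions).
TAB_COUNTER_MV3 = {"manifest_version": 3, "name": "Tab Counter", "permissions": ["tabs"]}
PDF_TOOL_MV2 = {
    "manifest_version": 2, "name": "PDF Converter",
    "permissions": ["storage", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    reports = [audit_manifest(m) for m in (TAB_COUNTER_MV3, PDF_TOOL_MV2)]
    if len(sys.argv) > 1:           # e.g. ~/.config/google-chrome/Default/Extensions
        reports = audit_extensions_dir(sys.argv[1])
    for r in reports:
        print(f"[{r['level'].upper():6}] {r['name']} (MV{r['manifest_version']})")
        for h in r["broad_hosts"]:
            print(f"    host: {h}")
        for p, why in r["risky_permissions"].items():
            print(f"    perm: {p}: {why}")
```

Run it with no arguments to see the two constructed samples scored, or point it at a profile's Extensions directory (on Linux, Chrome keeps it under ~/.config/google-chrome/Default/Extensions; Firefox packs extensions as .xpi zip files in the profile's extensions folder, so the manifest has to be unzipped first). A "high" result is not proof of malice, since a password manager legitimately earns it, but it is the list of extensions whose next auto-update you are trusting with everything.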
Tools that help
CRXcavator (now folded into a few open-source successors) and ExtensionTotal score extensions on permissions, code quality, and reputation signals. Run any extension you're considering through one of them before installing. The output isn't a guarantee, and a clean score is a point-in-time result that says nothing about the update that lands tomorrow, but it catches the obvious cases.
None of this requires expertise. It requires the willingness to spend five minutes per quarter on the part of your computer that has the most direct access to your life.
