Malicious Chrome and Edge extensions infect an estimated 4.3 million users with backdoors and spyware
Security researchers report that a long-running campaign built on malicious browser extensions has affected roughly 4.3 million users, deploying backdoors and spyware to harvest credentials and exfiltrate data. Although the stores have removed many of the offending add-ons, researchers warn that the attacker infrastructure is still live and that installed copies persist on many machines.
A widespread operation distributing malicious Chrome and Edge extensions has reportedly infected an estimated 4.3 million users, according to cybersecurity reporting. The extensions masqueraded as benign utilities, wallets or productivity tools while delivering backdoors, keyloggers and spyware capable of exfiltrating saved passwords, cookies and form data.

Researchers found command-and-control infrastructure that pushed updates and additional payloads to the installed extensions, letting the operators expand their access and maintain persistence on compromised hosts. Major extension storefronts removed numerous flagged add-ons, but incident responders warn that many users still have the malicious code installed and that the attacker backends remain operational, continuing to harvest data from those installations. A store takedown also does nothing about credentials and session cookies that were already exfiltrated.

Recommended mitigations include auditing installed extensions, removing untrusted add-ons, rotating any credentials that may have been exposed (and invalidating active sessions, since a stolen session cookie survives a password change), and running endpoint scanning and remediation. Organizations are urged to enforce extension allowlists through managed browser policy, deploy browser telemetry monitoring and educate users about the risks of installing unvetted plugins.

The incident highlights supply-chain and distribution risks in browser ecosystems, where seemingly small add-ons can become large-scale espionage and fraud platforms.
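The audit and allowlist steps above can be scripted. The following is an added example written for this article, not code from the researchers or any vendor: it walks a Chromium-style profile layout (`Extensions/<id>/<version>/manifest.json`, which Chrome and Edge both use), flags extensions that combine a sensitive API permission with a broad host pattern (the profile of a cookie and credential stealer), and emits the managed-policy fragment that blocks every extension except an allowlist. The risk-permission set, the sample manifests and the extension IDs are constructed for the demonstration; the policy keys `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are the real Chrome/Edge policy names.

```python
# Added example (not from the article): audit an Extensions directory for
# high-risk permissions and build a block-all/allowlist browser policy.
import json
import tempfile
from pathlib import Path

# Permissions that reach cookies, every request, the host OS or the debugger.
# This set is an assumption of the example, not a vendor-published list.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "nativeMessaging", "debugger", "clipboardRead", "history", "proxy",
    "management", "scripting",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host match pattern a manifest claims (MV2 and MV3)."""
    patterns = set(manifest.get("host_permissions", []))
    # MV2 mixes host patterns into "permissions" alongside API names.
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return the risky API permissions and broad host patterns of one manifest."""
    risky = sorted(HIGH_RISK_PERMISSIONS & set(manifest.get("permissions", [])))
    broad = sorted(BROAD_HOST_PATTERNS & host_patterns(manifest))
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        # A sensitive API plus every site is the stealer profile; flag it.
        "flag": bool(risky) and bool(broad),
    }


def audit_extensions_dir(extensions_root, allowlist=()):
    """Audit <profile>/Extensions/<id>/<version>/manifest.json for each extension."""
    allowed = set(allowlist)
    findings = []
    for id_dir in sorted(Path(extensions_root).iterdir()):
        if not id_dir.is_dir():
            continue
        for manifest_path in sorted(id_dir.glob("*/manifest.json")):
            with open(manifest_path, encoding="utf-8") as f:
                result = audit_manifest(json.load(f))
            result["id"] = id_dir.name
            result["version"] = manifest_path.parent.name
            result["allowlisted"] = id_dir.name in allowed
            findings.append(result)
    return findings


def build_allowlist_policy(allowed_ids):
    """Managed policy fragment: block every extension, then re-allow the list.

    On Linux Chrome reads this from /etc/opt/chrome/policies/managed/*.json;
    on Windows the same keys live under the Chrome/Edge policy registry tree.
    """
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowed_ids),
    }


# Constructed sample profile: two extensions, IDs invented for the example.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
STEALER_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SAMPLE_MANIFESTS = {
    (BENIGN_ID, "1.2.0"): {
        "name": "Quick Notes", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": [],
    },
    (STEALER_ID, "0.9.1"): {
        "name": "Wallet Helper", "manifest_version": 2,
        "permissions": ["cookies", "webRequest", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    },
}


def build_sample_profile():
    """Write the constructed manifests into a temp Extensions directory."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for (ext_id, version), manifest in SAMPLE_MANIFESTS.items():
        ext_dir = root / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    findings = audit_extensions_dir(build_sample_profile(), allowlist=[BENIGN_ID])
    for f in findings:
        print(f["id"], f["name"], "FLAG" if f["flag"] else "ok",
              f["risky_permissions"], f["broad_hosts"])
    print(json.dumps(build_allowlist_policy([BENIGN_ID]), indent=2))
```

Point `audit_extensions_dir` at a real profile's `Extensions` folder to triage a host; anything flagged and not on the allowlist is a candidate for removal and credential rotation. The policy fragment is the "default deny" posture the article recommends: once `ExtensionInstallBlocklist` is `*`, users can only install IDs that appear in `ExtensionInstallAllowlist`.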