How many Chrome extensions were found spying on users in 2025?

A researcher found 287 Chrome extensions with 37M+ combined installs exfiltrating browsing history to data brokers. A separate campaign compromised 36+ extensions via developer account phishing in December 2024.

How do malicious actors take over legitimate browser extensions?

They purchase popular extensions from original developers, then inject data-harvesting code into automatic updates. The 'ShadyPanda' campaign used this method for 7 years, affecting 4.3M users via 18 compromised extensions.

Can a browser extension steal cryptocurrency?

Yes. In December 2025, Trust Wallet's Chrome extension version 2.68 was compromised via a leaked Chrome Web Store API key, exfiltrating seed phrases and enabling approximately $7M in crypto theft.

Is Firefox safer than Chrome for browser extensions?

Mozilla's Recommended extensions program requires readable source code submission and manual update review before publication, contrasting with Chrome's lax automated curation.

How can I check if my Chrome extensions are malicious?

A daily-updated database of 1000+ known malicious extensions exists (Show HN: toborrm9, Feb 2026) with CLI and GUI tools for local verification. Minimizing total extensions and auditing permissions are the primary recommended mitigations.

← Back to dashboard

clawsmith.com/signal/chrome-extension-spying-supply-chain-287-extensions

⚠ IssueUnderservedbrowser_extensionLive

287 malicious Chrome extensions with 37M installs caught silently exfiltrating browsing history

Researcher found 287 Chrome extensions (37M+ combined installs) secretly exfiltrating browsing history to data brokers. Separate December 2024 supply chain attack compromised 36+ trusted extensions via phishing. 'ShadyPanda' campaign quietly hijacked extensions over 7 years via silent updates. Trust Wallet extension stolen in Dec 2025, draining $7M. Platform negligence creates a systemic vulnerability.

Product Idea from this Signal

A browser extension that audits all other installed Chrome extensions for permission changes, ownership transfers, and silent code updates that match known supply-chain attack patterns

679 ▲

287 Chrome extensions with 37 million combined installs were caught silently exfiltrating browsing history to data brokers, and a December 2024 supply-chain campaign phished developers to compromise 36 trusted extensions in a single wave. The attack surface is invisible to users: legitimate extensions get acquired or updated post-install and start exfiltrating without triggering any browser warning. This tool sits inside Chrome and continuously watches every installed extension for the three attack vectors that recur across every documented incident: new permissions added in an update, a developer-account ownership transfer to a new entity, and code pattern changes that match known exfiltration signatures from the 287-extension dataset.

BROWSER-SECURITYSUPPLY-CHAINCHROMEPRIVACYEXTENSION-AUDIT

Competitive24 leadsView Opportunity →

Score Breakdown

679

Social Proof 1 sources

Chrome extensions spying on users' browsing data (287 extensions, 37M installs exfiltrating browsing history)

2/17/2026

679

Gap Assessment

UnderservedExisting solutions leave gaps

Daily-updated malicious extension databases exist (Show HN, 17 pts) and Mozilla vets better, but no real-time Chrome extension integrity layer or user-level audit tool with traction.

Frequently Asked Questions

Virality Score

679

across 0 platforms

Details

Signalissue

Ecosystembrowser_extension

Sources1

Platforms0

Updated2h ago

Trend→ stable

Top ideas

All ideas →

0A mobile app that detects and removes AI-generated tracks from your Spotify playlists before you hear them 0A web app that tracks AI coding tool spend across Copilot, Claude Code, and Cursor, normalized per commit and per PR 0A browser extension that monitors installed extensions for ownership transfers, permission scope changes, and suspicious outbound data requests in real time

Related signals

All signals →

2.8KHoney browser extension exposed for affiliate link hijacking and creator fraud 659AI power users forced to re-explain context to every LLM tool — browser extension memory layer demand 449Chrome Manifest V3 sunset kills uBlock Origin, stranding 40M+ users