Overview
- Koi Security cataloged 145 malicious extensions spanning Chrome and Edge with more than 4.3 million installs in a multi‑year operation.
- Google removed many items after disclosure, but researchers say at least five Edge extensions are still live, including one with roughly three million installs.
- The campaign escalated from 2023 affiliate‑fraud add‑ons to early‑2024 modules that hijacked searches and harvested cookies.
- Five legacy extensions from 2018–2019 were later updated with a backdoor enabling remote code execution and extensive telemetry exfiltration.
- Researchers cite active data collection by items tied to developer names such as Starlab Technology, including examples like WeTab that reportedly transmit browsing data in real time.