Chrome Web Store Breach Shows Why We Can’t Trust Extension Marketplaces

I spent most of yesterday morning helping a client deal with the aftermath of compromised browser extensions, so when I saw that over 100 malicious Chrome extensions had been discovered in Google’s official Web Store, I wasn’t exactly shocked. But the scale of it? That caught my attention.

These weren’t some sketchy extensions hiding in dark corners of the internet. They were sitting right there in Google’s supposedly vetted marketplace, actively stealing OAuth2 Bearer tokens, deploying backdoors, and running ad fraud operations. It’s a stark reminder that the “official” stamp of approval means less than we’d like to think.

The Extension Problem We’ve Been Ignoring

Here’s what bothers me most about this Chrome extension situation: we’ve been treating browser extensions like they’re harmless productivity tools when they’re actually running with significant privileges in our most critical workspace. Think about it – your browser is where you access email, cloud storage, banking, internal company systems. An extension with the right permissions can see and modify everything.

The attackers behind these 100+ malicious extensions understood this perfectly. They weren’t just going after random user data; they were specifically targeting Google OAuth2 tokens. Get those, and you’ve got persistent access to Google Workspace accounts, which for many organizations means access to everything that matters.

What makes this particularly insidious is how these extensions likely operated. They probably started as legitimate-looking productivity tools – PDF converters, ad blockers, shopping helpers – things people actually want. Then, either through updates or hidden functionality, they began their real work of credential harvesting.

Meanwhile, EDR Systems Under Direct Attack

While we’re dealing with extension-based attacks, threat actors are also getting more sophisticated about disabling our detection capabilities entirely. The expansion of EDR-killer ecosystems using BYOVD techniques represents a fundamental shift in how attackers approach endpoint security.

BYOVD – Bring Your Own Vulnerable Driver – attacks are particularly clever because they use legitimately signed drivers that happen to have security flaws. Since these drivers are properly signed, they sail right past most security controls. Once loaded, attackers can use them to disable EDR agents, modify system configurations, or establish persistence at the kernel level.

The really concerning part is how this has evolved from isolated techniques to full ecosystems. We’re seeing toolkits that automate the process of finding, deploying, and exploiting vulnerable drivers. It’s becoming commoditized, which means we’ll see it in more hands than just advanced persistent threat groups.

Patch Tuesday Brings Record-Breaking Updates

Speaking of things that need our immediate attention, this month’s Microsoft Patch Tuesday is being called a record-breaker, though the details are still being analyzed. When Microsoft releases an unusually large batch of patches, it usually means one of two things: either they’ve been stockpiling fixes for a major release, or they’ve discovered some serious issues that needed coordinated disclosure.

Adobe wasn’t taking any chances either, pushing out patches for 55 vulnerabilities across 11 products. The ColdFusion vulnerabilities in particular are being flagged as high-risk for exploitation. If you’re still running ColdFusion in your environment (and I know some of you are), this needs to be priority one.

PHP Composer Vulnerabilities Hit Development Pipeline

For those of us securing development environments, the PHP Composer command injection flaws deserve special attention. CVE-2026-40176 affects the Perforce VCS driver and could allow arbitrary command execution during package installation.

This is particularly nasty because Composer is so deeply integrated into PHP development workflows. Developers trust it implicitly – they run composer install without thinking twice about it. If an attacker can compromise a package or exploit these VCS driver flaws, they’re essentially getting code execution in development environments, which often have fewer security controls than production.

What This Means for Our Daily Work

Looking at all these issues together, there’s a clear pattern: attackers are targeting the tools and systems we trust most. Browser extensions from official stores, legitimate signed drivers, development package managers – these are all things we’ve historically considered “safe.”

The Chrome extension problem especially highlights how our security models haven’t kept up with reality. We need to start treating browser extensions like we treat any other software deployment: with proper vetting, monitoring, and lifecycle management. That means maintaining inventories of approved extensions, monitoring for unauthorized installations, and having processes for responding when extensions are compromised.

For the EDR-killer techniques, we need to get serious about driver allowlisting and behavioral monitoring that doesn’t rely solely on endpoint agents. If attackers can disable our EDR, we need detection capabilities that operate independently.

The bottom line is that our security assumptions are under attack. The “trusted” sources aren’t as trustworthy as we thought, and the tools designed to protect us are being systematically targeted. We need to adapt our approaches accordingly.

Sources

• Over 100 Chrome extensions in Web Store target users accounts and data
• EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses
• Microsoft Patch Tuesday April 2026
• Adobe Patches 55 Vulnerabilities Across 11 Products
• New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released