
When browser extensions become live surveillance
Researchers uncovered a seven-year campaign that weaponized hundreds of seemingly benign Chrome/Edge extensions (wallpapers, new tabs, productivity tools) into a global surveillance and remote-control platform. Trusted, even featured tools quietly harvested browsing history, keystrokes, cookies, and behavioral telemetry from millions of users. A subset also enabled remote code execution, running arbitrary JavaScript on demand.

Why it matters: Browsers host banking, medical portals, work dashboards, and private chats. When extensions request broad permissions and later morph (or get compromised), that trust boundary becomes an attack surface, enabling credential theft, session hijacking, large-scale profiling, and targeted exploitation across enterprise and consumer environments.

Key technical takeaways:
• Scale through legitimacy — hundreds of extensions built installs and positive reviews before pushing malicious updates.
• Dual-track ops — large-scale spyware (~4M users) plus a small
Continue reading on Dev.to



