Overview
- Koi Security disclosed a seven-year operation that amassed 4.3 million installs across Chrome and Edge through seemingly legitimate add-ons.
- Google says the identified Chrome extensions are no longer available, but several high-install Edge entries, including WeTab with about 3 million users, remain listed.
- Mid-2024 updates added an hourly remote-code-execution backdoor that checks api.extensionplay[.]com to fetch and run arbitrary JavaScript with full browser API access.
- A set of five Edge add-ons harvests URLs visited, search queries, keystrokes, mouse clicks, cookies and browser fingerprints, transmitting data to 17 domains in China.
- Researchers warn infected browsers still host attacker infrastructure that could be re-weaponized via updates and advise immediate removal and credential rotation.
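The two facts above that matter to a defender are the check-in domain (api.extensionplay[.]com) and the hourly cadence of the backdoor. The script below is an added example, written for this summary and not code from Koi Security, Google or the extensions involved: it scans unpacked Chrome/Edge extension directories for that domain and flags proxy or DNS log destinations that are contacted on a near-constant hourly schedule. The profile paths in `default_extension_roots()` are the standard per-profile locations and are an assumption; the extension ids, names and the log lines in `SAMPLE_LOG` are constructed for the demo.

```python
# Added defender-side checks for the extension campaign summarised above:
# scan_extension_roots() flags unpacked extensions that reference the disclosed
# check-in domain; periodic_hosts() flags log destinations contacted hourly.
import json
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime
from pathlib import Path
from statistics import mean, pstdev

# Indicator from the disclosure (shown defanged on the page as
# api.extensionplay[.]com). Extend the tuple as further IoCs are published.
IOC_DOMAINS = ("api.extensionplay.com",)
_IOC_RE = re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.IGNORECASE)


def default_extension_roots():
    """Standard Chrome/Edge roots for the first ("Default") profile; assumed paths."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    return [
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / "Library/Application Support/Microsoft Edge/Default/Extensions",
        home / ".config/google-chrome/Default/Extensions",
        home / ".config/microsoft-edge/Default/Extensions",
        local / "Google/Chrome/User Data/Default/Extensions",
        local / "Microsoft/Edge/User Data/Default/Extensions",
    ]


def scan_extension(version_dir):
    """Return {id, name, version, hits} for one Extensions/<id>/<version>/ dir."""
    version_dir = Path(version_dir)
    manifest, hits = {}, []
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text("utf-8", "replace"))
    except (OSError, json.JSONDecodeError):
        pass  # missing or unreadable manifest: still scan the files
    for f in version_dir.rglob("*"):
        if f.is_file() and f.suffix.lower() in {".js", ".json", ".html", ".txt"}:
            for m in _IOC_RE.finditer(f.read_text("utf-8", "replace")):
                hits.append((str(f.relative_to(version_dir)), m.group(0).lower()))
    return {"id": version_dir.parent.name, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "hits": hits}


def scan_extension_roots(roots=None):
    """Scan every <root>/<id>/<version>/ directory; return flagged extensions only."""
    flagged = []
    for root in map(Path, roots or default_extension_roots()):
        if not root.is_dir():
            continue
        for id_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
                result = scan_extension(version_dir)
                if result["hits"]:
                    flagged.append(result)
    return flagged


def periodic_hosts(records, period_s=3600, tolerance=0.05, min_hits=4):
    """Return {host: mean_gap_s} for hosts contacted every ~period_s with low jitter."""
    times = defaultdict(list)
    for ts, host in records:
        times[host].append(datetime.fromisoformat(ts))
    suspicious, slack = {}, tolerance * period_s
    for host, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - period_s) <= slack and pstdev(gaps) <= slack:
            suspicious[host] = round(mean(gaps))
    return suspicious


# Constructed sample proxy log (not from the disclosure): one host on an hourly
# check-in cadence, one host with ordinary irregular traffic.
SAMPLE_LOG = [
    ("2024-07-01T09:00:05", "api.extensionplay.com"), ("2024-07-01T10:00:02", "api.extensionplay.com"),
    ("2024-07-01T11:00:09", "api.extensionplay.com"), ("2024-07-01T12:00:01", "api.extensionplay.com"),
    ("2024-07-01T09:13:00", "example.org"), ("2024-07-01T09:14:30", "example.org"),
    ("2024-07-01T11:50:00", "example.org"), ("2024-07-01T15:02:00", "example.org"),
]


def demo_scan():
    """Write two constructed fake extensions (ids are made up) to a temp dir and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.2.0_0"
        good = Path(tmp) / "hhhhggggffffeeeeddddccccbbbbaaaa" / "3.0.1_0"
        for d, name, body in ((bad, "New Tab Helper (fake)", 'const CHECKIN = "https://api.extensionplay.com/";\n'),
                              (good, "Benign Notes (fake)", 'console.log("nothing to see");\n')):
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": name, "version": d.name.split("_")[0]}))
            (d / "background.js").write_text(body)
        return scan_extension_roots([tmp])


if __name__ == "__main__":
    print(demo_scan())
    print(periodic_hosts(SAMPLE_LOG))
```

Run `scan_extension_roots()` with no arguments on a workstation to check the Default profile of both browsers; pass the other profile directories explicitly if users have more than one. The string scan only catches an extension that still carries the domain in its shipped files, so the `periodic_hosts()` check on egress logs is the complement: a backdoor that fetches its real payload at runtime leaves little on disk but keeps its fixed check-in rhythm. A legitimate updater can also poll hourly, so treat a hit as a lead to triage against the extension inventory rather than as proof on its own.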