40 Chrome Extensions, 22M Users, One Undisclosed Offense Each • Daniel Herman
--><br>← notes TABLE OF CONTENTS<br>By the Numbers<br>Extension List<br>The Taxonomy of Abuse A Note on Security Tools
Table of Contents<br>Credential Theft: Waalaxy Credential Theft: 1 extension
A Note on Proxy / “Free VPN” Extensions<br>URL Exfiltration: Image Downloader The Encryption<br>What Gets Sent<br>The “Copyright Check”<br>URL Exfiltration: 23 extensions (13 largest shown, full list in TAGS.md)
Page Content & PII Scraping: WhatRuns The Scraping<br>The Backdoor<br>Input Capture<br>Page Content & PII Scraping: 17 extensions (largest shown, full list in TAGS.md)
Affiliate Fraud: JSON Formatter The Bootstrap<br>The Merchant Database<br>The Hijack<br>The Geolocation<br>Affiliate Fraud: 10 extensions (largest shown, full list in TAGS.md)
Panel Enrollment: Hulu Ad Skipper Default Opt-In<br>The Inverted Opt-Out<br>Hulu Viewing History<br>The Network<br>Panel Enrollment: 9 extensions (all 9 shown)
Job Application Surveillance: Simplify Copilot The Remote Config<br>The Hardcoded Axiom Token<br>URL Leakage on Non-Job Sites
Session Hijacking: Waalaxy Cookie Exfiltration for Server-Side Impersonation<br>LinkedIn Ad Replacement<br>Bot Detection Bypass
The Cookie Terminator: Troywell VPN terminator.json: 4,128 Cookie Targets<br>thanos.json: 117 Extensions Eliminated<br>The Payment Processor Exclusion
Who’s Behind This<br>The Chrome Web Store Problem<br>What You Can Do<br>Full Data<br>5 Jul 2026 · 27 min read<br>40 Chrome Extensions, 22M Users, One Undisclosed Offense Each
#security
Browser extensions are supposed to extend browser functionality, but often they do much more than they disclose. Here I present 40 extensions that fall into one of the following categories: credential-reading code, traffic exfiltration, market-research panels, affiliate-injection SDKs. Every finding is labeled by whether I observed it firing or only verified the capability in shipped code.
40 newly-documented extensions. ~21.9 million users in the combined install base. 3 of 40 no longer available on the Chrome Web Store (as of 2026-06-28).
Full evidence and every per-extension forensic report: detrin/extensions_report.
I like digging deeper, and with Chrome extensions you can bet there is always more going on than you think. I analyzed Chrome extensions out of curiosity, and it took a long time to find suspicious candidates. Here I present only those where I am confident the cases are concerning. I installed the extensions and observed their traffic: what they send and what they download. I reviewed the traffic as well as the code, and whenever something suspicious was going on, I compared the activity or the code to the privacy policies.
The most prominent offenses are traffic exfiltration and affiliate link injection. Traffic exfiltration happens when, on every URL visited, the extension sends the whole URL, not just the domain but the whole path including the request parameters. This is an invasion of privacy when not disclosed in the extension’s privacy policy, but more importantly it lets the extension’s author spy on what you’re doing every day. For example, if you wanted to learn how employees at some company work day to day and which internal services they use, this would be a pretty good way to do it. Affiliate link injection is a weaker type of offense, as it doesn’t affect the targeted person as much, but it is still a form of fraud. The actor detects when you enter an e-shop and redirects you to that e-shop via a personal affiliate link. Or, when the e-shop lets you refer someone, that referral can also be exploited for affiliate injection. Either way, it lets the actor harvest the reward without the victim’s knowledge.
Scope and good faith. This is independent security research published in the public interest. Findings are statements about what each extension’s code does and what I captured on the wire , labeled observed (seen firing) or capability (shipped code, not observed firing); 7 of the 40 were observed transmitting data and 33 are capability-only. Characterizations such as “surveillance,” “fraud,” or “sabotage” are my interpretation of the evidence shown, which is laid out so you can judge for yourself. Some entries are legitimate products from established companies, included for collection-versus-disclosure reasons, not because they are malware; those reports say so. If you are named here and believe something is inaccurate, contact me.
By the Numbers
Extensions documented40 Combined install base21,860,000+ Ship credential/cookie-theft or remote-control code4 extensions Ship URL/PII exfiltration, DOM scraping, or search-hijack code33 extensions Offenses observed firing in my capture (vs. capability-only)7 of 40 observed No longer available on the Chrome Web Store (as of June 28, 2026)3 of 40<br>Every extension here ships code for at least one sharp offense: full-URL exfiltration, credential/cookie theft, remote code control, page scraping, account-data harvesting, search hijacking, affiliate injection, or...