Security researchers from Proofpoint have identified a malicious campaign involving 106 Google Chrome extensions that were designed to steal sensitive user data. The extensions, which were available on the official Chrome Web Store, were downloaded over 32 million times before being removed by Google.
The malicious extensions posed as tools for converting files, blocking ads, or enhancing privacy. Once installed, they harvested a wide range of data from users' browsers, including login credentials, authentication cookies, and personal information. This data was then sent to attacker-controlled servers.
Proofpoint's report, published in April 2026, states the campaign was active for at least two years and impacted thousands of user accounts. The researchers linked the activity to a threat actor they track as 'Aggah', which has a history of conducting large-scale malware and phishing campaigns.
Google has since removed the identified extensions from the Chrome Web Store. Users are advised to review their installed extensions, remove any that are unfamiliar or unused, and install extensions only from trusted developers with positive reviews.
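A review of installed extensions can start from their manifests. The script below is an added example, not code from Proofpoint's report or from Google: it walks a Chrome profile's `Extensions` directory (layout `<id>/<version>/manifest.json`) and lists extensions whose manifests request access to the kinds of data named above. The permission list and the function names are this example's own assumptions.

```python
import json
import sys
from pathlib import Path

# Assumption: the Chrome permissions this example treats as granting access
# to cookies, page content or traffic; the report's own criteria are not known.
RISKY_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> list[str]:
    """Return the reasons a manifest deserves manual review (empty if none)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    reasons = [f"permission:{p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    if perms & BROAD_HOSTS:
        reasons.append("host access to all sites")
    # A content script injected into every page can read form fields.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            reasons.append("content script on all sites")
            break
    return reasons


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Map extension ID -> review reasons for every manifest under the directory."""
    findings = {}
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parts[-3]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            findings[ext_id] = ["unreadable manifest"]
            continue
        reasons = assess_manifest(manifest)
        if reasons:
            findings[ext_id] = reasons
    return findings


if __name__ == "__main__":
    # Argument: path to the profile's Extensions directory.
    for ext_id, reasons in audit_profile(Path(sys.argv[1])).items():
        print(ext_id, "; ".join(reasons))
```

A listed extension is a candidate for manual review rather than a confirmed threat, since legitimate ad blockers and privacy tools request the same permissions.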