New and Improved with new China leak option
Your data doesn't JUST go to M$ and Google, China gets a taste as well. Oh Joy!
The only machine I have with Chrome on it is a tiny PC running Cinnamon that I only use for one task. Whew.
A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people's data to servers in China. And, according to Koi researchers, five of the extensions with more than 4 million installs are still live in the Edge marketplace …
Something I have seen many times is legitimate browser extensions getting bought by bad actors, usually in Chrome. It is one of the main reasons I don't use Chrome or web browsers based on it anymore.
Apparently that has become so common that they just started making their own extensions and just waiting for the right time.
One engine, to be hacked all at once. Two things: more very different rendering engines, and the enforcement to support them. Without deliberately including code in webpages to be slower on competing browsers (hello YouTube! Yes, I am talking about you in first place!). A third thing would be less concentration on marketing-propaganda-fashion trends, more down to the base quality.
And more pages opened in their own properly isolated environment, unless the user deliberately selects the option way down the right-click menu (as it is useful, sometimes, to have two tabs know you are logged into a site).
Will never be done, of course, because stopping your Facebook (etc etc etc) login following you around and "legitimately" watching your every move, converting it into saleable data, would probably be accused of being restraint of trade or some other bollocks ("deliberately stifling innovation", another good phrase). If only to tie browser makers up in the courts.
For Google etc. to use this as an excuse to remove extensions entirely in the name of "security". (Of course, remember what they did to uBlock Origin. I've never used Chrome myself.) For the typical user it may make sense. Though I'll of course always prefer the extra control (and associated risk, perhaps) of having a less locked down experience (Android is the lesser of two evils in that regard compared to Apple, though Google is trying their best to close that gap). Feel the same way of course about anything that is forced to be encrypted/signed/etc.
Or was it someone buying out or taking over via force (hacking, blackmail etc.) a legit extension? Or maybe the developer's circumstances changed and he had big gambling debt or something like that?
That seems more likely than evildoers playing out a seven year long con.
'Build something, get a bunch of users, then sell your company/product' is how most startups work. It's just that in this case, instead of getting bought by Facebook/Google/some VC, they actually got bought out by someone malicious.
Or maybe the initial sale was legit at the time, but the buying company realised that they could make more money by installing spyware.
These days I imagine more devs would be suspicious of random buyout offers, but this was at least seven years ago and this tactic was less well known.
The extension has been most likely either hacked or simply just bought from the original author, in order to spread malware. Hackers have been doing this for decades.
Nobody will create an extension with the intention to wait 7 years only to place some affiliate cookies - especially when such programs could end anytime, or browser extension rules and APIs could change so that manipulating traffic will not be possible or effective. See Manifest V3 changes (which obviously don't hinder this extension, just mentioning as an example of browsers crippling several extensions with API changes).
Given the number of extensions from the one author that have been compromised and the lack of comment from that Malaysian business, I think there is more to come as people start digging.
> Nobody will create an extension with the intention to wait 7 years only to place some affiliate cookies…
I would not be so sure; one only needs to look at the Israeli compromise of Hezbollah pagers/phones.
Paragraph three:
"Because both marketplaces review extensions upon submission – it's not an ongoing process – these seemingly stellar productivity tools, some with Featured and Verified status alongside glowing user reviews and high install counts, were allowed to track people's behavior and steal sensitive info silently for years."
Paragraph five:
"A Google spokesperson confirmed none of the extensions are available on the Chrome Web Store, and we are aware that Google screens every single update to extensions in the Chrome store, no matter how minor the change."
I don't understand how both of these can be correct. Does Google review on every update, or only upon submission?
It doesn't say when that happens. Is it on submission, as you would hope, or is it some form of asynchronous background process that gets done when someone gets around to it? And as we know, people have plenty of time, so there will be absolutely no delay, promise.
Or, with AI everywhere, perhaps, it is some automated code that can't figure things out properly, just approving changes and firing them out there. AI has good form for this, it can simply lie or say sorry when it gets called out that it made a mistake.
The original article has some great information and I think I know why The Register doesn't link to it. The endpoint https:// api.extensionplay dot com /clean_master/t.json?t=Date.now() and other domains are still up and running long after everywhere else has purged it. Up and running on a service that The Register is often quick to defend.
....is another's Analytics.
Remove the China angle and it sounds like just another day in the life of modern software. Remember -- there is no such thing as a free lunch (or browser extension), sooner or later someone, somewhere, is going to want to monetize this asset.
(This reminds me of Gatorware... anyone remember this and know what happened after the original company shut down?)
Since few seem to be providing a more full list of extensions, here's "some" of them according to THN:
Users who installed the extensions are recommended to remove them immediately and rotate their credentials out of an abundance of caution. Some of the identified extensions on Chrome and Edge are listed below -
- Clean Master: the best Chrome Cache Cleaner
- Speedtest Pro-Free Online Internet Speed Test
- BlockSite
- Address bar search engine switcher
- SafeSwift New Tab
- Infinity V+ New Tab
- OneTab Plus:Tab Manage & Productivity
- WeTab 新标签页
- Infinity New Tab for Mobile
- Infinity New Tab (Pro)
- Infinity New Tab
- Dream Afar New Tab
- Download Manager Pro
- Galaxy Theme Wallpaper HD 4k HomePage
- Halo 4K Wallpaper HD HomePage
https://mp.weixin.qq.com/s/E8YQLWZFM2J7r5DZNSl47w
According to the plugin's official documentation, the plugin containing malicious code mentioned in the report was indeed initially developed by their team but has since been sold. The report does not specify whether plugins under the official team's actual control contain malicious code; it merely correlates them based on historical associations. The removal of the Edge version of the plugin is also linked to the transfer of control.