Study finds popular Chrome add‑ons secretly harvesting clipboards, rerouting searches and mimicking trusted tools

A technical review of multiple widely used Chrome extensions shows that some add‑ons engage in dangerous behaviors far beyond their advertised features. Researchers analyzed extensions for tasks such as new‑tab customization, parental controls and market tracking and found instances of code that reads clipboard contents, intercepts or redirects searches, and impersonates established brands to lower user suspicion. In several cases, extensions granted external servers the ability to access or modify clipboard data, creating a low‑visibility channel able to capture passwords, cryptocurrency addresses and other sensitive strings. Other observed tactics included rerouting searches through third‑party infrastructure to capture queries and monetize traffic, and cloning the visual identity of trusted tools to increase install rates. The review also documented higher‑risk campaigns that weaponize browser behavior: attackers have distributed add‑ons that deliberately exhaust browser resources to provoke crashes, then prompt users with fabricated repair instructions that cause them to paste and execute commands — a chain that has been used to install a Python remote‑access trojan (RAT) on selected hosts. That particular operational play targeted domain‑joined systems and used timing delays and repeated denial‑of‑service behavior to maximize chance of user compliance, illustrating how clipboard access and social engineering can escalate into enterprise compromise. Several problematic extensions had large install bases and passed initial platform review, with some later removed after disclosure while others remained available for a period. The practical consequence for users is clear: permission prompts and familiar icons can be abused to harvest confidential data without obvious signs, and even short delays or subtle UI tricks can turn a seemingly minor add‑on into an entry point for persistent malware. For browser vendors and extension developers, the findings spotlight weaknesses in automated and manual vetting, the need for post‑publication monitoring, and the incentives that allow opaque monetization or surveillance tactics to persist. Interim mitigations include restricting extension installations, limiting extension permissions, monitoring unusual clipboard and post‑install timing behavior, enforcing least‑privilege on endpoints, and prioritizing faster takedowns when abuse is detected. Policymakers and industry stakeholders should push for stronger disclosure rules, improved auditing tools and clearer responsibility for marketplace operators to reduce the window in which harmful extensions affect users and organizations.