WTF?! Several browser extensions with a combined total of more than 2.3 million downloads were reportedly hijacking browsing sessions and tracking user activity. Many of these malicious add-ons remained available on the Chrome and Edge web stores for years, with some even receiving the coveted "Featured" and "Verified" badges, raising serious questions about the extension review processes used by Google and Microsoft.
According to researchers at Koi Security, the malicious extensions were part of a coordinated operation involving at least 18 known add-ons listed on the Chrome and Edge extension stores. Dubbed "RedDirection," the browser hijacking campaign is believed to have infected more than 2.3 million users across both browsers, making it one of the largest operations of its kind ever documented.
One of the suspicious extensions, The Color Picker – Geco, had over 100,000 installs on Chrome and a 4.2-star rating from more than 800 reviews. It also received similarly high ratings on Microsoft's Edge Add-ons store, with over 1,000 installs, giving it an appearance of legitimacy.
Describing the extension as a "carefully crafted Trojan horse," Koi Security analyst Idan Dardikman noted that this was not the work of amateur scammers, but rather a sophisticated operation orchestrated by individuals who clearly knew what they were doing. While the extension has since been removed from the Chrome Web Store, it was still available on the Edge Add-ons store at the time of writing.
Other malicious extensions in the campaign include various emoji keyboards, weather forecast tools, video speed controllers, VPN proxies for Discord and TikTok, dark theme enablers, volume boosters, and YouTube unblockers. Most of them performed their advertised functions reasonably well, which allowed them to remain undetected for years.
Many of these extensions reportedly started off harmless, with some even earning a "Verified" badge on the Chrome Web Store. The code remained clean for years before malicious functionality was quietly introduced through updates. These updates enabled the hidden code to be automatically installed on millions of devices across both browsers, without any user interaction.
Koi researchers have issued an advisory urging affected users to immediately remove all suspicious extensions from Chrome and Edge. Users are also advised to clear their browser data to eliminate stored tracking identifiers and to run an on-demand, system-wide malware scan to check for any additional infections.
The full list of malicious extensions linked to the RedDirection campaign is available on the Koi Security blog on Medium.