SquareX Identifies Polymorphic Browser Extensions That Can Mimic Any Extension, Targeting Password Managers and Wallets

March 6, 2025

SquareX

PALO ALTO, Calif., March 05, 2025 — Recent incidents, like and extension infostealers, highlight browser extensions as a significant attack surface for many organizations. The SquareX research team has identified a new class of malicious extension that can mimic any other extension in a user's browser, including password managers and crypto wallets. These extensions replicate the appearance of the legitimate extension, reusing the same user interface, icons, and text, which makes it easy to trick users into entering their login details and other private data into the impostor. The issue affects most major browsers, including Chrome and Edge.

Polymorphic extensions function by taking advantage of the common practice of users interacting with extensions via the icons pinned to the browser toolbar. The attack begins when a user installs a malicious extension, which might be disguised as something harmless like an AI tool. To further enhance the deception, the extension performs the advertised function correctly and remains harmless for a set amount of time.

During this dormant period, the malicious extension enumerates the other extensions installed in the user's browser. Once it knows what is present, it changes its appearance to match the targeted extension, including the icon shown on the pinned toolbar. Because most users rely on these icons to confirm which extension they are using, swapping the icon is usually enough to convince them they are interacting with the genuine one. Even a user who opens the extensions management page will find it hard to tie the entries listed there to the pinned icons. To avoid raising suspicion, the malicious extension can also temporarily disable the target extension and remove it from the pinned toolbar, so that only one extension carries the target's icon.

Importantly, a polymorphic extension can impersonate any browser extension. For example, it can imitate a well-known password manager to trick the user into entering their master password; the attacker then uses that password against the real password manager to steal every stored credential. In the same way, it can mimic popular crypto wallets so that the stolen credentials can be used to approve transactions that send funds to the attacker. Other potential targets include developer tools and banking extensions, which could give the attacker access to applications holding sensitive data or financial assets.

Moreover, the attack requires only permissions that the Chrome Web Store classifies as medium-risk. Ironically, many of the same permissions are requested by password managers, ad blockers, page stylers, and other popular tools, which makes it particularly difficult for the Chrome Web Store and security teams to infer malicious intent from a review of an extension's permissions or code alone.

The founder of SquareX, , warns that “Browser extensions pose a significant threat to both businesses and individual users today. Unfortunately, most organizations lack the ability to audit their current extension usage and check for malicious activity. This further emphasizes the need for a browser-native security solution like Browser Detection and Response, which is similar to how an EDR protects the operating system.”

Polymorphic extensions abuse existing Chrome features rather than a software bug, so there is nothing for a patch to fix. SquareX has responsibly disclosed the issue to Chrome, recommending that the browser either block, or alert users to, changes to an extension's icon and abrupt changes to its HTML, since attackers can readily use both to impersonate other extensions in a polymorphic attack. For businesses, static extension analysis and permission-based policies are no longer enough; what is needed is a browser-native security tool that can analyze extension behavior dynamically at runtime, including any polymorphic behavior.
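The swap sequence described above (dormancy, enumeration of installed extensions, icon change, disabling the target) and the runtime alerting SquareX recommends can be expressed as detection logic. The following is an added example written for this page; it is not SquareX's code and not a Chrome API. It replays a constructed event stream modeled on chrome.management's onInstalled/onDisabled/onEnabled events plus a hypothetical actionChanged event carrying the toolbar icon hash and tooltip title (Chrome emits no such event today, which is exactly the gap the disclosure asks Google to close), and raises a high-severity alert when one extension's toolbar look starts matching another installed extension and that other extension is disabled within a short window, in either order.

```javascript
// Added example, not SquareX's code or a real Chrome API. Replays extension events and
// flags the polymorphic swap: extension A's toolbar look changes to match extension B,
// and B is disabled shortly before or after.
//
// Assumed telemetry shape:
//   installed / disabled / enabled  - mirror chrome.management.onInstalled/onDisabled/onEnabled
//   actionChanged                   - HYPOTHETICAL: Chrome exposes no event for chrome.action
//                                     setIcon/setTitle changes; the text reports SquareX asking
//                                     Google to alert on exactly this. `icon` stands in for a
//                                     hash of the rendered toolbar icon bytes.

const SWAP_WINDOW_MS = 60_000; // max gap between a look-alike change and a disable to correlate

// Constructed sample stream: "ai-helper" is the malicious extension, "pw-manager" the target.
const SAMPLE_EVENTS = [
  { t: 0, type: "installed", id: "ai-helper",  name: "AI Helper",  icon: "h:ai",    title: "AI Helper" },
  { t: 0, type: "installed", id: "pw-manager", name: "PassVault",  icon: "h:vault", title: "PassVault" },
  { t: 0, type: "installed", id: "adblock",    name: "Ad Blocker", icon: "h:ad",    title: "Ad Blocker" },
  // three days of dormancy, then the swap completes within one second
  { t: 259_200_000, type: "actionChanged", id: "ai-helper", icon: "h:vault", title: "PassVault" },
  { t: 259_201_000, type: "disabled", id: "pw-manager" },
];

function detectPolymorphicSwap(events, windowMs = SWAP_WINDOW_MS) {
  const state = new Map();    // id -> { name, icon, title, enabled }
  const recentMimics = [];    // { t, mimicId, targetId } from actionChanged collisions
  const recentDisables = [];  // { t, id } from disabled events
  const alerts = [];
  const within = (a, b) => Math.abs(a - b) <= windowMs;

  for (const ev of events) {
    switch (ev.type) {
      case "installed":
        state.set(ev.id, { name: ev.name, icon: ev.icon, title: ev.title, enabled: true });
        break;

      case "enabled": {
        const s = state.get(ev.id);
        if (s) s.enabled = true;
        break;
      }

      case "actionChanged": {
        const self = state.get(ev.id);
        if (!self) break;
        if (ev.icon !== undefined) self.icon = ev.icon;
        if (ev.title !== undefined) self.title = ev.title;
        // Medium: the new toolbar look collides with a different installed extension.
        for (const [otherId, other] of state) {
          if (otherId === ev.id) continue;
          if (other.icon !== self.icon && other.title !== self.title) continue;
          alerts.push({ t: ev.t, severity: "medium", rule: "icon-or-title-collision",
                        mimicId: ev.id, targetId: otherId });
          recentMimics.push({ t: ev.t, mimicId: ev.id, targetId: otherId });
          // High: the impersonated extension was already disabled moments ago.
          if (recentDisables.some(d => d.id === otherId && within(d.t, ev.t))) {
            alerts.push({ t: ev.t, severity: "high", rule: "polymorphic-swap",
                          mimicId: ev.id, targetId: otherId });
          }
        }
        break;
      }

      case "disabled": {
        const s = state.get(ev.id);
        if (s) s.enabled = false;
        recentDisables.push({ t: ev.t, id: ev.id });
        // High: something recently started looking like the extension that just got disabled.
        for (const m of recentMimics) {
          if (m.targetId === ev.id && within(m.t, ev.t)) {
            alerts.push({ t: ev.t, severity: "high", rule: "polymorphic-swap",
                          mimicId: m.mimicId, targetId: ev.id });
          }
        }
        break;
      }
    }
  }
  return alerts;
}

// Stand-alone run: prints the two alerts produced by the constructed stream.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(detectPolymorphicSwap(SAMPLE_EVENTS), null, 2));
}
```

The collision rule alone is noisy (two legitimate extensions can share a generic icon), which is why the high-severity verdict requires the second signal: the look-alike's target going dark within the window. A browser-native monitor would feed real chrome.management events into `detectPolymorphicSwap` and would still need the missing icon-change signal from the browser itself.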

For more information about polymorphic extensions, additional findings from this research are available at .

About SquareX
SquareX helps organizations identify, mitigate, and hunt for client-side web attacks targeting their users in real time, including defense against malicious extensions. In addition to the polymorphic attack, SquareX has also discovered and disclosed several other extension-based attacks, including Browser Syncjacking, the Chrome Web Store consent phishing attack that led to Cyberhaven's breach, and numerous other MV3-compliant malicious extensions revealed at DEF CON 32.

SquareX’s industry-first Browser Detection and Response (BDR) solution takes an attack-focused strategy to browser security, ensuring enterprise users are protected from advanced threats such as malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware, and other web attacks including malicious files, websites, scripts, and compromised networks.

Additionally, SquareX enables enterprises to provide contractors and remote workers with secure access to internal applications and enterprise SaaS, and convert browsers on BYOD / unmanaged devices into trusted browsing sessions.

Contact

Head of PR
Junice Liew
SquareX
junice@sqrx.com

A photo accompanying this announcement is available at
