If you’re like most of us, you probably rely on your web browser for everything these days—catching up on news, checking your bank balance, chatting with the grandkids, and maybe even a cheeky bit of online shopping.

But what if we told you that something as simple as a browser extension could be quietly spying on you, tracking your every move, and even putting your personal information at risk?


That’s exactly what’s happened to millions of people around the world, including right here in Australia, thanks to a recent discovery by cybersecurity researchers.

They’ve uncovered a sneaky campaign involving 18 browser extensions—available through the official Chrome and Edge web stores—secretly tracking users’ online behaviour.

The total number of installs? Over two million. Yikes!


These weren’t dodgy downloads from the dark corners of the internet.

These extensions looked perfectly legitimate, offering handy features like weather updates, emoji keyboards, and even dark mode for your browser.

They had glowing reviews, shiny verification badges, and the web stores themselves even featured some.


But here’s the catch: cybercriminals have figured out a clever trick. They start by releasing a clean, innocent extension—what some experts call a 'sleeper agent.'

It works as advertised, builds up a good reputation, and then, after months or even years, the bad guys push out an update that quietly adds malicious code.

Suddenly, your trusty extension is up to no good.

Once 'activated,' these extensions would spring into action every time you visited a new website. Here’s what they did:

• Captured the URL of every page you visited.
• Sent that information, along with a unique ID to track you, to a remote server.
• Waited for instructions from the cybercriminals’ command centre.
• If told to do so, redirected you to a different website—sometimes a fake version of a real site.

Imagine this: you get a Zoom meeting invite, click the link, and instead of joining your meeting, you’re whisked away to a convincing fake page telling you to download a 'critical Zoom update.'

You download it, thinking you’re being safe, but you’ve just installed even more malware. Suddenly, your device—and all your info—could be completely compromised.


Most of the malicious extensions have now been removed from the webstores, but if you installed one before it was taken down, you could still be at risk.

And while we always recommend sticking to official webstores for your downloads, this incident proves that even 'safe' sources aren’t foolproof.

First, check your browser for these extensions. Here’s the list of the main offenders:

Chrome Extensions:

• Emoji keyboard online
• Free Weather Forecast
• Unlock Discord
• Dark Theme
• Volume Max
• Unblock TikTok
• Unlock YouTube VPN
• Geco colorpick
• Weather

Edge Extensions:

• Unlock TikTok
• Volume Booster
• Web Sound Equalizer
• Header Value
• Flash Player
• Youtube Unblocked
• SearchGPT
• Unlock Discord

If an extension suddenly asks for new permissions after an update—especially ones that don’t make sense for what it’s supposed to do—be suspicious.

It’s always better to be safe than sorry. This incident is a timely reminder that even the most tech-savvy among us can fall victim to online scams.
Have you ever had a dodgy extension sneak onto your computer? Or maybe you’ve got a tip for staying safe online? Share your stories and advice in the comments below—let’s help each other stay one step ahead of the cyber crooks!

Read more: Web browser users face urgent security risk as millions warned to remove dangerous extensions