Last Thursday, I opened my browser and noticed something odd. A Chrome extension I had been using for two years — a simple tab manager that I genuinely liked — was suddenly asking for permission to "read and change all your data on all websites." It had never asked for that before.
Turns out, the extension had been sold to a new owner three weeks earlier. No announcement. No changelog. Just a quiet ownership transfer, a sneaky permissions update, and suddenly a tool I trusted was doing things I never agreed to.
This is not a hypothetical scare story. On March 9, 2026, BleepingComputer reported that multiple Chrome extensions had turned malicious after ownership transfers — injecting ads, stealing data, and redirecting searches. And just this week, The Hacker News covered a case where a malicious npm package was disguised as a legitimate installer to deploy a remote access trojan that steals credentials, browser data, and crypto wallets.
I spent the weekend auditing every single extension in my browser. All 23 of them. Here is exactly how I did it, and what I found.
The Ownership Transfer Problem Nobody Talks About
Here is something most people do not know: Chrome extension developers can sell or transfer their extensions to other developers at any time. Google does not notify users when this happens. The extension keeps its name, its icon, its star rating, its review count. Everything looks the same.
Except the code inside? Completely different person now.
My colleague Rachel, who works in IT security for a mid-size insurance company, puts it this way: "It is like finding out the locksmith who made your house keys sold his business to someone you have never met, and they kept a copy of every key they ever made."
That analogy haunted me for three days.
How It Works
The attack chain is depressingly simple:
- Attacker identifies a popular extension with thousands of users
- They contact the developer and offer to buy it — often for surprisingly little money ($500-5,000 for extensions with 10,000+ users)
- Developer sells, transfer happens silently through the Chrome Web Store
- New owner pushes an update with malicious code embedded in the existing functionality
- Chrome auto-updates extensions by default. Users get the malicious version without doing anything.
In a recent incident covered by BleepingComputer, two Chrome extensions turned malicious after their developers were targeted through phishing or direct acquisition. The compromised extensions began injecting unauthorized code into web pages, enabling data theft and ad injection.
The worst part? Some of these extensions had been clean for years before the transfer. That is years of trust, weaponized overnight.
My Audit Process: The 4-Step Check
After learning all this, I sat down with a cup of increasingly cold coffee and audited my entire extension library. Here is the framework I used:
Step 1: List Everything
Go to chrome://extensions in your browser. Look at every single extension. I had 23. I could only remember installing maybe 15 of them. The other 8? No idea when or why I added those. That alone should scare you.
For each extension, I wrote down:
- Name
- What I thought it did
- When I last actually used it
- What permissions it currently has
Step 2: Check Permissions (This Is Where It Gets Ugly)
Click on "Details" for each extension. Scroll down to "Permissions." Here is what is normal vs. suspicious:
Normal for most extensions:
- "Read your browsing history" — needed for tab managers, bookmark tools
- "Display notifications" — most extensions use this
- "Storage" — saving your settings
Red flags (unless the extension genuinely needs it):
- "Read and change all your data on all websites" — this is the nuclear option. A grammar checker needs this. A color picker does not.
- "Manage your downloads" — why would a screenshot tool need this?
- "Manage your apps, extensions, and themes" — an extension managing other extensions? That is suspicious.
- "Communicate with cooperating native applications" — this means it can run programs on your actual computer. Very few legitimate extensions need this.
Of my 23 extensions, 7 had "read and change all your data on all websites." Three of those had no business having that permission. One was a color picker. A color picker, reading all my data on all websites. I uninstalled it immediately.
Step 3: Research the Developer
For every extension that survived Step 2, I checked:
- Developer website — does it exist? Is it a real company or a placeholder page?
- Last updated date — if it was updated very recently after months of silence, that could indicate an ownership change
- Recent reviews — look for reviews mentioning new ads, strange behavior, or permissions changes. Sort by "Most Recent" — the 5-star reviews from 2024 do not matter anymore if the last 20 reviews from 2026 all say "this extension just started showing ads"
- Chrome Web Store developer profile — click the developer name. Do they have other extensions? Is there a pattern?
This is where I found my tab manager problem. The developer's website had changed from a personal blog to a generic "software solutions" page with stock photos and broken English. Classic sign of an acquisition by a company that buys extensions for data harvesting.
Step 4: The "Do I Actually Need This?" Purge
This was the most therapeutic step. For each remaining extension, I asked myself: "Have I used this in the last 30 days?"
The results:
- Actively using: 8 extensions
- Used occasionally (once a month): 4 extensions
- Have not touched in 3+ months: 11 extensions
I uninstalled all 11 unused extensions on the spot. My browser literally felt faster. Whether that is real or placebo, I do not care — fewer extensions means a smaller attack surface.
Final count: went from 23 extensions to 12. Almost half were dead weight or suspicious.
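Steps 1 and 2 can also be run against the manifest.json files Chrome keeps on disk for every installed extension. The script below is an added example (Python), not code from the original post; it assumes Chrome's <profile>/Extensions/<id>/<version>/manifest.json layout, maps the Web Store warning strings from Step 2 back to the manifest permission names that trigger them, and the two sample manifests at the bottom are constructed for illustration.

```python
import json
from pathlib import Path

# Manifest permission names behind the Chrome Web Store warnings listed in Step 2.
RED_FLAGS = {
    "downloads": "Manage your downloads",
    "management": "Manage your apps, extensions, and themes",
    "nativeMessaging": "Communicate with cooperating native applications",
}
# Host patterns that amount to "Read and change all your data on all websites".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return the red-flag warnings a manifest would trigger (empty list = clean)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions"; treat those as hosts too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    flags = [label for name, label in RED_FLAGS.items() if name in perms]
    if hosts & ALL_SITES:
        flags.append("Read and change all your data on all websites")
    # A content script matched on every site reaches as far as an all-sites host grant.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            flags.append("Content script injected on all websites")
            break
    return flags

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; map name -> flags."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        name = manifest.get("name", manifest_path.parent.parent.name)
        report[name] = audit_manifest(manifest)
    return report

# Constructed sample manifests: the post's colour picker with all-site access
# beside a tab manager that only needs the tabs and storage permissions.
SAMPLE_MANIFESTS = {
    "Colour Picker (constructed)": {
        "manifest_version": 3, "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
    "Tab Manager (constructed)": {"manifest_version": 3, "permissions": ["tabs", "storage"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        flags = audit_manifest(manifest)
        print(f"{name}: {'CLEAN' if not flags else ', '.join(flags)}")
```

Point audit_profile at your profile's Extensions directory to get the same report for everything actually installed; the flags it prints are the Step 2 warnings, so a color picker showing the all-sites line is the case described above.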
5 Extensions I Immediately Uninstalled (And Why)
I am not naming the specific extensions because the malicious ones change constantly. But here are the categories:
- The color picker with all-site access — no legitimate reason for those permissions
- The "productivity" extension I installed from a blog post in 2023 — the developer's website no longer exists
- The screenshot tool that recently added "manage downloads" — permission creep after an update I did not notice
- Two coupon/deal finders — these are notorious for tracking your browsing habits and selling the data. The "savings" are not worth the surveillance.
My friend Tom, who does browser security research, told me something that stuck: "Every extension you install is someone else's code running in your browser with your credentials. Would you let a stranger sit at your desk and watch you work? Because that is basically what you are doing."
Tom is a bit dramatic. But Tom is also right.
How to Protect Yourself Going Forward
1. Turn Off Auto-Updates for Extensions (Yes, Really)
This is controversial because auto-updates include security patches. But they also silently deliver malicious updates after ownership transfers. My compromise: I check for extension updates manually once a week. Takes 30 seconds.
To disable auto-updates: go to chrome://extensions, enable "Developer mode" in the top right, and uncheck automatic updates for critical extensions. Or, if you want to go nuclear, launch Chrome with the --extensions-update-frequency=604800 flag to limit updates to once per week.
2. Use the Minimum Permissions Setting
For extensions that support it, click "Details" → "Site access" → change from "On all sites" to "On click" or "On specific sites." This means the extension only activates when you explicitly need it, rather than running in the background on every page you visit.
I did this for 6 of my remaining 12 extensions. None of them broke. They just ask for permission when I actually need them. Novel concept.
3. Check CRXcavator or Extension Fingerprints
CRXcavator (crxcavator.io) is a free tool that analyzes Chrome extensions for risky permissions, third-party library usage, and security signals. Before installing any new extension, I now run it through CRXcavator first. If it scores poorly, I skip it.
Extension Fingerprints is another open-source tool that checks what data your extensions can access. Both are free. Both take about 10 seconds to use. There is no excuse not to.
4. Set a Calendar Reminder for Monthly Audits
I have a recurring calendar event on the first of every month: "Audit browser extensions." It takes 10 minutes. I check for new permissions, read recent reviews, and uninstall anything I have not used. It is the digital equivalent of checking your smoke detectors — boring but potentially life-saving.
5. Consider Extension Alternatives
Some things you use extensions for, you do not actually need an extension for:
- Password manager — use a standalone app (1Password, Bitwarden) rather than a browser extension. The app is harder to compromise.
- Ad blocker — uBlock Origin is open-source and well-audited. Stick with it. Avoid lesser-known blockers.
- Screenshots — your OS has built-in screenshot tools (Cmd+Shift+4 on Mac, Win+Shift+S on Windows). You probably do not need an extension for this.
- Tab management — Chrome has built-in tab groups now. They are not perfect, but they do not require trusting third-party code.
The Bigger Picture
Browser extensions are one of the most underappreciated attack vectors in personal and corporate security. A 2025 study found that the average Chrome user has 12-15 extensions installed, and roughly 30% of those have permissions that exceed what they need for their stated function.
Enterprise security teams are starting to wake up to this. Companies like Nudge Security now offer tools specifically for monitoring what browser extensions employees are using. But for individuals? You are on your own. Google's review process for extensions is better than it used to be, but it still misses things — especially when malicious code is introduced through ownership transfers rather than new submissions.
The internet runs on trust. Every extension you install is a trust decision. Every auto-update is a renewal of that trust, whether you realize it or not. The least you can do is verify that trust every once in a while.
Or, you know, keep that color picker with full data access. It is a really nice shade of blue.
I have started maintaining a shared spreadsheet tracking Chrome extensions that have changed ownership in 2026. If you want access, drop a comment — the more eyes on this, the better.