Millions of users have fallen victim to malicious browser extensions because of a critical flaw, but things are changing — here's what you need to know
Security labels mask deeper extension risks

- Labels like “Verified” give a false sense of safety but don’t reflect real extension behavior
- Browser DevTools were never meant to track how extensions behave across tabs and over time
- Malicious extensions often act normally until specific triggers make their hidden features come alive
The unchecked spread of malicious browser extensions continues to expose users to spyware and other threats, largely due to deep-seated flaws in how the software handles extension security.
New research from SquareX claims many people still rely on superficial trust markers like “Verified” or “Chrome Featured,” which have repeatedly failed to prevent widespread compromise.
These markers, while intended to reassure users, often offer little insight into the actual behavior of an extension.
Labels offer little protection against dynamic threats
A central issue lies in the limitations of Browser DevTools, which were designed in the late 2000s for web page debugging.
These tools were never meant to inspect the far more complex behavior of modern browser extensions, which can run scripts, take screenshots, and operate across tabs, actions that existing DevTools struggle to trace or attribute.
This creates an environment where malicious behaviors can remain hidden, even as they collect data or manipulate web content.
The failure of these DevTools lies in their inability to provide telemetry that isolates extension behavior from standard web activity.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
For instance, when a script is injected into a web page by an extension, DevTools lack the means to distinguish it from the page’s native functions.
The Geco Colorpick incident offers an example of how trust indicators can fail catastrophically - according to findings from Koi Research, 18 malicious extensions were able to distribute spyware to 2.3 million users, despite carrying the highly visible “Verified” label.
To address this, SquareX has proposed a new framework involving a modified browser and what it calls Browser AI Agents.
This combination is designed to simulate varied user behaviors and conditions, drawing out hidden or delayed responses from extensions.
The approach is part of what SquareX terms the Extension Monitoring Sandbox, a setup that enables dynamic analysis based on real-time activity rather than just static code inspection.
At the moment, many organizations continue to rely on free antivirus tools or built-in browser protections that cannot keep up with the evolving threat landscape.
The gap between perceived and actual security leaves both individuals and companies vulnerable.
The long-term impact of this initiative remains to be seen, but it reflects a growing recognition that browser-based threats demand more than superficial safeguards.
You might also like
- Google Workspace is copying a very familiar YouTube feature to help you get through videos
- Check out the best AI phones on the market
- Here is our list of the best AI website builders on the web

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.