Malicious Browser Extensions: The Overlooked Attack Vector Threatening SaaS Companies

With 8.8M+ browsers infected by a single threat actor, malicious browser extensions represent a serious but often ignored risk. Learn how to inventory extensions, set policies, and what SOC 2 auditors expect for endpoint security.


Key Takeaways

  • 8.8 million browsers infected by a single threat actor campaign (DarkSpectre)
  • 500,000+ users compromised by the VK Styles extension, which hijacked accounts and stole credentials
  • Browser extensions can access everything users see and type, including sensitive SaaS data
  • SOC 2 and ISO 27001 auditors increasingly expect documented endpoint security controls, and extension management is inside that scope
  • Practical defense requires visibility, approved extension lists, and continuous monitoring

Your SaaS company has invested in firewalls, endpoint detection, and security awareness training. But there's likely a blind spot sitting in every browser across your organization: extensions.

Browser extensions run with whatever permissions the user accepted at install time, and the most common request, access to every site, lets them read each page your employees open, capture credentials as they are typed, modify what users see, and send data to external servers. Unlike traditional malware, they are installed willingly by users who trust the Chrome Web Store or Firefox Add-ons marketplace.

Recent research has exposed just how widespread this threat has become, and why SaaS companies handling sensitive customer data should treat extension security as a priority.

The Scale of the Problem

In late 2025, security researchers at Koi Security documented DarkSpectre, a single threat actor responsible for 8.8 million infected browsers across multiple malicious extension campaigns. These weren't obscure extensions with a handful of users. They were popular tools that had passed marketplace review processes and accumulated millions of installs before detection.

The DarkSpectre campaign demonstrates several concerning patterns:

  • Legitimate functionality as cover: The extensions provided actual features (ad blocking, PDF tools, screen capture) while secretly exfiltrating data
  • Update-based attacks: Some extensions started clean and only became malicious after updates, bypassing initial marketplace reviews
  • Persistence mechanisms: Once installed, the extensions resisted removal and automatically reinstalled themselves
  • Credential harvesting: Extensions captured login credentials, session tokens, and OAuth access tokens from popular SaaS applications

A separate investigation by Koi Security into VK Styles revealed an extension with 500,000+ users that actively hijacked user accounts. The extension monitored browser sessions, stole authentication tokens, and provided attackers with persistent access to victim accounts across multiple platforms.

Why Browser Extensions Are Different

Traditional endpoint security focuses on executable files, network connections, and system-level behavior. Browser extensions operate in a different threat model:

1. They run inside the browser's trusted context

Extensions execute within the browser itself, with access to the same data the user sees. A content script can read and rewrite the DOM of any page it is allowed to run on, intercept form submissions, and read that page's localStorage and non-HttpOnly cookies; with the cookies API permission it can also read HttpOnly session cookies for any host it has access to. From the browser's perspective, this is normal behavior.

2. Users grant permissions voluntarily

Unlike malware that exploits vulnerabilities, extensions are installed by users who accept permission prompts. Many users don't understand what "Read and change all your data on all websites" actually means.

3. Marketplace reviews provide false assurance

The Chrome Web Store reviews thousands of extensions, but review processes have repeatedly failed to catch malicious code. The DarkSpectre campaign included extensions that passed initial reviews. Some used obfuscation techniques to hide malicious behavior from automated analysis.

4. Extensions update automatically

An extension that's safe today can become malicious tomorrow. Chrome does disable an extension and re-prompt the user when an update requests a permission it did not previously warn about, but an extension that already holds access to all sites needs no new permission to start harvesting credentials, so that update installs silently. The VK Styles extension used this pattern, starting with legitimate features before adding credential theft capabilities.

Real-World Attack Patterns

Security researchers have documented several attack patterns that malicious extensions employ:

Session Hijacking

Extensions monitor authentication flows and capture session cookies, OAuth tokens, and API keys. With these, attackers can access SaaS applications as the legitimate user from their own infrastructure without triggering MFA prompts, because MFA was already satisfied when the session was created. This is particularly dangerous for SaaS companies because a stolen token for an admin console or customer-data tool keeps working until the session expires or is revoked, often long after the initial compromise.

Form Injection

Malicious extensions can modify the DOM of any page. This enables convincing phishing attacks where fake login forms appear on legitimate sites. Users enter credentials believing they're interacting with the real application.

Data Exfiltration

Extensions with "read all data" permissions can capture everything users access. This includes customer data, internal documentation, source code, and communications. The data is sent to attacker-controlled servers, often using legitimate-looking API calls that blend with normal traffic.

Man-in-the-Browser

Some extensions modify what users see in real-time. In financial applications, this has been used to change displayed account numbers, redirect payments, or hide fraudulent transactions from victim awareness.

The Compliance Angle

SOC 2 and ISO 27001 auditors have increasingly focused on endpoint security as remote work has expanded the attack surface. Browser extension management falls under several control areas:

SOC 2 Common Criteria

  • CC6.1 (Logical Access Security): Organizations implement logical access security software and architectures over the software that can reach confidential data. Unmanaged browser extensions are ungoverned software with exactly that reach.
  • CC6.2 and CC6.3 (Access Provisioning and Removal): Access is granted, modified, and removed based on role. When employees leave or change roles, the extensions and OAuth grants tied to their browser profiles should be reviewed, because an extension's persistent permissions can outlast the legitimate need.
  • CC6.7 (Restriction of Data Transmission and Movement): Movement of information to external parties is restricted to authorized users and processes. An extension exfiltrating page content to its operator's server is the unauthorized movement this criterion targets.
  • CC6.8 (Unauthorized or Malicious Software): Controls prevent, or detect and act upon, the introduction of unauthorized or malicious software. This is where auditors look for extension allowlisting and for protection against malicious browser components.

ISO 27001 Annex A

  • A.12.5.1 and A.12.6.2 (Installation of software on operational systems; Restrictions on software installation): Software installation should be governed by policy and by rules users cannot bypass. Browser extensions are software that many organizations fail to control.
  • A.12.6.1 (Management of technical vulnerabilities): Known-malicious extensions represent technical vulnerabilities requiring remediation.
  • A.8.1.1 (Inventory of assets): Browser extensions are information processing assets that should be inventoried and classified.

These are the 2013 edition's control numbers. ISO/IEC 27001:2022, which auditors now reference, renumbers them as 8.19 (Installation of software on operational systems), 8.8 (Management of technical vulnerabilities), 8.7 (Protection against malware), and 5.9 (Inventory of information and other associated assets); expect the newer numbers in your statement of applicability.

During audits, expect questions about how your organization manages browser extensions. "We don't have a policy" is increasingly viewed as a control gap rather than an acceptable answer.

Practical Defense: A Four-Step Approach

Step 1: Inventory Your Current Extensions

You can't secure what you can't see. Start by understanding what extensions are currently installed across your organization.

For unmanaged devices, this is challenging. You'll need endpoint agents that can enumerate installed extensions or browser-based reporting tools.

For managed devices using MDM solutions like Jamf, Intune, or Workspace ONE, you can query for installed extensions, or push a script that reads each browser profile's Extensions directory on disk, where every installed extension's manifest.json lists its permissions and update URL. Chrome Enterprise and Edge for Business also provide extension reporting through their management consoles.

At Bastion, our endpoint security tooling automatically inventories browser extensions across managed devices, providing visibility into what's installed without manual data collection.

Step 2: Establish an Approved Extensions Policy

Not all extensions are equal. Create categories that reflect your risk tolerance:

Approved: Vetted extensions that serve business needs (password managers, accessibility tools, development utilities). These should be actively monitored for behavioral changes.

Blocked: Known-malicious extensions and categories with elevated risk (screen recorders, VPN and proxy extensions, shopping and coupon tools). Treat any extension that requests access to all sites as blocked by default; the few that genuinely need it, such as password managers, go on the approved list with that justification recorded.

Review Required: Extensions not yet classified. Users can request additions, but installation requires security team approval.

Document your policy and communicate it clearly. Users should understand why extension management matters and how to request new tools through proper channels.

Step 3: Enforce Through Technical Controls

Policy without enforcement is wishful thinking. Use your browser management capabilities to:

  • Block unapproved extensions at the browser level with the ExtensionInstallAllowlist/ExtensionInstallBlocklist or ExtensionSettings policies, which Chrome and Edge both accept through Group Policy, MDM configuration profiles, or managed policy files; a blocklist entry of "*" plus an allowlist makes the posture default-deny and disables blocked extensions that are already installed
  • Force-install security extensions like password managers from your approved list (ExtensionInstallForcelist, or installation_mode "force_installed" in ExtensionSettings), so every device has them and users cannot remove them
  • Restrict permissions by denying specific API permissions (blocked_permissions) and keeping extensions off sensitive hosts such as admin consoles (runtime_blocked_hosts)
  • Enable extension reporting in your browser management console to maintain audit trails of installation and removal events

For Google Workspace organizations, the Admin Console provides granular extension controls. Microsoft 365 organizations can use Intune policies for Edge management.
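The default-deny posture described in this step, as an added example written for this article (not Bastion's tooling): a script that builds a Chrome or Edge ExtensionSettings policy from an approved list and a force-install list and writes it where the browser reads managed policy on Linux. On Windows the same JSON object goes, as a string, into the ExtensionSettings registry value under HKLM\SOFTWARE\Policies\Google\Chrome (or Microsoft\Edge); on macOS it is the ExtensionSettings key in a configuration profile for com.google.Chrome. The extension IDs, the protected host name and the blocked-permission choices are assumptions; substitute the 32-character IDs of the extensions you have actually approved.

```python
"""Emit a managed ExtensionSettings policy that blocks every extension except an
approved list and force-installs required tools. Added example for this article,
not Bastion's product code; IDs, hosts and paths below are placeholders."""
import json
import re
import sys
from pathlib import Path

# Chrome/Edge extension IDs are 32 characters from the range a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")
CHROME_STORE = "https://clients2.google.com/service/update2/crx"
EDGE_STORE = "https://edge.microsoft.com/extensionwebstorebase/v1/crx"
# Managed-policy directories on Linux (assumed defaults; other OSes use registry/profiles).
POLICY_DIR = {"chrome": Path("/etc/opt/chrome/policies/managed"),
              "edge": Path("/etc/opt/edge/policies/managed")}

# Placeholder IDs (assumed, not real extensions): a password manager and an a11y tool.
APPROVED = {"a" * 32: "Password manager", "b" * 32: "Accessibility helper"}
FORCED = {"a" * 32: "Password manager"}  # present on every device, not user-removable


def build_extension_settings(approved, forced, store_url=CHROME_STORE,
                             protected_hosts=("*://*.admin.example.internal",),
                             blocked_apis=("debugger", "proxy")):
    """Return the ExtensionSettings object.

    The "*" entry applies to every extension not listed explicitly: blocked, so
    unapproved installs fail and already-installed ones are disabled. Approved
    extensions are still denied the listed API permissions and kept off the
    protected hosts, because a compromised approved extension is the Step 4 risk.
    """
    for ext_id in set(approved) | set(forced):
        if not EXT_ID.match(ext_id):
            raise ValueError(f"not a valid extension id: {ext_id!r}")
    settings = {"*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Request this extension through the security approval workflow.",
        "blocked_permissions": list(blocked_apis),
        "runtime_blocked_hosts": list(protected_hosts),
        "allowed_types": ["extension"],  # no themes, user scripts or legacy apps
    }}
    for ext_id in approved:
        settings[ext_id] = {"installation_mode": "allowed"}
    for ext_id in forced:  # overrides an "allowed" entry for the same id
        settings[ext_id] = {"installation_mode": "force_installed",
                            "update_url": store_url, "toolbar_pin": "force_pinned"}
    return settings


def write_policy(settings, browser="chrome", out_dir=None):
    """Write {"ExtensionSettings": ...} as a managed policy file; returns the path."""
    out_dir = Path(out_dir) if out_dir else POLICY_DIR[browser]
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / "extension-settings.json"
    path.write_text(json.dumps({"ExtensionSettings": settings}, indent=2) + "\n")
    return path


if __name__ == "__main__":
    browser = sys.argv[1] if len(sys.argv) > 1 else "chrome"
    store = EDGE_STORE if browser == "edge" else CHROME_STORE
    policy = build_extension_settings(APPROVED, FORCED, store_url=store)
    print(f"wrote {write_policy(policy, browser)}; verify at {browser}://policy")
```

After deployment, chrome://policy (edge://policy) on a managed device shows the loaded ExtensionSettings value and any parse errors, and chrome://extensions shows blocked extensions as disabled by policy. Because the "*" entry denies the debugger and proxy permissions to every extension, check that nothing on the approved list legitimately needs them before rolling out; a per-extension allowed_permissions entry can override the default where it does.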

Step 4: Monitor for Behavioral Changes

Approved extensions can become compromised. Implement ongoing monitoring that detects:

  • Extension updates that add new permissions
  • Network activity from extensions to unknown domains
  • Behavioral anomalies like extensions accessing sites outside their stated purpose
  • New extension installations that bypass controls

Bastion's endpoint monitoring includes extension behavior analysis, alerting security teams when previously-trusted extensions exhibit concerning behavior patterns.
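Steps 1 and 4 together, as an added example written for this article (not Bastion's tooling): a script that inventories Chrome and Edge extensions from what the browser already writes to disk (Extensions/<id>/<version>/manifest.json under each profile), scores each one on the permissions it declares and on whether it updates from an official store, and diffs the result against the previous run so that a new install or an update that added permissions becomes an alert. It runs from an MDM script with the browser closed and uses no extension API. The profile paths, the risk weights and the baseline file location are assumptions to tune for your fleet.

```python
"""Inventory installed Chrome/Edge extensions from on-disk profile data, score their
declared permissions, and diff against a stored baseline. Added example for this
article, not Bastion's tooling; paths and weights are assumptions."""
import json
import os
from pathlib import Path

STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",          # Chrome Web Store
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",   # Edge Add-ons
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that read or alter traffic, cookies or other tabs (assumed weights).
API_WEIGHTS = {"debugger": 4, "cookies": 3, "webRequest": 3, "webRequestBlocking": 3,
               "nativeMessaging": 3, "proxy": 3, "scripting": 2, "clipboardRead": 2,
               "management": 2, "declarativeNetRequest": 2, "tabs": 1, "history": 1}


def profile_dirs(home=Path.home()):
    """Browser profile directories for Chrome and Edge on Windows, macOS and Linux."""
    local = Path(os.environ.get("LOCALAPPDATA", "C:/nonexistent"))
    roots = [local / "Google/Chrome/User Data", local / "Microsoft/Edge/User Data",
             home / "Library/Application Support/Google/Chrome",
             home / "Library/Application Support/Microsoft Edge",
             home / ".config/google-chrome", home / ".config/microsoft-edge"]
    return [p for r in roots if r.is_dir() for p in r.iterdir() if (p / "Extensions").is_dir()]


def resolve_name(ext_dir, manifest):
    """Expand localized __MSG_key__ names from _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            table = {k.lower(): v for k, v in json.loads(msgs.read_text("utf-8-sig")).items()}
            entry = table.get(name[6:-2].lower())
            if entry:
                return entry.get("message", name)
    return name


def declared_permissions(manifest):
    """Split host patterns from API permissions. MV2 mixes both in `permissions`;
    MV3 lists hosts under `host_permissions`. Content-script matches count as hosts."""
    raw = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        raw += script.get("matches", [])
    hosts = {p for p in raw if isinstance(p, str) and ("://" in p or p == "<all_urls>")}
    apis = {p for p in raw if isinstance(p, str) and p not in hosts}
    return apis, hosts


def risk_score(manifest):
    """Heuristic score plus human-readable reasons; higher means review first."""
    apis, hosts = declared_permissions(manifest)
    score, reasons = 0, []
    if hosts & BROAD_HOSTS:
        score, reasons = score + 4, reasons + ["host access to all sites"]
    for api in sorted(apis & set(API_WEIGHTS)):
        score, reasons = score + API_WEIGHTS[api], reasons + [f"api:{api}"]
    if manifest.get("update_url") not in STORE_UPDATE_URLS:
        score, reasons = score + 3, reasons + ["not updated from an official store"]
    return score, reasons


def inventory(profile):
    """One record per extension id in a profile, taken from its newest version directory."""
    found = {}
    for ext_dir in (p for p in (profile / "Extensions").iterdir() if p.is_dir()):
        versions = [d for d in ext_dir.iterdir() if (d / "manifest.json").is_file()]
        if not versions:
            continue
        vdir = max(versions, key=lambda d: d.stat().st_mtime)
        manifest = json.loads((vdir / "manifest.json").read_text("utf-8-sig"))
        apis, hosts = declared_permissions(manifest)
        score, reasons = risk_score(manifest)
        found[ext_dir.name] = {"name": resolve_name(vdir, manifest),
                               "version": manifest.get("version", vdir.name),
                               "apis": sorted(apis), "hosts": sorted(hosts),
                               "score": score, "reasons": reasons}
    return found


def diff_inventory(baseline, current):
    """Findings worth an alert: new installs, removals, and permission growth on update."""
    findings = []
    for ext_id, rec in current.items():
        old = baseline.get(ext_id)
        if old is None:
            findings.append(f"NEW {ext_id} '{rec['name']}' score={rec['score']}")
            continue
        grown = (set(rec["apis"]) - set(old["apis"])) | (set(rec["hosts"]) - set(old["hosts"]))
        if grown:
            findings.append(f"PERMISSION GROWTH {ext_id} {old['version']}->{rec['version']}: {sorted(grown)}")
    findings += [f"REMOVED {ext_id}" for ext_id in baseline.keys() - current.keys()]
    return findings


if __name__ == "__main__":
    baseline_file = Path("extension-baseline.json")  # assumed; ship records to your SIEM instead
    baseline = json.loads(baseline_file.read_text()) if baseline_file.is_file() else {}
    current = {}
    for profile in profile_dirs():
        current.update(inventory(profile))
    for ext_id, rec in sorted(current.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{rec['score']:2d} {ext_id} {rec['name']} {rec['version']} {'; '.join(rec['reasons'])}")
    for finding in diff_inventory(baseline, current):
        print("ALERT", finding)
    baseline_file.write_text(json.dumps(current, indent=1))
```

Declared permissions are the ceiling of what an extension can do, not what it does, so the score triages rather than convicts: a password manager legitimately lands near the top on host access alone, which is why it belongs on the approved list with that justification recorded. The diff is the part that matters for Step 4, because a benign extension that ships an update adding cookies or webRequest is the DarkSpectre pattern, and this turns that event into a ticket. For network-level detection (extension traffic to unknown domains) you still need the endpoint agent or DNS telemetry; the manifest cannot tell you where the code sends data.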

Building Your Extension Security Policy

Your policy should address several questions:

Who approves extensions? Define the process for adding extensions to the approved list. Security team review, risk assessment criteria, and approval workflows.

What permissions are acceptable? Extensions that request access to all URLs represent higher risk. Consider blocking or requiring additional justification for broad permissions.

How are exceptions handled? Some users may have legitimate needs for extensions outside the approved list. Define the exception process, including time limits and periodic reviews.

What happens during incidents? When a malicious extension is discovered in your environment, you need a response plan. Remote removal, credential rotation, and notification procedures.

How often do you review? The extension landscape changes rapidly. Quarterly reviews of approved extensions, permission audits, and policy updates should be standard.

What Auditors Will Ask

Prepare for questions about browser extension security during your next SOC 2 or ISO 27001 audit:

  1. Do you have a policy governing browser extension installation? Auditors want to see documented procedures.

  2. How do you inventory installed extensions? Demonstrate visibility across your device fleet.

  3. What controls prevent unauthorized extension installation? Show technical enforcement, not just policy.

  4. How do you respond to malicious extension discoveries? Evidence of incident response capabilities.

  5. Are extension permissions reviewed periodically? Prove ongoing management, not one-time setup.

If you're working toward compliance certification, address these gaps before your audit. Auditors increasingly view extension management as a standard endpoint security control.

The Bigger Picture

Browser extension security is part of the broader challenge of endpoint protection in SaaS environments. Your employees access customer data through browsers. Those browsers run third-party code that was granted broad access once, at install time, and is rarely reviewed again.

This doesn't mean banning all extensions. Many provide genuine productivity benefits. But treating extensions as trusted by default ignores the evidence of widespread abuse.

For SaaS companies handling sensitive customer data, extension security deserves the same attention as other endpoint controls. The DarkSpectre campaign infected 8.8 million browsers. The question isn't whether your organization has been affected by a malicious extension. The question is whether you'd know if it had.


Frequently Asked Questions

What can a malicious browser extension access?

Browser extensions with appropriate permissions can read all page content, capture form submissions, access cookies and local storage, and exfiltrate data to external servers. They operate within the browser's trusted context, making their activity difficult to distinguish from legitimate browsing.

What is DarkSpectre?

DarkSpectre is a threat actor responsible for 8.8 million browser infections across multiple malicious extension campaigns. The extensions provided legitimate functionality while secretly harvesting credentials and exfiltrating user data.

Which SOC 2 criteria cover browser extensions?

SOC 2 Common Criteria CC6.1 (logical access security), CC6.7 (restriction of data transmission and movement), and CC6.8 (unauthorized or malicious software) are the criteria most directly implicated, with CC6.2 and CC6.3 covering removal of access when roles change. Auditors increasingly expect organizations to demonstrate policies and technical controls governing browser extension installation and management.

Can a malicious extension bypass MFA?

Yes. Extensions that capture session tokens or OAuth access tokens provide attackers with authenticated access without triggering MFA prompts. The stolen tokens can be used from any location to impersonate the legitimate user until the session expires or is revoked.

How do I inventory the extensions installed across my organization?

Enterprise browser management (Chrome Enterprise, Edge for Business), MDM solutions (Jamf, Intune), and endpoint security tools can enumerate installed extensions. Bastion's endpoint security solution provides automated extension inventory and behavioral monitoring.


Bastion helps SaaS companies implement endpoint security controls that meet SOC 2 and ISO 27001 requirements. Our managed compliance services include extension policy development, technical implementation, and ongoing monitoring. Get started with Bastion →
