
How to Find and Remove Malicious Chrome Extensions (2026)

Last Updated: May 26, 2026. This guide was prepared against the April 2026 Socket research on 108 malicious Chrome Web Store extensions, Malwarebytes credential-theft reporting, and current AV-TEST / AV-Comparatives 2026 lab cycles.

If you opened Chrome this morning and your address bar still trusts every extension you installed last year, this guide is for you. On 13 April 2026 Socket's research team published an analysis of 108 Chrome Web Store extensions that were quietly stealing Google login tokens, reading Telegram sessions every 15 seconds, and injecting ads into pages users had never asked to monetise. Five publishers, one shared command-and-control infrastructure, around 20,000 installs across the whole cluster. That story landed alongside Malwarebytes' February 2026 write-up of a separate cluster where 30 extensions had reached 260,000-plus users using a full-screen iframe trick that slipped past Google's static review. Neither campaign required users to do anything reckless. Both ran on extensions that looked, on the Web Store page, completely ordinary. This article shows you how to audit what is running in your browser right now, how to remove a bad one without leaving artefacts behind, and what reliable security guidance looks like for this class of threat.

The April 2026 Chrome Extension Campaign: What Researchers Found

Socket's analysis, published 13 April 2026, traced the 108 extensions to five publisher accounts: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. The listings fell into five product categories — Telegram sidebar clients, slot-machine and Keno games, YouTube and TikTok "enhancers," text translation tools, and generic page utilities. Each category carried a slightly different payload. Fifty-four extensions tried to harvest Google identity tokens through the OAuth2 sign-in flow (which still requires the user to click an in-page "Sign in with Google" button). One Telegram add-on polled session data every 15 seconds, enough to hijack a logged-in Telegram Web session in real time when the victim had Telegram Web open. Two extensions stripped YouTube security headers and injected ads. Forty-five contained a universal backdoor that opened attacker-chosen URLs on browser start. Every payload pointed to the same shared C2 endpoint on Contabo VPS infrastructure that Socket attributed to a Russian malware-as-a-service operation. At the time of Socket's publication the extensions were still live on the Web Store; Socket reported that takedown requests had been submitted.

Malwarebytes' February 2026 piece described a separate and earlier wave that used a different technique entirely. The malicious code lived on a server controlled by the attacker — not in the extension package — so Google's static review missed it. The extension injected a remote iframe over the visited page and used the overlay as a fake login UI to capture credentials. LayerX, the original researcher behind that disclosure, counted 30 Chrome extensions and 260,000-plus users in the cluster. Other reporting on the same family (including Tom's Guide's coverage of AiFrame-style AI assistant extensions earlier in the cycle) put the affected install base at 260,000-plus to 300,000-plus depending on how broadly the cluster was drawn. Reports on r/chrome and r/techsupport from spring 2026 describe users finding extensions they did not install, often after another add-on quietly added a "helper" sibling.

How to check your Chrome extensions right now — step-by-step

Open chrome://extensions/ in the address bar. Switch on Developer mode in the top-right corner. Developer mode reveals each extension's ID — a 32-character string — and its installation source. Anything that says "Installed by enterprise policy" but isn't from your IT department deserves a hard look. Anything with no source attribution at all is worse.

Press Shift + Esc with Chrome focused. Chrome's built-in Task Manager opens. Sort by CPU and memory. A small extension idling at single-digit megabytes is normal. An extension consistently consuming over 100 MB or noticeable CPU when you are not actively using it — without an obvious reason like a background sync service or ad blocker — is worth investigating further. Memory use alone is not proof of malice, but it is a useful filter when combined with the permission checks below.

For each extension, click Details and read the Site access line. "On all sites" is the permission a credential stealer needs. If a calculator add-on has it, that is the answer. Check Permissions: look for "Read and change all your data on all websites", "Manage your downloads", "Read your browsing history", and "Identity (sign in to websites)". A flashlight extension does not need any of these.

Finally, cross-check the publisher. Click the extension name in chrome://extensions/, then View in Chrome Web Store. If the publisher's profile lists fewer than five extensions, was created in the last twelve months, and has no website, treat it as suspect. All five of the 2026 Russian-cluster publisher accounts Socket flagged matched that pattern.

If you also want to know exactly which Chrome profile you are inspecting (useful when you maintain separate profiles for work, personal, and family use), open chrome://version and copy the Profile Path line. That tells you which folder on disk to clean up later.

Red flags — how to spot a malicious extension before installing

Reviews are the easiest tell. A genuinely useful 200,000-user extension has hundreds of reviews spread over years. A malicious clone has a flood of five-star reviews all dated within a two-week window, often with identical phrasing. Read the lowest-rated reviews first — that is where the "this changed my homepage" and "I see ads I never saw before" complaints live.

Permission scope is the second tell. Chrome shows the full permission list before install. Anything that asks for "Read and change all your data on websites you visit" needs a reason. Password managers, ad blockers, and grammar checkers genuinely need it. Calculators, themes, weather widgets, and "tab managers" do not.

Publisher history is the third. Click the publisher name on the Web Store listing. A trustworthy publisher usually has a website, a privacy policy hosted on its own domain, and a back-catalogue. The April 2026 Russian campaign published under five names, none of which had a site older than the extensions themselves. That is a pattern, not a coincidence.

One more: ownership transfer. The Hacker News documented a March 2026 case where a clean Chrome extension was sold to a new owner and turned malicious within a release cycle. If you see a sudden permission expansion in an update prompt — that is the moment to remove it, not approve it.

5 categories of dangerous extensions in 2026

Fake productivity tools. PDF converters, screenshot helpers, and "AI assistant" add-ons made up the bulk of the AiFrame-style AI-assistant cluster Tom's Guide covered earlier this cycle, which various write-ups put at 260,000-plus to 300,000-plus installs. The pattern is identical across the cluster: real-looking icon, broad permissions, no real product behind it.

Translation and language helpers. Socket flagged a translation extension in the 108 that proxied every translation request through the attacker's server — meaning every page of text the user translated was also logged. The GhostPoster campaign Malwarebytes covered in January 2026 included "Google Translate in Right Click" by name.

Telegram and chat sidebars. The most aggressive payload in the Socket dataset was a Telegram sidebar that read live session data on a 15-second polling loop when Telegram Web was logged in. Anything that asks for access to a logged-in web app on a tight polling interval should not be installed.

Game and gambling-themed extensions. Slot machine and Keno game extensions in the Socket report carried the backdoor payload alongside the gambling UI. Chrome is not a games platform; extensions in this category exist almost entirely as malware wrappers.

Ad blockers and "Ultimate" anything. GhostPoster used names like "Ads Block Ultimate." Genuine ad blockers are a short list: uBlock Origin Lite, AdGuard, and a handful of vendor tools. Anything claiming to be a better, newer, or "ultimate" version of one of these is almost certainly a clone with extra permissions.

How to remove an extension and clean up its leftovers

In chrome://extensions/, click Remove next to the extension and confirm. This is necessary but not sufficient. Chrome leaves three categories of artefact behind.

1. The extension folder. Use the chrome://version Profile Path you noted earlier. Inside that folder, the Extensions subdirectory holds one folder per extension, named by its 32-character ID. Chrome usually deletes these on removal, but force-installed extensions and crashed uninstalls can leave them. Cross-reference the IDs against Socket's published list before deleting anything by hand. Close Chrome before touching this folder.

2. The Chrome Preferences file. In the same Profile folder, the Preferences file is plain JSON. Search for the extension ID. Stale references in the extensions and external_extensions blocks are how a removed extension occasionally re-enables itself after a restart.

3. Policy-installed extensions. Before going near the registry, open chrome://policy in Chrome. This page shows every policy currently applied to your browser — including extension force-install policies. If ExtensionInstallForcelist appears with entries you did not authorise, that is your culprit. On Windows you can then clear the source: open regedit and look at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist. Enterprise malware uses this key to reinstall an extension every time Chrome opens. Home users should not have anything in this key at all. Remove the entry and reboot. On macOS, the equivalent is a .plist under /Library/Managed Preferences/ — usually only present if a corporate MDM is in play.
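The manual checks from the audit section (site access, risky permissions, installation source) and the search of the Preferences file in step 2 above can be done in one pass over a copy of that JSON. The following Python is an added example written for this guide, not Chrome's or any vendor's code; it assumes the extensions.settings layout of recent Chrome builds (on Windows and macOS that block lives in the Secure Preferences file in the same profile folder), and the location enum values for policy installs and the sample profile are constructed.

```python
# Assumed Chromium ManifestLocation values for policy installs, plus the patterns the audit flags.
POLICY_LOCATIONS = {7: "policy download", 9: "external policy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {"identity", "cookies", "history", "downloads", "webRequest", "scripting"}

def audit_extensions(prefs: dict) -> dict[str, list[str]]:
    """Map every extension ID under extensions.settings to its list of red flags."""
    report = {}
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest, granted = entry.get("manifest") or {}, entry.get("granted_permissions") or {}
        # MV2 manifests list host patterns inside "permissions"; MV3 uses "host_permissions".
        declared = {p for key in ("permissions", "host_permissions") for p in manifest.get(key, [])}
        declared |= set(granted.get("api", [])) | set(granted.get("explicit_host", []))
        hosts = {p for p in declared if p in BROAD_HOSTS or "://" in p}
        apis = {p.split(".")[0] for p in declared - hosts} & RISKY_APIS
        flags = []
        if hosts & BROAD_HOSTS:
            flags.append("all-sites access")
        if apis:
            flags.append("risky APIs: " + ", ".join(sorted(apis)))
        if entry.get("location") in POLICY_LOCATIONS:
            flags.append("installed by " + POLICY_LOCATIONS[entry["location"]])
        if not manifest:
            flags.append("no manifest recorded: stale or partially removed entry")
        report[ext_id] = flags
    return report

def find_references(node, ext_id: str, path: str = "") -> list[str]:
    """Dotted JSON paths where ext_id occurs as a key or inside a string, anywhere in prefs."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            hits += ([child] if key == ext_id else []) + find_references(value, ext_id, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_references(value, ext_id, f"{path}[{i}]")
    elif isinstance(node, str) and ext_id in node:
        hits.append(path)
    return hits

# Constructed sample in the shape of a Chrome Preferences file; the IDs are placeholders, not real ones.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "manifest": {"permissions": ["storage"]}},
    "b" * 32: {"location": 9, "manifest": {"permissions": ["identity", "cookies"],
                                          "host_permissions": ["<all_urls>"]}},
    "c" * 32: {"state": 0}},
    "external_extensions": {"c" * 32: {"path": "removed"}}}}
```

Against a real profile, close Chrome, copy the Preferences (or Secure Preferences) file, and pass `json.load(open(copy_path, encoding="utf-8"))` to both functions; every path returned by find_references for a removed ID is a leftover to review.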

After cleanup, do these account-side steps from a known-clean device:

  • Sign out of all active sessions. In your Google Account at myaccount.google.com, go to Security → Your devices → Manage all devices and sign out of anything you do not recognise. This revokes session cookies the extension may have captured.
  • Revoke third-party app permissions. Same Google Account page, Security → Third-party apps with account access. Remove anything granted via OAuth that you do not recognise. The Socket dataset specifically targeted Google identity tokens, so an attacker who landed an OAuth token may still hold access until you revoke it here.
  • Terminate other Telegram sessions if you used Telegram Web. In Telegram, go to Settings → Devices → Terminate all other sessions. The Socket dataset's Telegram payload was session-token theft, so changing your password alone does not help.
  • Rotate passwords. Start with Google, then anything sensitive you logged into in the last 30 days using the affected browser. If you reused passwords across sites, change them everywhere.
  • Run a full antivirus scan. Cleaning the extension does not necessarily remove other payloads it may have introduced — see the next section.

What antivirus can and cannot do for browser-extension threats

Antivirus protects layers most browser-extension attacks do not touch directly. The big independent test labs measure that. AV-TEST's February 2026 Windows home-user cycle tested 16 consumer products against current malware (zero-day web and mail samples, prevalent malware, real-world infection scenarios). Bitdefender, Microsoft Defender, Norton, Kaspersky, and McAfee scored 6/6 on protection, performance, and usability; ESET scored 6/5.5/6 (AV-TEST). AV-Comparatives' Real-World Protection Test for February–March 2026 measured similar consumer products against live malicious URLs and reached comparable conclusions for the major paid suites (AV-Comparatives). AV-Comparatives notes explicitly that even a 100% score in that test does not mean a product blocks every web threat under every condition — it is a representative sample.

What this means for Chrome extensions specifically: a paid suite from any of the products above will catch a large share of malicious downloads, malicious URLs, and payloads that an extension drops to disk. None of the major vendors publish a public test that measures just extension-detection accuracy at the Chrome Web Store layer, so a category-leader claim there cannot be sourced from current public data. Treat antivirus as one layer of defence — strong on payload interception, downstream cleanup, and known-bad URL blocking — and the manual audit steps above as the layer that actually decides whether a Chrome extension stays on your machine.

Bitdefender ships TrafficLight as a free standalone browser extension that flags malicious sites it recognises, and Safepay as a hardened browser for banking that does not load any installed extensions at all — useful when you want a clean session. Norton 360 installs Safe Web in Chrome and blocks navigation to URLs on Norton's reputation list. ESET bundles Browser Protection in HOME Security Premium, focused on detecting credential-stealing scripts and banking-malware behaviours. Malwarebytes Browser Guard is free, runs alongside another antivirus, and blocks tracker and ad domains plus malicious URLs from Malwarebytes' threat feed.

If you want one paid product, Bitdefender and Norton are both defensible picks based on recent independent Windows protection tests; pair either with Malwarebytes Browser Guard for an extra browser-layer filter. If you want layered protection without paying twice, Malwarebytes Browser Guard plus Microsoft Defender is a reasonable free stack. For a ranked, side-by-side breakdown, see our Best Browser Security Tools hub. For a broader shortlist, see our best malware removal and best internet security hub pages.

Frequently Asked Questions

Are Chrome extensions safe if they're on the official Web Store?

Not automatically. Every campaign covered in this article was distributed through the official Chrome Web Store. Google's static review runs against the extension package; when the payload lives on a remote server the extension fetches at runtime — as in the LayerX iframe-overlay campaign Malwarebytes covered — the review can miss it.

Will resetting Chrome remove a malicious extension?

Chrome's Reset settings option disables extensions and clears settings, but it does not delete extension folders from your profile and does not remove enterprise-policy entries. For an extension installed via Group Policy you also need to clear the policy in chrome://policy and at its source (registry key on Windows, .plist on macOS).

How often should I audit my extensions?

Every three months is a reasonable baseline, plus any time Chrome behaves differently — new tabs opening, search results redirecting, ad density jumping. The March 2026 ownership-transfer case showed that an extension you trusted last year can be unsafe this year without you doing anything.

Do mobile Chrome browsers support extensions?

Chrome on Android does not support traditional extensions, so the threats in this article are desktop-only. iOS Chrome does not support extensions either. Mobile users still need to watch for malicious apps, but the Web Store campaigns described here do not affect them.

Does Incognito mode block malicious extensions?

Only for extensions that are not allowed to run in Incognito. By default extensions do not run in Incognito sessions, but many users opt them in for password managers and never disable that toggle later. Check chrome://extensions/ and turn off "Allow in Incognito" for anything you do not need there.

Should I trust extensions with millions of users?

Install count is a weak signal. The 108 Socket extensions had around 20,000 installs combined, while the LayerX/Malwarebytes cluster reached 260,000-plus. High install counts mean an extension acquired enough trust signal to spread, not that the code is safe. Permissions and publisher history matter more than the install number.

Chromebook user? Malicious extensions are one of the few real threats ChromeOS cannot sandbox away — see our best antivirus for Chromebook guide.