11 Chrome Extensions with Google Verified Badge Compromise Over 1.7 Million Users

A recent investigation has uncovered a major security incident involving at least 11 Chrome extensions, many bearing Google’s prestigious “verified” badge and featured placements, that covertly compromised over 1.7 million users.

These extensions, which offered legitimate features such as color pickers, emoji keyboards, and VPN proxies, were weaponized in a widespread campaign dubbed “RedDirection.”

The operation demonstrates how sophisticated threat actors are exploiting user trust and supply chain vulnerabilities in Chrome and Edge browser extension marketplaces.

Stealthy Malware Hidden in Trusted Tools

The initial focus was on “Color Picker, Eyedropper Geco colorpick,” an extension that for years operated legitimately and amassed over 100,000 installs and hundreds of positive reviews.

The extension’s status and professional functionality offered reassurance to users and security reviewers alike.

However, a recent update added malicious code that hijacked browser sessions, tracked every website visited, and established a persistent backdoor via a command-and-control infrastructure. Further analysis revealed that this pattern extended far beyond a single extension.

The RedDirection campaign, orchestrated by what appears to be a centralized threat actor, encompassed 18 different extensions across both Chrome and Edge stores, each masquerading as a helpful productivity or entertainment tool.

Extensions such as “Video Speed Controller,” “Volume Max,” “Unlock Discord – VPN Proxy,” and “Free Weather Forecast” all maintained their promised functionality while secretly surveilling user activity on every tab navigation.

Figure: The report page of “Video Speed Controller” as detected by ExtensionTotal’s risk engine

The method of compromise was particularly insidious. The malware was deployed through version updates, meaning millions of users who trusted these extensions experienced seamless, automatic infection without ever needing to interact with the extension post-install.

The malicious code tracked browsing activity, sending unique identifiers and URLs to remote servers, and could issue real-time redirects to phishing or malware-laden pages.

Scenarios included redirecting users attempting to join Zoom meetings to fake update pages or spoofing banking logins to harvest credentials.

Marketplace Trust Signals Turned Against Users

The RedDirection campaign underscores a fundamental breakdown in browser extension marketplace security.

Google and Microsoft’s review and verification processes failed to identify the threat, allowing malicious extensions to remain listed and, in some cases, promoted to users with verified badges and featured slots.

The attackers systematically exploited every trust signal on offer: verification, install counts, reviews, featured placement, and years of benign operation.

This supply chain attack hijacked the very credibility mechanisms browsers rely on to protect users.

According to the report, security researchers warn that this approach marks an escalation in threat actor sophistication, shifting from opportunistic attacks to strategic, long-term infiltration of the digital supply chain.

The campaign’s ability to lie dormant for long periods before activating its malicious payload enabled mass infection before detection.

Extension marketplaces, optimized for scale and frictionless updates, amplified the reach of the malware.

Users of affected extensions are urged to uninstall them immediately, clear browser data, and run comprehensive malware scans.

Enterprises are advised to reevaluate extension management policies and supplement marketplace review processes with dedicated security tooling.

The RedDirection campaign is a wake-up call for browser vendors and the broader software supply chain, exposing the urgent need for enhanced scrutiny, monitoring, and transparency in extension ecosystems.

Indicators of Compromise (IOCs)

Browser | Extension ID                     | Extension Name (Sample)
Chrome  | kgmeffmlnkfnjpgmdndccklfigfhajen | Emoji keyboard online — copy&past your emoji
Chrome  | dpdibkjjgbaadnnjhkmmnenkmbnhpobj | Free Weather Forecast
Chrome  | gaiceihehajjahakcglkhmdbbdclbnlf | Video Speed Controller — Video manager
Chrome  | mlgbkfnjdmaoldgagamcnommbbnhfnhf | Unlock Discord — VPN Proxy to Unblock Discord Anywhere
Chrome  | eckokfcjbjbgjifpcbdmengnabecdakp | Dark Theme — Dark Reader for Chrome
Chrome  | mgbhdehiapbjamfgekfpebmhmnmcmemg | Volume Max — Ultimate Sound Booster
Chrome  | cbajickflblmpjodnjoldpiicfmecmif | Unblock TikTok — Seamless Access with One-Click Proxy
Chrome  | pdbfcnhlobhoahcamoefbfodpmklgmjm | Unlock YouTube VPN
Chrome  | eokjikchkppnkdipbiggnmlkahcdkikp | Color Picker, Eyedropper — Geco colorpick
Chrome  | ihbiedpeaicgipncdnnkikeehnjiddck | Weather
Edge    | jjdajogomggcjifnjgkpghcijgkbcjdi | Unlock TikTok
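The following is an added example, not code from the article or from ExtensionTotal, showing how a defender can act on the IoC table above and on the uninstall and enterprise-policy advice earlier in the story. It checks local Chrome and Edge profile directories for any of the listed extension IDs (Chromium stores each installed extension under `<profile>/Extensions/<extension id>/<version>/`) and emits a managed-policy JSON fragment that blocks those IDs through the real `ExtensionInstallBlocklist` policy. The profile paths are assumptions for the current user on Linux, macOS and Windows; where to deploy the policy file is up to the administrator.

```python
import json
import os
from pathlib import Path

# IoC list copied from the table above: extension ID -> (browser, short name).
REDDIRECTION_IOCS = {
    "kgmeffmlnkfnjpgmdndccklfigfhajen": ("Chrome", "Emoji keyboard online"),
    "dpdibkjjgbaadnnjhkmmnenkmbnhpobj": ("Chrome", "Free Weather Forecast"),
    "gaiceihehajjahakcglkhmdbbdclbnlf": ("Chrome", "Video Speed Controller"),
    "mlgbkfnjdmaoldgagamcnommbbnhfnhf": ("Chrome", "Unlock Discord VPN Proxy"),
    "eckokfcjbjbgjifpcbdmengnabecdakp": ("Chrome", "Dark Theme"),
    "mgbhdehiapbjamfgekfpebmhmnmcmemg": ("Chrome", "Volume Max"),
    "cbajickflblmpjodnjoldpiicfmecmif": ("Chrome", "Unblock TikTok"),
    "pdbfcnhlobhoahcamoefbfodpmklgmjm": ("Chrome", "Unlock YouTube VPN"),
    "eokjikchkppnkdipbiggnmlkahcdkikp": ("Chrome", "Color Picker, Eyedropper"),
    "ihbiedpeaicgipncdnnkikeehnjiddck": ("Chrome", "Weather"),
    "jjdajogomggcjifnjgkpghcijgkbcjdi": ("Edge", "Unlock TikTok"),
}


def default_extension_dirs():
    """Best-effort list of '<profile>/Extensions' directories for the current
    user. The base paths below are assumptions about the usual install
    locations; adjust them for managed or portable installs."""
    home = Path.home()
    local_appdata = Path(os.environ.get("LOCALAPPDATA", ""))
    candidates = [
        home / ".config" / "google-chrome",
        home / ".config" / "microsoft-edge",
        home / "Library" / "Application Support" / "Google" / "Chrome",
        home / "Library" / "Application Support" / "Microsoft Edge",
        local_appdata / "Google" / "Chrome" / "User Data",
        local_appdata / "Microsoft" / "Edge" / "User Data",
    ]
    found = []
    for base in candidates:
        if not base.is_dir():
            continue
        # Each profile ("Default", "Profile 1", ...) has its own Extensions dir.
        for profile in base.iterdir():
            ext_dir = profile / "Extensions"
            if ext_dir.is_dir():
                found.append(ext_dir)
    return found


def match_ids(installed_ids):
    """Return the subset of installed extension IDs that appear in the IoC
    table, sorted. Kept as a pure function so it can be tested offline."""
    return sorted(ext_id for ext_id in installed_ids if ext_id in REDDIRECTION_IOCS)


def find_installed_iocs(extension_dirs):
    """Scan the given Extensions directories and return (dir, id, name)
    tuples for every IoC ID found installed."""
    hits = []
    for ext_dir in extension_dirs:
        ext_dir = Path(ext_dir)
        installed = [p.name for p in ext_dir.iterdir() if p.is_dir()]
        for ext_id in match_ids(installed):
            browser, name = REDDIRECTION_IOCS[ext_id]
            hits.append((str(ext_dir), ext_id, f"{browser}: {name}"))
    return hits


def blocklist_policy(ids=None):
    """Managed-policy fragment using Chromium's ExtensionInstallBlocklist.
    Chrome and Edge both honour this policy name; the file location
    (e.g. /etc/opt/chrome/policies/managed/ on Linux) is the admin's choice."""
    ids = sorted(REDDIRECTION_IOCS if ids is None else ids)
    return {"ExtensionInstallBlocklist": ids}


if __name__ == "__main__":
    hits = find_installed_iocs(default_extension_dirs())
    if hits:
        for ext_dir, ext_id, name in hits:
            print(f"FOUND {ext_id} ({name}) in {ext_dir}")
    else:
        print("No RedDirection extension IDs found in local profiles.")
    print(json.dumps(blocklist_policy(), indent=2))
```

Removing the extension directory is not a substitute for uninstalling it through the browser, because the profile's preferences still reference it; the scan is for triage, and the policy fragment prevents reinstallation on managed fleets.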


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
