Researchers have identified a new family of credential-stealing Chrome extensions in the Chrome Web Store, with 30 different extensions found stealing credentials from more than 260,000 users. The malicious extensions render a full-screen iframe pointing to a remote domain, overlaying the current webpage and visually mimicking the extension’s interface. Because this functionality was hosted remotely, it was not included in the Web Store review.
The attackers used a technique known as “extension spraying,” publishing what is essentially the same extension under different names and unique identifiers. For users, searching by name is easy in the Manage extensions tab, but extension names are not unique, so a legitimate extension could be impersonated.
The guide emphasises searching by the unique 32-character extension ID, which remains the same even if the extension is renamed or reshipped, and provides removal steps focused on extensions installed by the user from the Web Store, plus guidance on where the Windows Extensions folder is located. This advice appears in the Malwarebytes piece published on 13 February 2026.
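The ID-based search described above can be done against the Extensions folder directly. The following is an added example, not code from the Malwarebytes guide: it lists each installed extension by its 32-character ID, shows the name(s) its manifest declares, and flags any ID on a blocklist. The blocklist values are constructed placeholders, and the folder path is an assumption (the default Chrome profile location on Windows).

```python
import json
import os
import re
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed placeholder IDs; replace with the IDs from the published advisory.
BLOCKLIST = {"a" * 32, "abcdefghijklmnopabcdefghijklmnop"}


def manifest_name(version_dir: Path) -> str:
    """Return the 'name' field from manifest.json, or a marker if unreadable."""
    try:
        raw = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
        return str(json.loads(raw).get("name", "<no name>"))
    except (OSError, ValueError, AttributeError):
        return "<unreadable manifest>"


def audit_extensions(extensions_dir: Path, blocklist: set[str]) -> list[dict]:
    """List installed extensions by ID and flag any ID on the blocklist."""
    findings = []
    if not extensions_dir.is_dir():
        return findings
    for ext_dir in sorted(extensions_dir.iterdir()):
        if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
            continue  # skip temp folders and anything that is not an extension ID
        # Each installed version lives in its own subfolder with a manifest.
        versions = sorted(p for p in ext_dir.iterdir() if p.is_dir())
        names = sorted({manifest_name(v) for v in versions})
        # The match is on the folder name (the ID), never on the declared name.
        findings.append({"id": ext_dir.name, "names": names,
                         "flagged": ext_dir.name in blocklist})
    return findings


if __name__ == "__main__":
    # Assumed default profile path; other profiles sit beside "Default".
    root = (Path(os.environ.get("LOCALAPPDATA", ""))
            / "Google/Chrome/User Data/Default/Extensions")
    for f in audit_extensions(root, BLOCKLIST):
        mark = "REMOVE" if f["flagged"] else "ok"
        print(f"{mark:6} {f['id']}  {', '.join(f['names'])}")
```

A manifest name of the form `__MSG_...__` is a localisation key rather than the display name, which is one more reason to match on the ID.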