{“lastseen”:”2026-02-13T14:05:09″,”description”:”Researchers have found yet another family of malicious extensions in the Chrome Web Store. This time, 30 different Chrome extensions were found stealing credentials from more than 260,000 users. \\n\\nThe extensions rendered a full-screen iframe pointing to a remote domain. This iframe overlaid the current webpage and visually appeared as the extension\u2019s interface. Because this functionality was hosted remotely, it was not included in the review that allowed the extensions into the Web Store.\\n\\nIn other recent findings, we reported about extensions spying on ChatGPT chats, sleeper extensions that monitored browser activity, and a fake extension that deliberately caused a browser crash.\\n\\nTo spread the risk of detections and take-downs, the attackers used a technique known as \u201cextension spraying.\u201d This means they used different names and unique identifiers for basically the same extension.\\n\\nWhat often happens is that researchers provide a list of extension names and IDs, and it\u2019s up to users to figure out whether they have one of these extensions installed.\\n\\nSearching by name is easy when you open your \u201cManage extensions\u201d tab, but unfortunately extension names are not unique. You could, for example, have the legitimate extension installed that a criminal tried to impersonate.\\n\\n## Searching by unique identifier\\n\\nFor Chrome and Edge, a browser extension ID is a unique 32\u2011character string of lowercase letters that stays the same even if the extension is renamed or reshipped.\\n\\nWhen we\u2019re looking at the extensions from a removal angle, there are two kinds: those installed by the user, and those force\u2011installed by other means (network admin, malware, Group Policy Object (GPO), etc.).\\n\\nWe will only look at the first type in this guide\u2014the ones users installed themselves from the Web Store. The guide below is aimed at Chrome, but it\u2019s almost the same for Edge.\\n\\n### How to find installed extensions\\n\\nYou can review the installed Chrome extensions like this:\\n\\n * In the address bar type `chrome:\/\/extensions\/`.\\n * This will open the Extensions tab and show you the installed extensions by name.\\n * Now toggle **Developer mode** to on and you will also see their unique ID.\\n\\nDon\u2019t remove this one. It\u2019s one of the good ones.\\n\\n### Removal method in the browser\\n\\nUse the **Remove** button to get rid of any unwanted entries.\\n\\nIf it disappears and stays gone after restart, you\u2019re done. If there is no **Remove** button or Chrome says it\u2019s \u201cInstalled by your administrator,\u201d or the extension reappears after a restart, there\u2019s a policy, registry entry, or malware forcing it.\\n\\n### Alternative\\n\\nAlternatively, you can also search the Extensions folder. On Windows systems this folder lives here: `C:\\\\Users\\\\_\\u003c your\u2011username\\u003e_\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Extensions`. \\n\\nPlease note that the AppData folder is hidden by default. To unhide files and folders in Windows, open Explorer, click the **View** tab (or menu), and check the **Hidden items** box. For more advanced options, choose **Options \\u003e Change folder and search options \\u003e View tab**, then select **Show hidden files, folders, and drives**.\\n\\nChrome extensions folder\\n\\nYou can organize the list alphabetically by clicking on the **Name** column header once or twice. This makes it easier to find extensions if you have a lot of them installed.\\n\\nDeleting the extension folder here has one downside. It leaves an orphaned entry in your browser. When you start Chrome again after doing this, the extension will no longer load because its files are gone. But it will still show up in the Extensions tab, only without the appropriate icon.\\n\\nSo, our advice is to remove extensions in the browser when possible.\\n\\n## Malicious extensions\\n\\nBelow is the list of credential-stealing extensions using the iframe method, as provided by the researchers.\\n\\nExtension ID| Extension name \\n—|— \\nacaeafediijmccnjlokgcdiojiljfpbe| ChatGPT Translate \\nbaonbjckakcpgliaafcodddkoednpjgf| XAI \\nbilfflcophfehljhpnklmcelkoiffapb| AI For Translation \\ncicjlpmjmimeoempffghfglndokjihhn| AI Cover Letter Generator \\nckicoadchmmndbakbokhapncehanaeni| AI Email Writer \\nckneindgfbjnbbiggcmnjeofelhflhaj| AI Image Generator Chat GPT \\ncmpmhhjahlioglkleiofbjodhhiejhei| AI Translator \\ndbclhjpifdfkofnmjfpheiondafpkoed| Ai Wallpaper Generator \\ndjhjckkfgancelbmgcamjimgphaphjdl| AI Sidebar \\nebmmjmakencgmgoijdfnbailknaaiffh| Chat With Gemini \\necikmpoikkcelnakpgaeplcjoickgacj| Ai Picture Generator \\nfdlagfnfaheppaigholhoojabfaapnhb| Google Gemini \\nflnecpdpbhdblkpnegekobahlijbmfok| ChatGPT Picture Generator \\nfnjinbdmidgjkpmlihcginjipjaoapol| Email Generator AI \\nfpmkabpaklbhbhegegapfkenkmpipick| Chat GPT for Gmail \\nfppbiomdkfbhgjjdmojlogeceejinadg| Gemini AI Sidebar \\ngcfianbpjcfkafpiadmheejkokcmdkjl| Llama \\ngcdfailafdfjbailcdcbjmeginhncjkb| Grok Chatbot \\ngghdfkafnhfpaooiolhncejnlgglhkhe| AI Sidebar \\ngnaekhndaddbimfllbgmecjijbbfpabc| Ask Gemini \\ngohgeedemmaohocbaccllpkabadoogpl| DeepSeek Chat \\nhgnjolbjpjmhepcbjgeeallnamkjnfgi| AI Letter Generator \\nidhknpoceajhnjokpnbicildeoligdgh| ChatGPT Translation \\nkblengdlefjpjkekanpoidgoghdngdgl| AI GPT \\nkepibgehhljlecgaeihhnmibnmikbnga| DeepSeek Download \\nlodlcpnbppgipaimgbjgniokjcnpiiad| AI Message Generator \\nllojfncgbabajmdglnkbhmiebiinohek| ChatGPT Sidebar \\nnkgbfengofophpmonladgaldioelckbe| Chat Bot GPT \\nnlhpidbjmmffhoogcennoiopekbiglbp| AI Assistant \\nphiphcloddhmndjbdedgfbglhpkjcffh| Asking Chat Gpt \\npgfibniplgcnccdnkhblpmmlfodijppg| ChatGBT \\ncgmmcoandmabammnhfnjcakdeejbfimn| Grok \\n \\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2026-02-13T13:27:34″,”modified”:”2026-02-13T13:27:34″,”type”:”malwarebytes”,”title”:”How to find and remove credential-stealing Chrome extensions”,”source”:””,”references”:””,”id”:”MALWAREBYTES:FC65126BAE82747F6C3DA72FFBAD0830″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/how-to-find-and-remove-credential-stealing-chrome-extensions”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-13T14:05:09″,”description”:”Researchers have found yet another family of malicious extensions in the Chrome Web Store. This time, 30 different Chrome extensions were found stealing credentials from…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-40748","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n