Malicious Chrome extension service is bypassing Google’s review process and the usual safety advice no longer cuts it

Here is something that will make you think twice the next time you casually install a browser add-on: a threat actor operating under the alias “Stenli” (also styled as Stanley) has started selling a service that claims to guarantee a malicious Chrome extension will pass Google’s Chrome Web Store moderation and land in the official repository. The service is being marketed to other criminals, and it comes with a price tag of anywhere between $2,000 and $6,000.

This malicious Chrome extension service is not just a theoretical offering. Security research firm Varonis has published an in-depth analysis of how it works, and the technical capabilities it delivers are considerably more dangerous than a typical browser-based threat. The concern here goes well beyond an extension that quietly tracks what you browse. This one can effectively hijack what you see on screen while keeping the address bar looking completely legitimate.

How the attack actually works

If you are not deeply familiar with browser security, the mechanics of this attack are worth walking through carefully, because they are genuinely clever in a way that makes them hard to detect in practice.

When a victim installs the extension, it does not announce itself or do anything obviously suspicious. Instead, it waits for the user to navigate to certain websites, then covers the real page with a full-screen iframe. An iframe, for those unfamiliar with the term, is essentially a window-within-a-window that a webpage can display. In this case, the malicious extension uses the iframe to display a completely fabricated version of the site the user intended to visit.

The example Varonis used to illustrate this is Coinbase, the cryptocurrency exchange. A user types in the correct Coinbase address, the browser takes them to the right URL, and the address bar correctly shows the legitimate Coinbase domain. But what actually appears on screen is not the real Coinbase website. It is a spoofed replica, designed to capture whatever the user types into it, including their login credentials.

Because the address bar remains untouched, the usual advice of checking the URL to verify you are on the right site offers no protection here. The URL is right. The page is not. That is a meaningful distinction, and it is precisely the kind of gap that makes this malicious Chrome extension service so unsettling.

Push notifications make it even harder to spot

The credential-stealing iframe is already a serious problem, but the extension does not stop there. It can also send push notifications to the victim’s device, and these notifications appear to come directly from the Chrome browser itself, because technically that is what is sending them.

Push notifications from Chrome carry a level of implicit trust for most users. If your browser is telling you something, there is a reasonable assumption that it is legitimate system communication rather than an attacker piggybacking on the browser’s notification channel. The malicious Chrome extension service exploits exactly that trust, using browser-native notifications to reinforce the phishing attack and make it significantly harder for users to identify something is wrong.

The combination of a convincing spoofed page, a correct-looking address bar, and notifications that appear to originate from Chrome itself creates a layered deception that is genuinely difficult to detect without knowing specifically what to look for.

Why the standard advice is not good enough here

The most common piece of advice when it comes to browser extension security is to only install add-ons from the official Chrome Web Store, on the basis that Google’s review process filters out malicious software before it reaches users. That advice has always had limitations, but the existence of this service makes it explicitly inadequate.

Varonis was direct about this in their analysis, stating that the usual recommendation has become “insufficient” given that malware is now being commercially guaranteed passage through the very review process that advice relies upon. If a threat actor can pay a few thousand dollars and have a malicious extension successfully pass moderation and appear in the official store, an extension’s presence in that store is no longer a reliable signal of safety.

The price point of $2,000 to $6,000 is also worth considering in context. That is not an insurmountable cost for a criminal operation targeting cryptocurrency accounts, business credentials, or corporate banking systems. A single successful credential theft from the right target could easily recoup that investment many times over.

What enterprises and individual users should actually do

Given that the standard advice has been called out as insufficient, the question becomes what actually works.

For enterprises, Varonis recommends implementing strict allowlisting of browser extensions. Both Chrome Enterprise and Microsoft Edge for Business give IT administrators the ability to block all extensions by default, permitting only those that have been explicitly reviewed and approved by the organisation. This requires ongoing management. Approved lists need to be maintained, new requests from employees need to be evaluated, and exceptions need to be handled. But it closes the door on threats that slip through store moderation entirely, which is the only approach that addresses the root problem here.

For individual users who do not have the benefit of enterprise-level controls, the advice from Varonis is to periodically audit all installed extensions and remove anything that is not actively and regularly used. Every extension sitting unused is a potential attack surface that serves no practical purpose. Cutting down on installed extensions reduces the number of potential vectors an attacker can exploit.

Paying close attention to the permissions an extension requests during installation is also useful. Any extension asking for access to all websites or to browsing history should be treated as a red flag and scrutinised carefully before being allowed through. There are legitimate extensions that need broad permissions to function, but it is worth understanding why a specific extension needs those permissions before granting them.