A critical vulnerability affecting both Google Chrome and Microsoft Edge has led to urgent warnings for users to remove certain browser extensions. Discovered by Google’s Threat Analysis Group, this zero-day flaw, identified as CVE-2025-6554, allows attackers to perform arbitrary read/write operations via a specially crafted HTML page. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that government employees update their browsers by July 23, 2025.
In addition to this vulnerability, cybersecurity firms Koi Security, LayerX, and Symantec have flagged a more insidious threat stemming from popular extensions available in official browser stores. Koi Security recently identified a list of 18 extensions that pose significant risks, having been installed millions of times by users seeking functionality in areas like productivity and entertainment.
The identified extensions, which range from emoji keyboards to VPN proxies, have been marketed with legitimate-sounding features. Koi Security’s team emphasized that even extensions bearing Google’s verified badge and boasting over 100,000 installs can be deceptive, stating, “If you think a Chrome extension with Google’s verified badge, 100,000+ installs, 800+ reviews, and featured placement on the store is trustworthy? Think again.”
These extensions, while appearing harmless, are reportedly embedding tracking capabilities and hijacking functions that compromise user privacy. They leverage a common code base, which has allowed cybersecurity teams to uncover extensive networks of malicious add-ons in the past. Some of the flagged extensions have even achieved verified status across both the Chrome Web Store and Microsoft Edge Add-ons store, indicating a widespread security lapse.
Koi Security highlighted that the malicious software operates through external command and control servers, which gives the illusion of multiple operators. In reality, these extensions are controlled by a centralized attack infrastructure. As a precaution, Koi Security advises immediate action for users who may have installed these extensions. They recommend the following steps:
– Remove all affected extensions immediately from Chrome and Edge.
– Clear browser data to eliminate stored tracking identifiers.
– Conduct a full system malware scan to check for additional infections.
– Monitor accounts for any suspicious activity, particularly if sensitive sites were visited.
– Review all installed extensions for similar suspicious behavior.
The complete list of identified extensions includes:
**For Google Chrome:**
– kgmeffmlnkfnjpgmdndccklfigfhajen — Emoji Keyboard Online
– dpdibkjjgbaadnnjhkmmnenkmbnhpobj — Free Weather Forecast
– gaiceihehajjahakcglkhmdbbdclbnlf — Video Speed Controller
– mlgbkfnjdmaoldgagamcnommbbnhfnhf — Unlock Discord VPN Proxy
– eckokfcjbjbgjifpcbdmengnabecdakp — Dark Theme Reader
– mgbhdehiapbjamfgekfpebmhmnmcmemg — Ultimate Sound Booster
– cbajickflblmpjodnjoldpiicfmecmif — Unblock TikTok Proxy
– pdbfcnhlobhoahcamoefbfodpmklgmjm — Unlock YouTube VPN
– eokjikchkppnkdipbiggnmlkahcdkikp — Color Picker
**For Microsoft Edge:**
– jjdajogomggcjifnjgkpghcijgkbcjdi — Unlock TikTok
– mmcnmppeeghenglmidpmjkaiamcacmgm — Volume Booster
– ojdkklpgpacpicaobnhankbalkkgaafp — Web Sound Equalizer
– lodeighbngipjjedfelnboplhgediclp — Header Value
– hkjagicdaogfgdifaklcgajmgefjllmd — Flash Player Emulator
– gflkbgebojohihfnnplhbdakoipdbpdm — YouTube Unblocked
– kpilmncnoafddjpnbhepaiilgkdcieaf — SearchGPT
– caibdnkmpnjhjdfnomfhijhmebigcelo — Unlock Discord
While some of these extensions have been removed from stores, Koi Security reports that many remain accessible at the time of publication. Users are strongly encouraged to verify their installed extensions against this list to safeguard their online security.
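One way to carry out the check against the list, as an added example that is not code from Koi Security or from this article: it parses list lines in the format used above and looks for matching extension folders in every profile of a browser's `User Data` directory. The function names are hypothetical, the IDs in `demo()` are constructed placeholders, and the on-disk layout `<User Data>/<profile>/Extensions/<id>/<version>/` is assumed.

```python
import re
import tempfile
from pathlib import Path

# Chrome and Edge extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"\b([a-p]{32})\b")

def parse_flagged(text):
    """Map extension ID -> name from lines shaped like '<bullet> <id> <dash> <name>'."""
    flagged = {}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            # Drop the separator (\u2013 en dash, \u2014 em dash or hyphen) before the name.
            name = line[m.end():].strip(" \t\u2013\u2014-")
            flagged[m.group(1)] = name or "(unnamed)"
    return flagged

def scan_user_data(user_data_dir, flagged):
    """Return sorted (profile, ext_id, name, versions) for flagged IDs on disk.

    Assumes the layout <User Data>/<profile>/Extensions/<id>/<version>/.
    Unpacked (developer-mode) extensions live elsewhere and are not covered.
    """
    hits = []
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.is_dir() and ext_dir.name in flagged:
            versions = sorted(p.name for p in ext_dir.iterdir() if p.is_dir())
            profile = ext_dir.parent.parent.name
            hits.append((profile, ext_dir.name, flagged[ext_dir.name], versions))
    return sorted(hits)

def demo():
    """Scan a constructed profile tree; no real browser data is touched."""
    id_one, id_two, id_clean = "a" * 32, "abcdefghijklmnop" * 2, "p" * 32  # constructed IDs
    listing = (f"\u2013 {id_one} \u2014 Constructed Sample One\n"
               f"\u2013 {id_two} \u2014 Constructed Sample Two\n")
    with tempfile.TemporaryDirectory() as tmp:
        for profile, ext_id, version in [("Default", id_one, "1.0.0_0"),
                                         ("Default", id_clean, "2.1_0"),
                                         ("Profile 1", id_two, "3.4_0")]:
            (Path(tmp) / profile / "Extensions" / ext_id / version).mkdir(parents=True)
        return scan_user_data(tmp, parse_flagged(listing))

if __name__ == "__main__":
    for profile, ext_id, name, versions in demo():
        print(f"{profile}: {ext_id} ({name}) versions={versions}")
```

To run it for real, pass the flagged list above as the text for `parse_flagged` and point `scan_user_data` at the browser's `User Data` directory, which on Windows defaults to `%LOCALAPPDATA%\Google\Chrome\User Data` for Chrome and `%LOCALAPPDATA%\Microsoft\Edge\User Data` for Edge.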
