Google removed or disabled extensions affecting over 8.8 million Chrome users in coordinated malware campaigns between late 2024 and early 2026, according to reports from Koi Security, GitLab, and Cyberhaven. The Chrome Web Store now hosts roughly 111,933 extensions, down from a peak above 137,000, as Google tightened enforcement against malicious add-ons, affiliate fraud, and outdated Manifest V2 code. Roughly 350 million users still run extensions flagged as “security-noteworthy” by researchers, and 60% of all Chrome extensions have not received an update in the past 12 months.
Banned Chrome Extensions Key Statistics (2026)
- Over 5.8 million users were directly affected by documented malicious Chrome extensions in 2024-2025, according to multiple security firms.
- The DarkSpectre threat group’s three campaigns (ShadyPanda, GhostPoster, Zoom Stealer) collectively impacted 8.8 million users across Chrome, Edge, and Firefox.
- Chrome permanently disabled all remaining Manifest V2 extensions in Chrome 139, released July 2025.
- 73.4% of Chrome extensions had migrated to Manifest V3 by August 2025.
- 29 affiliate-fraud extensions targeting Amazon, AliExpress, and Walmart were identified in January 2026, replacing content creators’ referral links.
Banned Chrome Extensions Timeline: Major Incidents (2024-2026)
The wave of Chrome extension bans accelerated in late 2024 when Cyberhaven, a data-loss prevention company, discovered its own extension had been compromised through a developer phishing attack on December 24, 2024. That incident was part of a broader campaign that affected over 35 extensions and 2.6 million users. Attackers gained access by sending fake Chrome Web Store policy violation emails to developers, tricking them into granting OAuth permissions to malicious apps.
By February 2025, GitLab’s security team identified 16 more hijacked extensions, including emoji keyboards, ad blockers, and screen capture tools, reaching 3.2 million users before Google pulled them. These extensions actually performed their advertised functions while silently running malicious service worker code in the background.
In December 2025, the ShadyPanda operation was exposed by Koi Security. This campaign had been running for over seven years, with 20 malicious Chrome extensions and 125 on the Edge Add-ons store. Extensions that started as simple wallpaper tools in 2018 received silent updates years later that added data collection capabilities. The operation affected 4.3 million users across both browsers.
The Trust Wallet breach followed on December 24, 2025, when attackers compromised version 2.68 of the wallet’s Chrome extension through a leaked Chrome Web Store API key. That attack resulted in an estimated $7-8.5 million in cryptocurrency theft from 2,520 wallet addresses.
Banned Chrome Extensions by Category
Malicious extensions don’t fit a single profile. The most commonly blocked extensions in enterprise environments span several categories, from productivity tools and VPN apps to AI-powered assistants. Here’s how the documented bans break down by type.
| Extension Category | Users Affected | Primary Threat |
|---|---|---|
| Ad Blockers / Privacy Tools | 3.2M+ | Hijacked developer accounts |
| Productivity / Wallpaper | 4.3M+ | Sleeper malware (ShadyPanda) |
| VPN / Free Tools | 840K+ | Steganography payloads (GhostPoster) |
| AI Assistants | Unknown | Data exfiltration, token theft |
| Shopping / Coupon | 29 extensions | Affiliate link hijacking |
| Cryptocurrency Wallets | 2,520 wallets | Supply chain / API key compromise |
Manifest V3 Transition and Banned Chrome Extensions
Google’s Manifest V3 migration is the largest structural change to the Chrome extension platform since its launch. MV3 replaced the webRequest API with the more restrictive declarativeNetRequest API, limiting how extensions intercept and modify network requests. Google started disabling MV2 extensions for pre-stable Chrome users in June 2024 and completed the transition with Chrome 139 in July 2025.
As of August 2025, 73.4% of actively maintained extensions had migrated to MV3. That still left over 5,000 extensions on MV2, all of which were disabled or removed. The Chrome Web Store’s total extension count dropped from 137,000 to about 111,933, partly from this cleanup.
The migration hit ad blockers hardest. uBlock Origin, which had over 10 million Chrome users, was removed from the Chrome Web Store in late 2024 because it relies on MV2’s webRequest API for real-time request filtering. A reduced-functionality version, uBlock Origin Lite, grew from under 1 million users in mid-2024 to over 8 million by late July 2025. Adblock Plus saw its user count fluctuate between 37 million and 44 million during the same period.
Banned Chrome Extensions and AI-Powered Threats
Fake AI extensions have become a growing attack vector. In January 2026, the University of South Florida flagged two Chrome extensions impersonating AI tools: “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” and “AI Sidebar with Deepseek, ChatGPT, Claude, and more.” Both were stealing users’ full ChatGPT and DeepSeek conversation histories, search data, and browsing activity.
According to an Incogni study published in January 2026, 42% of AI-powered Chrome extensions require the “scripting” permission, which can affect up to 92 million users. Programming and math-related AI extensions posed the greatest privacy risk, collecting more data and requesting more permissions than any other category. About 31.4% of AI extensions collected website content data, and 29.2% gathered personally identifiable information.
Enterprise environments face particular pressure. A report from LayerX found that 20% of enterprise users had installed GenAI extensions, with 58% of those requesting high-criticality permissions that could bypass corporate access controls.
Banned Chrome Extensions: Supply Chain Attack Methods
The tactics used to compromise Chrome extensions have become more varied. The December 2024 Cyberhaven breach used developer account phishing through fake policy violation emails. But attackers have since expanded their playbook.
Koi Security identified that DarkSpectre’s ShadyPanda campaign operated for over five years before activating malicious payloads. GhostPoster used steganography, hiding JavaScript code inside PNG icon files bundled with the extensions. A phishing kit discovered in January 2026 was being sold for $6,000, with the seller guaranteeing that extensions built with it would pass Google’s Chrome Web Store review process.
Attackers are also buying legitimate extensions outright from their developers, then pushing malicious updates to the existing user base. This method avoids the need for phishing entirely and exploits the trust users have already placed in the original product.
Common Attack Vectors for Banned Chrome Extensions
| Attack Method | Example Campaign | Detection Difficulty |
|---|---|---|
| Developer phishing (OAuth) | Cyberhaven (Dec 2024) | Medium |
| Sleeper updates (years-long delay) | ShadyPanda (2018-2025) | High |
| Steganography in images | GhostPoster (2020-2025) | Very High |
| Extension marketplace purchase | Multiple (2025-2026) | High |
| API key compromise | Trust Wallet (Dec 2025) | Medium |
| Phishing kit-as-a-service | CWS bypass kit (Jan 2026) | Low (passed review) |
How to Check for Banned Chrome Extensions
Go to chrome://extensions/ in your address bar. Any disabled or flagged extension will appear at the top with a warning message. Remove extensions you don’t recognize or no longer use. Google recommends auditing installed extensions regularly and checking that each one has been updated within the past year.
Removal from the Chrome Web Store does not automatically uninstall a compromised extension from your browser. Users must manually remove flagged add-ons. Enterprise IT administrators can use Chrome’s managed extension policies to blocklist specific extension IDs across their organization.
FAQ
How many Chrome extensions were banned in 2024-2026?
Google removed dozens of extensions across multiple campaigns. The largest incidents affected over 35 extensions in December 2024, 16 in February 2025, and 29 affiliate-fraud extensions in January 2026.
Why was uBlock Origin removed from Chrome?
uBlock Origin depended on the Manifest V2 webRequest API. Google’s MV3 transition replaced this API, and uBlock Origin was removed from the Chrome Web Store in late 2024. A lighter version, uBlock Origin Lite, is still available.
How many users were affected by malicious banned Chrome extensions?
Over 8.8 million users were affected by the DarkSpectre campaigns alone. Combined with other documented incidents, the total exceeds 5.8 million in direct malware exposure during 2024-2025.
Are AI Chrome extensions safe to install in 2026?
Many AI extensions request high-risk permissions. An Incogni study found 42% require scripting access, and 29.2% collect personal data. Stick to well-known developers and check permissions before installing.
What is Manifest V3 and how does it affect banned Chrome extensions?
Manifest V3 is Google’s updated extension framework, fully enforced since Chrome 139 (July 2025). It restricts how extensions access web requests, which disabled thousands of MV2 extensions but also limited some legitimate ad-blocking tools.
