Why Browser Extensions Get Sold — and Turn Malicious


One of the most under-appreciated risks in browser security isn't a brand-new malicious extension — it's a trusted one that changes hands. You installed it years ago, it works fine, and then one day an auto-update turns it into adware or a tracker. You never clicked anything. Here's how it happens, and how to protect yourself.

The economics: your install base is the product

A popular extension with hundreds of thousands of users is valuable. Buyers approach independent developers — often by email — and offer to purchase the extension outright. For a solo developer maintaining a free tool in their spare time, the offer can be hard to refuse. Once ownership transfers, the new owner controls the auto-update channel that pushes code to every existing user. That's the asset they paid for: silent write access to all those browsers.

What the new owners do

  • Inject ads or affiliate links into the pages you visit.
  • Track and sell your browsing history.
  • Insert tracking or malware that exfiltrates data.

Because the update arrives through the official store, it carries the trust the original developer earned — until users notice, report it, and the store eventually removes it. By then the damage is done.

Real cases

The Great Suspender

A hugely popular extension that suspended inactive tabs to save memory, with millions of users. In mid-2020 it was sold to an unknown party. The new owner added tracking and the ability to execute remote code. In February 2021, Google removed it from the Chrome Web Store and forcibly disabled it for users. A trusted productivity tool became a liability through nothing more than a change of ownership.

Nano Adblocker & Nano Defender

Also in 2020, these popular ad-blocking extensions were sold to new developers. Researchers found the updated versions sending user data to remote servers. They were pulled from the store, but not before the malicious updates reached users.

How to protect yourself

  1. Audit your installed extensions periodically. Remove anything you no longer use — every extension is attack surface.
  2. Watch for behaviour changes after updates. Sudden ads, new permissions, or a different feel are warning signs.
  3. Read recent reviews. Users are usually first to flag "this turned into adware after the update".
  4. Prefer extensions with stable, identifiable ownership and a track record of consistent updates from the same publisher.
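
The "new permissions" warning sign in step 2 can be checked mechanically by diffing an extension's manifest.json before and after an update. The script below is an added example, not part of the original article or of any tool it describes; the two manifests, the extension name "Tab Helper" and the SENSITIVE list are constructed for illustration.

```python
import json

# Constructed sample manifests: one hypothetical extension before and after an update.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Tab Helper", "version": "1.4.0",
  "permissions": ["tabs", "storage"],
  "host_permissions": [],
  "content_scripts": [{"matches": ["https://example.com/*"], "js": ["cs.js"]}]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Tab Helper", "version": "1.5.0",
  "permissions": ["tabs", "storage", "webRequest", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js", "a.js"]}]
}""")

# Assumption: a short, reviewer-chosen list of API permissions worth a closer look.
SENSITIVE = {"webRequest", "cookies", "history", "scripting", "debugger", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _access(manifest):
    """Collect API permissions, host patterns and content-script files."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    scripts = set()
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))  # pages the extension injects code into
        scripts |= set(cs.get("js", []))
    return perms, hosts, scripts

def diff_manifests(old, new):
    """Return what the new version can reach that the old one could not."""
    (old_p, old_h, old_s), (new_p, new_h, new_s) = _access(old), _access(new)
    added_perms, added_hosts = new_p - old_p, new_h - old_h
    return {
        "added_permissions": sorted(added_perms),
        "added_hosts": sorted(added_hosts),
        "added_content_scripts": sorted(new_s - old_s),
        "sensitive": sorted(added_perms & SENSITIVE),
        "broad_host_access": sorted(added_hosts & BROAD_HOSTS),
    }

if __name__ == "__main__":
    print(json.dumps(diff_manifests(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

To use it on a real extension, load the manifest.json from a saved copy of the previous version and from the current one in place of the two constructed samples. An empty result does not clear an update, since code can change without any manifest change.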

How we track this

Ownership stability is part of our Maintenance & Ownership pillar. When we have evidence that an extension changed hands or was removed from a store, we surface it prominently on its profile and in our policy & permission alerts and removed & compromised extensions tracker — so a quiet change of owner doesn't stay quiet. Read more about how to vet an extension, or check one now with our safety checker.