Microsoft pulls Edge extensions due to malware
Microsoft pulled 119 Edge add-ons that worked for years, then turned on their users. Time to clean out the extensions you forgot you had.
Microsoft just pulled 119 extensions from the Edge add-on store, all tied to one campaign its researchers named StegoAd. The extensions were the kind people install without thinking twice. Ad blockers, VPNs, translators, video downloaders, calculators, coupon finders. Each one did the job it advertised, collected real reviews, and sat in the store for years. Between them they reached up to 2.6 million installs. Then, after a built-in delay, some of them woke up and started stealing Google passwords and the sign-in codes meant to protect them.
The trick that names the campaign is steganography, hiding code inside a file that looks like an ordinary picture. The nefarious instructions were tucked into the image and font files the extension came with. The extension pulled that code out and ran it, but only after it had been installed for a while. A scanner checking the extension sees a translator and some images. The harmful part is not there to catch until the moment it runs.
That delay was deliberate. Microsoft says the payload held back for days, checked whether it was being watched, and went dormant if developer tools were open. On some versions it only fired for about one in ten installs. So the 2.6 million is a ceiling, not a count of victims, and Microsoft does not know how many people were actually hit. What it does know: the same code that ran ad fraud in the background could harvest WordPress logins and grab your Google credentials at the moment you signed in.
Microsoft ties StegoAd to a group it has tracked since at least 2021, the same operation researchers have linked to two earlier waves of poisoned extensions. The company removed all 119 and suspended more than 90 of the developer accounts behind them. It also published the technical fingerprints so Chrome, Firefox, and other browsers can check for the same thing.
The advice we all repeat is to only install from the official store and check the reviews first. Both of those failed here. These came from the official Edge store. They had real reviews from real people who installed a coupon finder that found coupons and never saw the rest. Reviews tell you whether a tool works. They cannot tell you what else it is doing in the background, or what it will start doing after an update six months from now.
Getting better at spotting a bad extension at install time will not save you. You probably can't tell. The better habit is to treat the extensions you already have like a junk drawer and clean it out. Most of us have a dozen in there, half we don't remember adding. Each one is a small program that can read what is on your screen, and you are trusting it to stay friendly indefinitely.
A few steps you can take this week:
- Open your extensions list. In Edge, type edge://extensions in the address bar. In Chrome, it's chrome://extensions. You'll see everything installed, including the ones you forgot about.
- Remove anything you don't actively use. If you can't remember why it's there or what it does, take it out. You can always add it back later.
- Check the survivors against Microsoft's list. Microsoft published the full list of bad extension IDs in its report. If one you kept is on that list, or Edge already removed one for you, treat that browser as exposed.
- If you were exposed, change the passwords that matter. Google first, then anything you bank or shop with, then any site where you run a website. After that, check your account's recent sign-in activity for logins you don't recognize.
- Move your important accounts to a passkey or security key. This malware grabbed text-message and app codes as people typed them, so a code-based second factor would not have stopped it. A passkey or a physical security key works differently. There is nothing to type and nothing to hand over. That is what makes it worth setting up on the accounts you most want to keep.
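For anyone checking more than one profile or machine, the "check the survivors against Microsoft's list" step can be scripted. The sketch below is an added example, not code from Microsoft's report: it assumes you have saved the published extension IDs to a text file, one per line, and that the browser uses the standard Chromium layout of `<User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json`. The IDs in `demo()` are constructed placeholders, not real indicators.

```python
import json
import re
import tempfile
from pathlib import Path

EXT_ID = re.compile(r"[a-p]{32}")  # Chromium extension IDs: 32 letters, a-p only

def load_blocklist(text):
    """One ID per line; '#' comments, blanks and malformed entries are skipped."""
    tokens = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {t for t in tokens if EXT_ID.fullmatch(t)}

def manifest_name(ext_dir):
    """Best-effort display name from any version folder's manifest.json."""
    for manifest in sorted(ext_dir.glob("*/manifest.json"), reverse=True):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue
        if isinstance(data, dict) and data.get("name"):
            return str(data["name"])  # may be a "__MSG_...__" locale placeholder
    return "(unreadable manifest)"

def flag_listed(user_data_dir, blocklist):
    """Return sorted (profile, ext_id, name) for installed IDs on the blocklist."""
    hits = []
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.is_dir() and ext_dir.name in blocklist:
            hits.append((ext_dir.parent.parent.name, ext_dir.name, manifest_name(ext_dir)))
    return sorted(hits)

def demo():
    """Build a constructed two-profile tree and scan it with constructed IDs."""
    bad, good = "a" * 32, "b" * 32          # placeholders, not real indicators
    blocklist = load_blocklist(f"# constructed list\n{bad}  # sample\nnot-an-id\n")
    with tempfile.TemporaryDirectory() as root:
        for profile, ext_id, name in [("Default", good, "Notes"),
                                      ("Default", bad, "Coupon Finder"),
                                      ("Profile 1", bad, "Coupon Finder")]:
            vdir = Path(root, profile, "Extensions", ext_id, "1.0.0_0")
            vdir.mkdir(parents=True)
            (vdir / "manifest.json").write_text(json.dumps({"name": name}))
        return flag_listed(root, blocklist)

if __name__ == "__main__":
    for profile, ext_id, name in demo():
        print(f"{profile}: {ext_id}  {name}")
```

To scan a real machine, pass the browser's User Data folder (on Windows, Edge normally keeps it under `%LOCALAPPDATA%\Microsoft\Edge\User Data`) to `flag_listed` along with the set returned by `load_blocklist`. It only sees extensions still on disk, so an extension Edge has already removed will not show up here.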
This doesn't mean extensions are bad, or that you need to strip your browser bare. The good ones save real time, and most developers are honest. The problem is that the store listing and the star rating, the two things we're told to trust, are exactly what a patient attacker can earn. Microsoft caught this one after it ran for years. It's the same patience behind the fake update pop-ups police took down last week. The next batch is already in there somewhere, working perfectly, waiting.
Sources
- Microsoft Edge Vulnerability Research, "Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign" (2026).
- Malwarebytes, "119 Edge extensions promised useful tools, instead downloaded malware" (2026).
- The Hacker News, "Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts" (2026).