Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
NEWS

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

Security researchers at Island discovered that 'Adblock for YouTube,' a Chrome extension with over 10 million installs and a Featured badge, contains a...

Dylan H.

News Desk

June 25, 2026
3 min read

A widely trusted Chrome browser extension has been found to contain a pre-wired remote code execution backdoor sitting dormant in over 10 million browsers — waiting for a single server-side configuration change to activate it.

The Extension

Adblock for YouTube (Chrome Web Store ID: cmedhionkhpnakcndndgjdbohmhepckk) is a popular ad-blocking extension carrying Google's "Featured" badge, indicating it meets elevated quality and trust standards. It has accumulated more than 10 million installs. Researchers at browser security firm Island discovered the hidden capability during a routine extension audit.

What Was Found

Buried within the extension is a custom scriptlet rule named trusted-create-element. According to Island's analysis, this rule provides "the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change — without an extension update and without triggering any store review."

In practice, this means the extension's operator could silently push a configuration change to all 10 million installed instances, enabling the injection of arbitrary <script> elements on any page the user visits — all without distributing a new version of the extension or triggering any Chrome Web Store security review.

What a Malicious Activation Could Do

If the dormant payload were activated, threat actors could use it to:

  • Steal credentials and session tokens from any website
  • Exfiltrate sensitive data from banking portals, admin panels, and corporate SaaS apps
  • Impersonate users across personal and work accounts
  • Execute arbitrary JavaScript in the context of any page, including internal enterprise applications

A Pattern of Malicious Siblings

The discovery doesn't exist in isolation. Three related extensions — Adblock for Chrome, Adblock for You, and AdBlock Suite — were previously removed from the Chrome Web Store for actively distributing malware, suggesting the same developer network has a history of weaponizing browser extensions.

Current Status

At the time of reporting, the payload in Adblock for YouTube remains dormant — it has not been activated against users. Island researchers contacted the developer directly. Google has not issued a public statement, and the extension remains available in the Chrome Web Store.

What Users Should Do

  • Remove Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk) from Chrome immediately
  • Audit all installed browser extensions — especially those with broad host permissions (<all_urls>) or scriptlet rule capabilities
  • Prefer extensions from well-known, audited organizations with transparent codebases
  • Enterprise administrators should review browser extension policies and consider allowlisting approaches for managed devices

Broader Implications

This incident highlights a structural weakness in the browser extension ecosystem: a "Featured" badge provides a false sense of security. Extensions with millions of installs and trusted branding can still carry server-activatable payloads that entirely bypass the Chrome Web Store review process. The attack surface is not the code published to the store — it is the remote configuration the code obeys.

#Google#Chrome#Browser Security#Malware#Extensions

Related Articles

Fake Perplexity Extension on Chrome Web Store Tracked Searches and Harvested Browsing Data

A malicious extension masquerading as the Perplexity AI answer engine was discovered on the Chrome Web Store, intercepting search traffic and collecting...

3 min read

Chrome 148 Update Patches 151 Vulnerabilities Including Critical RCE Flaws

Google has released Chrome 148 with patches for 151 security vulnerabilities, including critical-severity flaws that could allow remote code execution....

4 min read

Google Fixes Fourth Chrome Zero-Day Exploited in Attacks in 2026

Google has patched the fourth Chrome zero-day vulnerability actively exploited in attacks this year, a use-after-free flaw in the Dawn graphics engine...

5 min read
Back to all News