Researchers have found yet another family of malicious extensions in the Chrome Web Store. This time , 30 different Chrome extensions were found stealing credentials from more than 260,000 users. The extensions rendered a full-screen iframe pointing to a remote domain. This iframe overlaid the current webpage and visually appeared as the extension’s interface. Because this functionality was hosted remotely, it was not included in the review that allowed the extensions into the Web Store. In other recent findings, we reported about extensions spying on ChatGPT chats , sleeper extensions that monitored browser activity , and a fake extension that deliberately caused a browser crash . To spread the risk of detections and take-downs, the attackers used a technique known as “extension spraying.” This means they used different names and unique identifiers for basically the same extension. What often happens is that researchers provide a list of extension names and IDs, and it’s up to users to figure out whether they have one of these extensions installed. Searching by name is easy when you open your “Manage extensions” tab, but unfortunately extension names are not unique. You could, for example, have the legitimate extension installed that a criminal tried to impersonate. Searching by unique identifier For Chrome and Edge, a browser extension ID is a unique 32‑character string of lowercase letters that stays the same even if the extension is renamed or reshipped. When we’re looking at the extensions from a removal angle, there are two kinds: those installed by the user, and those force‑installed by other means (network admin, malware, Group Policy Object (GPO), etc.). We will only look at the first type in this guide—the ones users installed themselves from the Web Store. The guide below is aimed at Chrome, but it’s almost the same for Edge. How to find installed extensions You can review the installed Chrome extensions like this: In the address bar type chrome://extensions/ . This will open the Extensions tab and show you the installed extensions by name. Now toggle Developer mode to on and you will also see their unique ID. Don’t remove this one. It’s one of the good ones. Removal method in the browser Use the Remove button to get rid of any unwanted entries. If it disappears and stays gone after restart, you’re done. If there is no Remove button or Chrome says it’s “Installed by your administrator,” or the extension reappears after a restart, there’s a policy, registry entry, or malware forcing it. Alternative Alternatively, you can also search the Extensions folder. On Windows systems this folder lives here: C:\Users\ <your‑username> \AppData\Local\Google\Chrome\User Data\Default\Extensions . Please note that the AppData folder is hidden by default. To unhide files and folders in Windows, open Explorer, click the View tab (or menu), and check the Hidden items box. For more advanced options, choose Options > Change folder and search options > View tab , then select Show hidden files, folders, and drives . Chrome extensions folder You can organize the list alphabetically by clicking on the Name column header once or twice. This makes it easier to find extensions if you have a lot of them installed. Deleting the extension folder here has one downside. It leaves an orphaned entry in your browser. When you start Chrome again after doing this, the extension will no longer load because its files are gone. But it will still show up in the Extensions tab, only without the appropriate icon. So, our advice is to remove extensions in the browser when possible. Malicious extensions Below is the list of credential-stealing extensions using the iframe method, as provided by the researchers. Extension ID Extension name acaeafediijmccnjlokgcdiojiljfpbe ChatGPT Translate baonbjckakcpgliaafcodddkoednpjgf XAI bilfflcophfehljhpnklmcelkoiffapb AI For Translation cicjlpmjmimeoempffghfglndokjihhn AI Cover Letter Generator ckicoadchmmndbakbokhapncehanaeni AI Email Writer ckneindgfbjnbbiggcmnjeofelhflhaj AI Image Generator Chat GPT cmpmhhjahlioglkleiofbjodhhiejhei AI Translator dbclhjpifdfkofnmjfpheiondafpkoed Ai Wallpaper Generator djhjckkfgancelbmgcamjimgphaphjdl AI Sidebar ebmmjmakencgmgoijdfnbailknaaiffh Chat With Gemini ecikmpoikkcelnakpgaeplcjoickgacj Ai Picture Generator fdlagfnfaheppaigholhoojabfaapnhb Google Gemini flnecpdpbhdblkpnegekobahlijbmfok ChatGPT Picture Generator fnjinbdmidgjkpmlihcginjipjaoapol Email Generator AI fpmkabpaklbhbhegegapfkenkmpipick Chat GPT for Gmail fppbiomdkfbhgjjdmojlogeceejinadg Gemini AI Sidebar gcfianbpjcfkafpiadmheejkokcmdkjl Llama gcdfailafdfjbailcdcbjmeginhncjkb Grok Chatbot gghdfkafnhfpaooiolhncejnlgglhkhe AI Sidebar gnaekhndaddbimfllbgmecjijbbfpabc Ask Gemini gohgeedemmaohocbaccllpkabadoogpl DeepSeek Chat hgnjolbjpjmhepcbjgeeallnamkjnfgi AI Letter Generator idhknpoceajhnjokpnbicildeoligdgh ChatGPT Translation kblengdlefjpjkekanpoidgoghdngdgl AI GPT kepibgehhljlecgaeihhnmibnmikbnga DeepSeek Download lodlcpnbppgipaimgbjgniokjcnpiiad AI Message Generator llojfncgbabajmdglnkbhmiebiinohek ChatGPT Sidebar nkgbfengofophpmonladgaldioelckbe Chat Bot GPT nlhpidbjmmffhoogcennoiopekbiglbp AI Assistant phiphcloddhmndjbdedgfbglhpkjcffh Asking Chat Gpt pgfibniplgcnccdnkhblpmmlfodijppg ChatGBT cgmmcoandmabammnhfnjcakdeejbfimn Grok We don’t just report on threats—we remove them Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today .