TL;DR: Malicious browser extensions are increasingly used to compromise employee browsers by abusing legitimate installs, update channels, and store trust checks, according to Push Security. Existing IAM and endpoint controls often miss this browser-level identity layer, so allowlisting, inventory, and change monitoring now matter more than static review alone.
NHIMG editorial — based on content published by Push Security: Detect risky and malicious extensions and block them from running in employee browsers
By the numbers:
- The Chrome extension store alone has in excess of 100k extensions with a wide range of use cases.
Questions worth separating out
Q: What breaks when malicious browser extensions are not governed properly?
A: What breaks is the assumption that browser trust is fixed at install time.
Q: Why do browser extensions increase identity and access risk?
A: Browser extensions sit inside the authenticated browser session, so they can observe or influence access without a separate login.
Q: How do security teams decide which browser extensions to allow?
A: Start with a live inventory, then review install count, publisher trust, ownership history, permissions, deployment method, and whether the extension has been unlisted or recently updated.
Practitioner guidance
- Inventory every extension in use: build a live list of extension name, ID, version, permissions, deployment method, and which employees and browsers have it installed.
- Block known-bad extensions by default: configure enforcement so reported malicious extensions are disabled rather than merely observed, and make sure the control also blocks store access where possible.
- Prune the allowlist continuously: review ownership changes, install counts, and permission changes on a regular cadence so previously acceptable extensions do not remain trusted after their risk profile shifts.
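A minimal drift check that ties the three steps together, added here as an illustration and not Push Security's code: it compares a reviewed allowlist against a later live inventory and flags ownership changes, new permissions, unlisting, and version drift, then derives an allow/block/re-review verdict. The `Extension` fields, the sample allowlist and snapshot, and the `review` and `verdict` functions are this example's own assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Extension:  # field names are this example's assumptions, not Push Security's schema
    ext_id: str
    version: str
    publisher: str
    permissions: frozenset
    listed: bool = True  # still listed in the store?

# Constructed sample: the allowlist as reviewed when each extension was approved.
APPROVED = {
    "aaaa": Extension("aaaa", "1.2.0", "Acme Tools", frozenset({"storage"})),
    "bbbb": Extension("bbbb", "3.0.1", "Vendor B", frozenset({"tabs"})),
    "dddd": Extension("dddd", "2.0.0", "Vendor D", frozenset({"storage"})),
}
# Constructed sample: a later live inventory pulled from managed browsers.
SNAPSHOT = {
    "aaaa": Extension("aaaa", "1.3.0", "NewOwner LLC", frozenset({"storage", "cookies", "<all_urls>"})),
    "bbbb": Extension("bbbb", "3.0.1", "Vendor B", frozenset({"tabs"}), listed=False),
    "cccc": Extension("cccc", "0.9.0", "Unknown", frozenset({"webRequest"})),
    "dddd": Extension("dddd", "2.1.0", "Vendor D", frozenset({"storage"})),
}

def review(approved, snapshot):
    """Return {ext_id: [reasons]} for every installed extension whose risk profile shifted."""
    findings = {}
    for ext_id, cur in snapshot.items():
        base = approved.get(ext_id)
        reasons = []
        if base is None:
            reasons.append("not on allowlist")
        else:
            if cur.publisher != base.publisher:
                reasons.append(f"ownership changed: {base.publisher} -> {cur.publisher}")
            if added := cur.permissions - base.permissions:
                reasons.append("new permissions: " + ", ".join(sorted(added)))
            if not cur.listed:
                reasons.append("unlisted from store")
            if cur.version != base.version:
                reasons.append(f"version drift: {base.version} -> {cur.version}")
        if reasons:
            findings[ext_id] = reasons
    return findings

def verdict(ext_id, findings, known_bad=frozenset()):
    """Block known-bad, unapproved and trust-changing extensions; version-only drift is re-reviewed."""
    reasons = findings.get(ext_id, [])
    if ext_id in known_bad or any(not r.startswith("version") for r in reasons):
        return "block"
    return "re-review" if reasons else "allow"
```

Run `review` on each inventory pull and feed the verdicts to whatever enforces the allowlist; the re-review bucket is what keeps the pruning step from becoming a one-time exercise.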
What's in the full article
Push Security's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step browser extension visibility settings and admin console workflow
- Detailed controls for Monitor versus Block modes and how detections are classified
- Guidance on connecting extension detections into SIEM, SOAR, REST API, and webhooks
- Practical browser-sync and profile management tips for mixed work and personal usage
👉 Read Push Security's guide to managing malicious browser extensions →
Browser extension risk management: are your controls keeping up?
Explore further
Browser extension governance is an identity problem, not just a software inventory problem. Extensions operate inside authenticated sessions and can act on behalf of the user without receiving separate identity events. That means the control plane has to see more than install state, because ownership change, update drift, and browser sync can all alter risk after approval. Practitioner conclusion: extension governance belongs in the same conversation as session security and browser-based access control.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to the 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: What should teams do when extension syncing crosses work and personal profiles?
A: Treat synced browser profiles as a boundary issue, not a convenience setting. If a personal profile can sync extensions into a work browser, separate the profiles, reduce syncing where possible, and review whether browser access is being inherited across devices that do not share the same security posture.
👉 Read our full editorial: Malicious browser extensions expose a browser identity gap