TL;DR: A persistent campaign of malicious “free” VPN and ad-blocking extensions has amassed more than 9 million installs across past variants, used remote configuration, navigation interception, and proxy control to redirect traffic and exfiltrate browsing data, according to LayerX Security. Browser extension trust is now an identity and access problem, not just a user-choice problem.
NHIMG editorial — based on content published by LayerX Security: RolyPoly VPN, the malicious free VPN extension campaign
By the numbers:
- Two of the extensions were available in the Chrome Web Store for nearly six years before removal in May 2025.
Questions worth separating out
Q: How should security teams control risky browser extensions in the enterprise?
A: Treat browser extensions as governed access software, not lightweight add-ons.
Q: Why do browser extensions with proxy access increase identity risk?
A: Because they operate inside the authenticated browser session and can observe or alter traffic after login.
Q: What breaks when extension behaviour can change after store review?
A: Static approval breaks down because the reviewed code is no longer the whole control surface.
Practitioner guidance
- Inventory and classify browser extensions: Build an enterprise inventory of installed extensions by user, device, and browser, then classify each extension by permission set, outbound connectivity, and business justification.
- Block high-risk extension patterns at the policy layer: Restrict installation of proxy-capable, ad-blocking, and VPN extensions unless they are explicitly approved.
- Monitor for proxy and preference tampering: Alert on PAC file changes, browser preference edits, extension disable events, and new outbound configuration fetches from extension domains.
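The first two guidance items above (inventory and classify by permission set and host scope, then block proxy-capable extensions at the policy layer unless approved) can be turned into a small tool. The following is an added example, not code from LayerX Security or NHIMG: it classifies extension manifests by traffic-intercepting permissions and broad host scope, optionally reads them from a Chrome profile's Extensions directory, and emits a Chrome `ExtensionSettings` policy. The sample manifests, extension IDs and the approved list are constructed for illustration; the policy keys (`installation_mode`, `blocked_permissions`, `allowed_permissions`, `blocked_install_message`) are the ones defined by Chrome's enterprise `ExtensionSettings` policy.

```python
"""Added example (not LayerX's or NHIMG's code): classify installed browser
extensions by permission set and host scope, then emit a Chrome
ExtensionSettings policy that blocks proxy-capable extensions unless approved.
All manifests and IDs below are constructed for illustration."""
import json
import os
from typing import Dict, List, Tuple

# Manifest permissions that let an extension observe or rewrite traffic from
# inside the authenticated browser session (real Chrome permission names).
TRAFFIC_PERMISSIONS = {
    "proxy": "can set a PAC script or fixed proxy for all browser traffic",
    "webRequest": "can observe requests after login",
    "webRequestBlocking": "can modify or cancel requests in flight",
    "declarativeNetRequest": "can install redirect/block rules dynamically",
    "declarativeNetRequestWithHostAccess": "redirect rules across granted hosts",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests; the IDs are placeholders, not real extensions.
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "aaaa-freevpn-sample": {
        "name": "Free VPN (sample)", "manifest_version": 3,
        "permissions": ["proxy", "storage", "declarativeNetRequest", "webRequest"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbb-notes-sample": {
        "name": "Notes (sample)", "manifest_version": 3,
        "permissions": ["storage"],
    },
    "cccc-corp-proxy-sample": {
        "name": "Corporate proxy client (sample)", "manifest_version": 3,
        "permissions": ["proxy"],
        "host_permissions": ["<all_urls>"],
    },
}
# Hypothetical business-justified allow list maintained by the security team.
APPROVED = {"cccc-corp-proxy-sample"}


def classify(ext_id: str, manifest: dict, approved: set) -> Tuple[str, List[str]]:
    """Return (risk, reasons). 'high' = traffic-capable permission plus broad
    host scope; 'medium' = one of the two; 'low' = neither; 'approved' = on
    the allow list (reasons are still reported for the inventory)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 style
    traffic = perms & TRAFFIC_PERMISSIONS.keys()
    broad = hosts & BROAD_HOSTS
    reasons = [f"{p}: {TRAFFIC_PERMISSIONS[p]}" for p in sorted(traffic)]
    if broad:
        reasons.append("broad host scope: " + ", ".join(sorted(broad)))
    if ext_id in approved:
        return "approved", reasons
    if traffic and broad:
        return "high", reasons
    if traffic or broad:
        return "medium", reasons
    return "low", reasons


def scan_profile_dir(extensions_dir: str) -> Dict[str, dict]:
    """Read manifest.json from <id>/<version>/ under a Chrome profile's
    Extensions directory (the layout Chrome uses). Returns {} if absent."""
    found: Dict[str, dict] = {}
    if not os.path.isdir(extensions_dir):
        return found
    for ext_id in os.listdir(extensions_dir):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):  # last version wins
            mpath = os.path.join(ext_path, version, "manifest.json")
            if os.path.isfile(mpath):
                with open(mpath, encoding="utf-8") as fh:
                    found[ext_id] = json.load(fh)
    return found


def inventory_report(manifests: Dict[str, dict], approved: set) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every extension in the inventory."""
    return {ext_id: classify(ext_id, m, approved) for ext_id, m in manifests.items()}


def extension_settings_policy(approved: set) -> dict:
    """Chrome ExtensionSettings policy: any extension may install, but one that
    requests traffic-intercepting permissions is blocked unless its ID is on
    the approved list, where those permissions are explicitly allowed."""
    policy = {"*": {
        "installation_mode": "allowed",
        "blocked_permissions": ["proxy", "webRequest", "webRequestBlocking", "declarativeNetRequest"],
        "blocked_install_message": "Traffic-intercepting extensions require security approval.",
    }}
    for ext_id in sorted(approved):
        policy[ext_id] = {"installation_mode": "allowed",
                          "allowed_permissions": ["proxy", "webRequest"]}
    return policy


if __name__ == "__main__":
    for ext_id, (risk, why) in inventory_report(SAMPLE_MANIFESTS, APPROVED).items():
        print(f"{ext_id}: {risk} ({'; '.join(why) or 'no traffic-capable permissions'})")
    print(json.dumps(extension_settings_policy(APPROVED), indent=2))
```

Point `scan_profile_dir` at a profile's `Extensions` directory to replace the constructed manifests with a real inventory; the policy dictionary is what would be pushed through Chrome enterprise management as the `ExtensionSettings` value.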
What's in the full article
LayerX Security's full blog covers the operational detail this post intentionally leaves for the source:
- The extension metadata table with IDs, install history, support domains, and removal status for each variant.
- The code-path breakdown showing method hijacking, PAC script behaviour, dynamic rules, and service-worker persistence.
- The full IOC list, including support domains and extension IDs, for investigation and blocking workflows.
- The remediation checklist for user devices, browser profiles, and enterprise network controls.