TL;DR: A persistent campaign of malicious “free” VPN and ad-blocking extensions has amassed more than 9 million installs across past variants, used remote configuration, navigation interception, and proxy control to redirect traffic and exfiltrate browsing data, according to LayerX Security. Browser extension trust is now an identity and access problem, not just a user-choice problem.
NHIMG editorial — based on content published by LayerX Security: RolyPoly VPN, the malicious free VPN extension campaign
By the numbers:
- Two of the extensions were available in the Chrome Web Store for nearly six years before removal in May 2025.
Questions worth separating out
Q: How should security teams control risky browser extensions in the enterprise?
A: Treat browser extensions as governed access software, not lightweight add-ons.
Q: Why do browser extensions with proxy access increase identity risk?
A: Because they operate inside the authenticated browser session and can observe or alter traffic after login.
Q: What breaks when extension behaviour can change after store review?
A: Static approval breaks down because the reviewed code is no longer the whole control surface.
Practitioner guidance
- Inventory and classify browser extensions: Build an enterprise inventory of installed extensions by user, device, and browser, then classify each extension by permission set, outbound connectivity, and business justification.
- Block high-risk extension patterns at the policy layer: Restrict installation of proxy-capable, ad-blocking, and VPN extensions unless they are explicitly approved.
- Monitor for proxy and preference tampering: Alert on PAC file changes, browser preference edits, extension disable events, and new outbound configuration fetches from extension domains.
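As an added example of the inventory and policy steps above (not LayerX Security's or NHIMG's code), a small Python classifier that maps Chrome-style extension manifests to a risk level and flags proxy-capable or traffic-intercepting extensions for explicit approval. The sample manifests are constructed for illustration, and the permission categories are the author's own grouping, not a vendor list.

```python
# Added example, not LayerX Security's or NHIMG's code; sample manifests are constructed.
TRAFFIC_PERMS = {"webRequest", "webRequestBlocking", "webNavigation",
                 "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
SETTINGS_PERMS = {"privacy", "management", "contentSettings", "browsingData"}

def host_patterns(manifest):
    """Host patterns from MV3 host_permissions plus MV2 patterns mixed into permissions."""
    hosts = set(manifest.get("host_permissions", []))
    return hosts | {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}

def is_broad(pattern):
    """True for patterns that match every site: <all_urls>, *://*/*, https://*/*."""
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")

def classify(manifest):
    """Return a risk level plus the permission facts that justify it."""
    perms = set(manifest.get("permissions", []))
    broad = sorted(h for h in host_patterns(manifest) if is_broad(h))
    traffic = sorted(perms & TRAFFIC_PERMS)
    settings = sorted(perms & SETTINGS_PERMS)
    reasons = []
    if "proxy" in perms:
        reasons.append("proxy: can install PAC scripts or fixed proxies")
    if traffic:
        reasons.append("traffic interception: " + ", ".join(traffic))
    if settings:
        reasons.append("browser settings control: " + ", ".join(settings))
    if broad:
        reasons.append("broad host access: " + ", ".join(broad))
    # Proxy control, or interception on every site, lets an extension redirect traffic inside the session.
    level = "high" if "proxy" in perms or (traffic and broad) else "medium" if reasons else "low"
    return {"name": manifest.get("name", "?"), "level": level, "reasons": reasons}

def needs_approval(manifest, allowlist=()):
    """Policy: high-risk extensions are blocked unless explicitly allowlisted by name."""
    return classify(manifest)["level"] == "high" and manifest.get("name") not in allowlist

SAMPLES = [  # constructed for illustration, not real extensions
    {"name": "Free VPN Sample", "permissions": ["proxy", "storage", "webNavigation",
     "declarativeNetRequest"], "host_permissions": ["<all_urls>"]},
    {"name": "Ad Blocker Sample", "permissions": ["webRequest", "webRequestBlocking", "*://*/*"]},
    {"name": "Site Helper Sample", "permissions": ["webNavigation"], "host_permissions": ["https://*.example.com/*"]},
    {"name": "Notes Sample", "permissions": ["storage"]},
]

for m in SAMPLES:
    r = classify(m)
    print(f"{r['name']}: {r['level']} ({'; '.join(r['reasons']) or 'no risky permissions'})")
```

Feed it real manifests read from each user's extension directories, and route anything `needs_approval` returns True for into the allowlisting workflow.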
What's in the full article
LayerX Security's full blog covers the operational detail this post intentionally leaves for the source:
- The extension metadata table with IDs, install history, support domains, and removal status for each variant.
- The code-path breakdown showing method hijacking, PAC script behaviour, dynamic rules, and service-worker persistence.
- The full IOC list, including support domains and extension IDs, for investigation and blocking workflows.
- The remediation checklist for user devices, browser profiles, and enterprise network controls.
👉 Read LayerX Security's analysis of the malicious free VPN extension campaign →
Free VPN extensions: what browser teams need to block and monitor?
Explore further
Browser extensions have become an access governance problem, not a simple endpoint hygiene problem. When an extension can see every navigation event, alter proxy behaviour, and change its own rules remotely, it is operating inside the trust boundary that IAM teams care about. That means session protection, extension allowlisting, and browser telemetry now sit alongside traditional identity controls. Practitioners should treat extension permissions as access grants with blast radius, not as convenience settings.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.
A question worth separating out:
Q: Who is accountable when a browser extension intercepts corporate traffic?
A: Accountability sits with the organisation that allowed the extension into the managed environment and with the teams that own browser policy, endpoint governance, and identity controls. NIST Cybersecurity Framework 2.0 helps frame that responsibility through identify, protect, detect, respond, and recover, but operational ownership must be explicit.
👉 Read our full editorial: Malicious free VPN extensions show how browser trust gets abused