Meeting enhancement extensions reviewed: security analysis, privacy risks & safer alternatives
18 Chrome, Firefox, and Edge meeting extensions with 2.2M installs secretly harvested corporate meeting data. Here's what they did and how to check yours.
If you have any Zoom-related extension installed right now, read this before your next meeting.
In early 2026, security researchers uncovered 18 browser extensions collectively installed across 2.2 million Chrome, Firefox, and Edge browsers — all of them silently harvesting corporate meeting data. The largest, Chrome Audio Capture, had over 800,000 users alone. Every single one of these extensions worked exactly as advertised. That was the point.
Quick verdict
- Extensions reviewed: 18 meeting-enhancement extensions including Chrome Audio Capture and similar tools in the same campaign
- Risk level: High — real-time data exfiltration during every meeting you joined
- What was taken: Meeting URLs with embedded passwords, attendee names, job titles, company affiliations, speaker bios, scheduled times
- Current status: All 18 removed from Chrome Web Store, Firefox Add-ons, and Edge Add-ons
- Bottom line: These specific extensions are gone, but the meeting-helper category remains high-risk. Audit what you have installed.
What these extensions claimed to do
The Zoom Stealer extensions weren't obviously malicious. Chrome Audio Capture, the campaign's flagship, was a functional audio recording tool. It captured system audio during screen recordings and video calls. Users left positive reviews. It solved a real problem people actually had.
That functional cover was the whole strategy. According to Koi Security researchers, as reported by BleepingComputer, these extensions were built to be genuinely useful tools — accumulating large install bases, earning trust, and then harvesting data in the background with no indication visible to users.
The 18 extensions collectively targeted 28+ video-conferencing platforms: Zoom, Microsoft Teams, Google Meet, Cisco WebEx, GoToWebinar, ON24, Demio, and more. If any of these were installed when you joined a meeting on those platforms, your meeting data was being collected in real time.
BleepingComputer and cyberinsider.com, citing Koi Security's research, attribute this campaign to a threat actor called DarkSpectre — allegedly the same actor behind two other large-scale extension campaigns (GhostPoster and ShadyPanda), which researchers claim affected a combined 8.8 million users across all three operations. The same attribution was independently re-reported by The Hacker News and SC Media; the underlying findings have not yet been validated by an independent third-party audit or government agency.
Security analysis: what they needed vs. what they did
Meeting enhancement extensions need real permissions to do their jobs. That's what makes this category tricky — a legitimate Zoom audio tool and a surveillance tool can request nearly identical permissions.
Typical permissions in this extension category:
tabs— to detect when you're on a conferencing platformstorage— to save settings between sessionswebRequestordeclarativeNetRequest— to observe network activity- Content script access to conferencing platform domains
- Microphone access via WebRTC APIs for audio capture
None of these would immediately fail a Chrome Web Store review. All are plausible for the stated use case.
What Koi Security researchers documented — per BleepingComputer's reporting — is that the extensions used those permissions to open persistent WebSocket connections to Firebase Realtime Database instances, masked behind domains like zoomcorder.com. In real time, during your meetings, they shipped out:
- Meeting URLs with embedded join passwords
- Meeting IDs, topics, and descriptions
- Scheduled times and registration status
- Speaker names, job titles, bios, and profile photos
- Company affiliations of every attendee
That's not a passive data leak. That's a live corporate intelligence feed running in the background while you're negotiating a deal or discussing your roadmap. You can check any extension's declared permissions before installing it at catalog.extenshi.io — it's a fast first step, even if permissions alone don't capture everything.
Privacy score breakdown
What makes DarkSpectre stand out is the kind of data targeted. Most extension-based malware goes after credentials or browsing history. The Zoom Stealer campaign went after meeting intelligence: who's attending, what their roles are, what companies they work for, and when and where the meeting is happening.
| Factor | DarkSpectre extensions | Typical meeting tool |
|---|---|---|
| Data collected | Meeting intel, attendee directory | Minimal or none |
| Data destination | Third-party Firebase instances | Local or user-controlled |
| Network behavior | Persistent WebSocket exfiltration | On-demand API calls |
| Obfuscation | Yes — disguised domains | No |
| Transparency | None | Privacy policy stated |
The potential uses for that data aren't hard to imagine: targeted phishing using actual meeting context, competitive intelligence, impersonation of meeting organizers, or tracking corporate activity over time. "This isn't consumer fraud — this is corporate espionage infrastructure," Koi Security researchers told BleepingComputer.
Koi Security researchers attribute the campaign to a China-linked threat actor based on several indicators they documented: infrastructure allegedly hosted on Alibaba Cloud, ICP registrations reportedly pointing to Hubei Province, and Chinese-language strings in the extension code. Alibaba Cloud has not publicly responded to these findings, and the attribution has not been independently confirmed by any government agency or court ruling.
The bigger pattern: functional extensions as the perfect cover
The problem runs deeper than just these 18 extensions. Most security advice focuses on "watch for suspicious permissions." But Chrome Audio Capture had permissions that were entirely reasonable for a legitimate audio recording tool.
This is the core difficulty with the extensions threat model: the permissions system tells you what an extension can do, not what it will do. An extension with tabs access can use it to display a tab counter — or it can use it to detect when you're on a Zoom call and start exfiltrating data. Same permission, completely different behavior.
I've covered the zero-permission malware dropper problem before — extensions with almost no declared permissions that can still be weaponized. Zoom Stealer is the other side of that coin: extensions with entirely justified permissions, abused anyway.
The only reliable signal is behavioral: what network connections does an extension actually make at runtime? That level of monitoring isn't realistic for most individuals. Extenshi's catalog at catalog.extenshi.io surfaces permission data and store history for extensions — a useful starting point, though full behavioral analysis requires deeper tooling.
Safer alternatives for meeting recording and enhancement
The good news: you probably don't need a third-party extension for most meeting recording needs.
Built-in platform recording is the safest option. Zoom, Google Meet, Microsoft Teams, and Cisco WebEx all offer native recording. For Zoom, hosts control recording permissions; for Meet, you need a Google Workspace account. Data stays within your existing cloud provider under your existing access policies.
Native AI transcription is now available on paid Zoom (AI Companion) and Teams (Copilot) plans. The transcription runs server-side within your organization's tenant — not in a third-party database sitting behind a domain you've never heard of.
If you genuinely need a third-party tool: Consider desktop apps over browser extensions. Tools like Otter.ai, Fireflies.ai, and Fathom run as standalone applications, not as browser extensions. They still need microphone access, but they don't sit inside your browser with access to every tab and network request. The attack surface is meaningfully smaller.
Before installing any meeting extension — third-party or otherwise — scan it at catalog.extenshi.io to review its permissions and check for any prior security reports.
Final recommendation
The 18 DarkSpectre extensions are gone from extension stores. But the takeaway isn't about those 18 specifically — it's about the category.
Meeting helper extensions sit at an uncomfortable intersection: they require broad permissions, they run during your most sensitive conversations, and a malicious one can quietly build a corporate intelligence database from your daily calls without any visible symptom. The same qualities that make them useful make them dangerous when abused.
My call: remove any meeting-related extension you haven't consciously verified. Use your conferencing platform's built-in recording and transcription. If you can't, choose a standalone desktop application over a browser extension.
If you want to see what meeting-related extensions you currently have installed and what permissions they hold, start at catalog.extenshi.io.
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
Proton VPN extension review: security score, privacy analysis & safer alternatives
Fake Proton VPN extensions hit Chrome Web Store in 2026. Here's how to verify you have the real Proton VPN, what permissions it needs, and safer alternatives.
Ad blocker extensions reviewed: Stands AdBlocker, Poper Blocker & safer alternatives
Some ad blockers that sell your data are among the most installed on Chrome. LayerX flagged 12 — here's the breakdown of the worst and safer 2026 alternatives.
Grammarly vs QuillBot extension review: privacy score, data collection & safer alternatives
Incogni's 2026 study flags Grammarly and QuillBot as high-risk AI extensions. Privacy analysis, permission breakdown, and safer alternatives for 2026.