Back to articles

Zero-permission malware droppers: how to check if any of your extensions can be weaponized

LayerX Labs showed any browser extension — even ones with no permissions — can silently modify your downloads to deliver malware. Here's how to stay safe.

Maxim Kosterin
8 min read

There's a moment that happens when you install a browser extension. Chrome shows you a list of permissions. Maybe it's "Read and change data on websites you visit." Maybe it's nothing at all. You squint, decide it looks clean, and click Add.

That permission check is the main security signal most people use to decide if an extension is safe. And according to research published on March 3, 2026 by LayerX Labs, it's not enough — not for this class of attack.

The finding that reframes extension risk

LayerX Labs demonstrated that any browser extension — including ones with no declared permissions — can be silently modified to intercept and backdoor executable file downloads. The attack uses content scripts, which can modify the content of web pages without requiring any additional special permissions beyond what most extensions already have.

Here's the mechanism: when you download an executable file from a website, a compromised extension running as a content script can intercept that download and append attacker-controlled payload code to the binary. The original application still installs and runs correctly. The malicious payload rides along invisibly, and can establish persistence, exfiltrate data, enable remote access, or do anything else the attacker embedded.

LayerX Labs researcher Iyar Segev described the scope of the problem clearly: "Any extension, including previously legitimate ones, could introduce this behavior in an update, and users would have no reliable signal that anything had changed."

That last part is what makes this research significant. It's not just about spotting a rogue extension before you install it. The attack is fully viable as an update — an extension that was completely clean on the day you installed it can become a malware dropper in any subsequent silent update.

Why your permission review doesn't help here

The conventional advice around extension security goes: read the permissions before installing, be skeptical of anything asking for broad access, and remove extensions you don't use. That advice is still worth following. But it doesn't address the vulnerability LayerX described.

Content scripts are a standard part of how browser extensions work. They run in the context of web pages — that's how extensions can modify what you see on screen, highlight text, inject UI elements, or redirect links. The manifest declares which sites the content script runs on, but there's no dedicated permission flag that signals "this extension intercepts downloads." The attack blends into completely normal extension behavior.

The update angle compounds the problem. Chrome and Firefox update extensions silently in the background by default. You don't see a permission review for extension updates the same way you do for initial installs. An extension's permissions can even change with an update without triggering a re-review prompt, depending on how the change is scoped.

Both Google and Mozilla were notified of the findings. Google's response, according to LayerX Labs' analysis, was that "social engineering attacks are out of scope for the Chrome threat model." Mozilla noted that extensions granted website access can modify content including download link destinations. Neither company has announced changes to the permission model in response to this research, as of March 9, 2026.

Reporting their positions here, not editorializing about them — building a complete threat model for the extension ecosystem is a genuinely hard problem. But for users and enterprise IT teams making day-to-day decisions, the practical takeaway is straightforward: the browser's install-time warning system won't catch this.

Why the attack is particularly hard to detect

Most defenses in a browser security context are watching network traffic. Your VPN, proxy, or firewall monitors what goes where across the network. The LayerX attack bypasses these defenses completely.

The download happens through a legitimate domain — maybe a software vendor's CDN, maybe GitHub releases, maybe your company's internal file server. The extension modifies the file locally, after it arrives. There's no suspicious outbound connection carrying the malicious payload. The only artifact is a modified binary sitting in your downloads folder, and that only looks unusual if you're already checking.

Endpoint detection tools have a better shot at catching this — if they're watching for unexpected binary modifications or anomalous process behavior when the modified executable runs. But most individual users aren't running behavioral endpoint security, and many smaller organizations aren't either.

Who this matters most for

Individual users who install a lot of extensions are the obvious target group. If you've got 20+ extensions and couldn't confidently describe what each one does, you've got attack surface you're not monitoring. You can see the full list of what's installed in your browser's extensions manager — Chrome is chrome://extensions, Firefox is about:addons.

Enterprise environments face a different version of the problem. Software downloads are routine in any managed environment: patch installers, internal tools, vendor-provided utilities. In that context, a compromised extension that backdoors executables is a stealthy initial access vector that's invisible to perimeter defenses and bypasses download reputation systems. The Keep Aware 2026 State of Browser Security Report found that 13% of enterprise browser extensions carry high or critical risk — and that's based only on declared permissions. Behavioral attack surface likely exceeds that.

If your organization doesn't currently enforce an extension allowlist, this research is a reasonable prompt to revisit that decision.

How to reduce your risk

No single action fully eliminates this threat class. What you can do is shrink your attack surface, add monitoring, and build habits that catch problems before they become incidents.

Audit and cut your extension count. Every extension you have installed is a potential vector, especially as they update over time. Go through your list and remove anything you haven't actively used in the past few weeks. Be ruthless. A productivity extension you installed two years ago and haven't touched since is a liability, not an asset. You can view what's installed across your browsers at catalog.extenshi.io for a cleaner overview.

Watch for ownership changes. An extension that recently changed hands is one to treat with fresh skepticism. This isn't hypothetical — the QuickLens hijack earlier in 2026 followed exactly this pattern: a legitimate extension changed ownership, the new owner pushed a malicious update, and users had no signal anything was wrong. Extenshi tracks signals like these in its catalog.

Treat extension updates with the same skepticism as initial installs. For extensions that have broad page access — especially ones you depend on in sensitive workflows — consider periodically checking the extension's changelog or web store listing for changes. Chrome extensions typically show a "Last updated" date in their store listing. A recently-updated extension with no obvious reason to update is worth a second look.

For personal machines: minimize extensions with broad page access. An extension that runs on every page you visit has the widest possible surface for this attack. If you need a productivity tool, check whether a version with narrower site permissions is available. The Chrome Web Store listing shows the permissions an extension requests — compare with what a narrow-access alternative would need.

For enterprise IT: enforce an extension allowlist. Chrome for Enterprise and Microsoft Edge for Business both support allowlist policies that prevent employees from installing extensions outside an approved set. Extensions on the allowlist are ones you've reviewed. Extensions outside it don't install. It's the highest-confidence control available against this class of attack, and it has the useful side effect of reducing general extension sprawl.

For enterprise IT: deploy behavioral monitoring. Tools like LayerX's enterprise browser agent, CrowdStrike's extension monitoring module, and similar platforms can flag when an extension's behavior changes after an update — which is the trigger point for this attack. Static permission scanning alone won't catch it, but behavioral analysis has a shot.

What Extenshi can show you

Extenshi scans extensions in its catalog for declared permissions, data collection behaviors, and signals like recent update activity and ownership changes. For individual users, it's a practical way to get a clearer picture of what your extension portfolio is actually doing — the Chrome and Firefox extension manager pages don't surface much of this.

A scan won't detect an in-progress download-modification attack, to be direct about that. What it does is surface the extensions most likely to be risky based on declared capabilities, recent update patterns, and catalog data. That gives you a prioritized list of what to audit or remove before something goes wrong.

Run a scan on your installed extensions at catalog.extenshi.io. Extensions that declare broad content script access across all URLs will appear with elevated risk indicators — and that's exactly the capability class that makes this attack possible.

Scan your extensions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles