Most extensions are fine. The dangerous ones share a handful of tells. Here's how to spot them in under two minutes, before you click "Add to Chrome".
"Just install it from the official store" stopped being good advice. In February 2026, researchers found 30 extensions stealing credentials from more than 260,000 users. A separate report identified 287 extensions quietly shipping users' browsing history to data brokers, together holding 37.4 million installs, roughly 1% of all Chrome users. Several of these had sat in the Chrome Web Store for years, rated and reviewed, looking normal.
The store does screen submissions, but screening isn't perfect and an extension can turn malicious after it's approved, through an automatic update or a change of ownership. So the job falls to you for two minutes per install. The seven flags below are what to look at.
### 1. Permissions that outstrip the job

This is the single most useful test. A note-taking clipper that wants to "read and change data on all websites" plus your bookmarks and history is asking for far more than its job needs. Ask: what does this tool actually do, and does the access it requests line up? A weather extension needs your location, not your passwords.
### 2. A publisher you can't identify

Trustworthy extensions are published by a company with a real website and a store badge (Chrome awards Established Publisher and Featured badges to listings that have earned them). Warning signs: no developer website, a publisher name that's a Gmail address, or a support link that goes nowhere. If you can't find out who made it, you can't hold anyone accountable for what it does.
### 3. Reviews that don't add up

A genuinely useful tool accumulates installs and a spread of detailed reviews over time. Be wary of a few hundred installs paired with a wall of five-star, one-line reviews posted in the same week. Fake reviews are cheap; a years-long track record isn't.
### 4. A change of owner, or new permissions after an update

A favourite trick in 2026 is buying a small, trusted extension and pushing a malicious update to its existing users, who auto-update without noticing. In March 2026 a popular extension turned malicious this way after its ownership transferred. Chrome does disable an extension whose update requests permissions it did not have before, and asks you to approve them; if that prompt appears, stop and re-read what the extension now wants. The caveat is that an update which adds no new permissions gets no prompt at all, so an extension that was already over-permissioned can change hands and change behaviour silently. That is one more reason flag 1 matters at install time.
### 5. "On all sites" for a one-site tool

"Site access: On all sites" is normal for a grammar checker or ad blocker that genuinely works everywhere. It's a red flag for a tool that only operates on one site, a coupon finder for a single store, say, that still wants every site you visit. You don't have to accept what the extension asks for: in chrome://extensions, open its Details and set Site access to "On click" or "On specific sites" instead of "On all sites". Chrome then withholds page access until you grant it.
### 6. A feature you already have

Many malicious extensions disguise themselves as utilities Chrome already provides, a "dark mode" or a "PDF viewer", or as something you should only ever get from a vendor you have heard of, a "fast VPN". The redundant feature is bait; the permissions are the point. Before installing a utility, check whether Chrome, or a single well-known extension, already covers it.
### 7. Installed from outside the store

The crudest malware skips the store entirely and arrives through a downloaded .crx, a "you must install this to continue" prompt, or a bundle with other software. Chrome refuses to load a .crx from outside the store unless you help it, so if installing something requires turning on Developer mode or dragging a file into chrome://extensions, don't. Store-listed extensions can still be dangerous, as the cases above show; sideloaded ones almost always are.
Generic safety guides tell you "watch the permissions". The more useful skill is reading combinations, because a single permission is rarely the whole story. It's the pairing that turns access into an attack.
| Permission pairing | What it enables |
|---|---|
| Read/change all sites + cookies | Session hijacking, stealing the login token that lets an attacker into your accounts without ever needing the password |
| Read/change all sites + browsing history | Building a complete profile of where you go and reselling it, the model behind those 287 history-exfiltrating extensions |
| Read/change all sites + native messaging | Passing your data to a program installed outside the browser, beyond Chrome's sandbox. Native messaging only works if a host program is already registered on the machine, which is why this pairing tends to arrive with a bundled installer |
| Scripting + webRequest on all sites | Injecting scripts into every page while watching every request those pages make: fake login forms, ad swaps, rewritten download links. In Manifest V3, webRequest can only observe, so the rewriting is done by the injected script; declarativeNetRequest is the API that can still redirect requests |
None of these permissions is malicious on its own: your password manager legitimately reads pages, and Grammarly legitimately edits them. The question is whether this particular tool, from this particular publisher, has earned that combination. For a deeper walkthrough of reading the permission screen, see our guide on checking extension permissions.
1. On the Chrome Web Store listing, scroll past the description to the permissions list. If it asks for more than its function needs (flags 1 and 5 above), stop here.
2. Look for a publisher badge, a real developer website, the install count, and how long it's been in the store. A blank publisher profile is a no.
3. Open chrome://settings/safetyCheck and run it. Chrome flags extensions it has since removed from the store for policy or security reasons. Turning on Enhanced Safe Browsing adds real-time warnings.
4. Go to chrome://extensions, click Details on each one, and re-read its Site access. Remove anything you don't recognise or no longer use; every extension is attack surface.
5. For extensions that matter, cross-check with a third-party risk tool such as Spin.AI's risk assessment or TrustScan. (CRXcavator, the old community favourite, has been retired, so don't rely on it.) Or use our safety checker for a quick read.
If an extension trips these flags after you've installed it, act in order:

1. Go to chrome://extensions and click Remove. Don't just disable it: a disabled extension stays on disk and one click re-enables it.

The same logic carries across browsers; the differences are in the storefront. Edge, Brave, Opera and Vivaldi are Chromium-based and install the same Chrome extensions, so the seven flags apply unchanged. Edge also draws from the Microsoft Edge Add-ons store and Opera from its own catalogue, both of which see less scrutiny. Firefox add-ons are packaged and signed separately by Mozilla and go through their own review, but the permission-versus-function test is identical. Safari extensions are distributed through the App Store and are more tightly reviewed, which lowers (without eliminating) the risk. Whatever the browser, judge the extension, not the badge.