Based on reporting by The Hacker News →
Introduction
A popular Chrome extension with more than ten million installs contained the technical plumbing to inject arbitrary JavaScript into any page, silently and on demand. The capability was dormant—but its mere presence turned a trusted browser helper into a ticking supply-chain vector.
The problem
Security researchers at Island analyzed the Chrome extension “Adblock for YouTube” (extension ID cmedhionkhpnakcndndgjdbohmhepckk) and discovered it possessed the ability to execute arbitrary JavaScript code, according to a report by The Hacker News. The extension, which carries a Featured badge on the Chrome Web Store, had been downloaded over ten million times and was ostensibly designed to block advertisements on YouTube. The hidden code injection capability was found to be present but not actively exploited at the time of analysis. The Hacker News covered the finding based on Island’s technical disclosure.
Consequences
Had the dormant injection been weaponized—either through a malicious update, a compromised developer account, or a secondary command channel—every one of those ten million installs could have been turned into a personal surveillance node or a foothold for credential theft. An extension that users explicitly trust to modify page content can also modify form fields, inject fake login overlays, exfiltrate session tokens, or redirect legitimate traffic to phishing sites. The real-world impact is not hypothetical: browser extensions are the ultimate man-in-the-browser, and a dormant script loader is simply a loaded weapon waiting for a trigger.