Based on reporting by The Hacker News →
Introduction
Microsoft just removed 119 malicious Edge extensions that hid their payloads in steganographic image and font files, then activated days later to steal credentials and run ad fraud. This is not a typical browser add-on sweep; it is a wake-up call that attackers are now weaponizing the very files browsers treat as benign.
The problem
According to a report from The Hacker News, Microsoft has terminated a long-running malicious operation on its Edge Add-ons store, which the company calls StegoAd—a portmanteau of steganography and adware. The 119 extensions were tied to a single threat actor active since at least 2021. These extensions concealed malicious code inside ordinary image and font files using steganographic techniques, bypassing standard security scans. After installation by users, the extensions remained dormant for days before waking to harvest credentials and siphon traffic for ad fraud. The Hacker News attributes this information to Microsoft’s own disclosure.
Consequences
The immediate risk is credential theft and ad fraud, but the deeper consequence is trust erosion in the browser extension ecosystem. If a user or enterprise installs what appears to be a legitimate, functional extension—only to have it turn malicious days later—the damage to productivity, sensitive data, and brand reputation is severe. For organizations, a single compromised extension can expose internal credentials, session tokens, and corporate account access. The financial loss from ad fraud alone can run into thousands of dollars per campaign.