HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

119 Malicious Edge Extensions Delivered Credential‑Stealing Malware to 2.6 Million Users

Microsoft removed 119 malicious Edge extensions after they were found to have infected 2.6 M users with credential‑stealing malware. The incident highlights the need for robust vendor‑risk controls and continuous audit evidence for third‑party software.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 malwarebytes.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
malwarebytes.com

119 Edge Extensions Delivered Malware to 2.6 Million Users

What Happened — Microsoft removed 119 browser extensions from the Edge add‑on store after uncovering the “StegoAd” campaign. The extensions, advertised as ad blockers, VPNs, translators, etc., were installed by roughly 2.6 M users before turning into “sleepers” that silently downloaded additional malware, stole Google credentials and second‑factor codes, harvested WordPress admin logins, and exfiltrated cookies for session hijacking.

Why It Matters for Compliance & Audit Readiness

  • Third‑party software (browser extensions) is a classic vendor‑risk scenario that SOC 2 vendor‑management controls are designed to mitigate.
  • Continuous monitoring of third‑party assets provides audit‑ready evidence that only approved, vetted extensions are in use, satisfying CC5.2 (System Operations) and CC6.1 (Risk Management).
  • A breach caused by a malicious extension can trigger data‑exposure findings under SOC 2’s Confidentiality principle, jeopardizing your attestation if not documented.

Who Is Affected — Enterprises across technology, finance, healthcare, and any organization that permits Chromium‑based browsers on employee devices.

Recommended Actions

  • Inventory all browser extensions across the organization and map them to your vendor‑risk register.
  • Enforce a policy that only approved extensions may be installed; integrate real‑time extension reputation feeds into your endpoint security solution.
  • Capture continuous evidence of extension compliance for SOC 2 audits (e.g., screenshots, logs, vendor attestations). Source: https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware

Technical Notes — The campaign used steganography to hide malicious code in images, then delivered payloads via JavaScript updates. No browser vulnerability was exploited; the attack relied on user consent and trusted‑looking updates. Source: https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware

📰 Original Source
https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →