I remember seeing a Reese’s peanut butter cup example bringing awareness to shrinkflation.
The same candy, same packaging, subtly went from:
0.75 oz (21g) -> 0.55 oz (15g)
Malicious Browser Extension Updates are similar to this shrinkflation tactic.
History shows that browser extensions don’t always stay what they started as.
The Parallels:
- Shrinkflation: same packaging, same price, but you pay the same for less volume and feel cheated.
- Extensions: same extension name, same capabilities on the surface, but after an update it seems the same while you potentially get a malicious extension.
————————————
The Subtlety Often Missed
When a browser extension is updated, it usually does so automatically and "silently" on your machine. Just like Reese's subtle silent size-shrink. (Try to say that 10 times)
Potentially malicious updates could subtly slip into company infrastructure without a review.
Silent, subtle changes are risky and can undermine trust in well-established extensions. Are you monitoring these changes?
————————————
Case Studies
The Great Suspender (2021)
What users thought they had: A simple performance tool to suspend unused tabs.
What changed after updates:
- Ownership of the app changed
- New code was introduced allowing RCE exploitation.
- Eventually it was flagged by Google as malware and removed from the Chrome Web Store.
Why does this matter?
Same name…Same icon…Very different behavior over time from the extension.
Nano Adblocker / Nano Defender (2020)
The original developer (Hugo Xu) sold it because he no longer had time to maintain it.
What changed after updates:
- The original maintainer handed it over to new owners.
- Updates introduced malicious code.
- Credential harvesting and data exfiltration followed.
The Lesson: Updates can change trusted software into a threat actor's dream overnight.
————————————
What Can Organizations Do?
- Monitor when an approved extension updates.
- Perform weekly, monthly or quarterly checks at a minimum.
- Apply least privilege principles to what a browser extension requests access to. Ask yourself: does this extension need access to all of these permissions to function properly?
- Use tools that help statically (SAST) or dynamically (DAST) analyze the risks associated with browser extensions. There are tools designed for this functionality.
Browser extensions are helpful and increase efficiency, but they must be risk assessed, monitored for changes and tested regularly. Most developers are trustworthy, and Google actively strives to remove malicious extensions. Remember the danger: unmonitored, non-risk-assessed and blindly trusted browser extension updates generate unnecessary risks.
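One way to put the first two recommendations into practice (monitor when an approved extension updates, and notice when it asks for more than it used to) is to snapshot each installed extension's manifest and diff it against a saved baseline. The script below is an added example, not code from the original post or from any tool it mentions. It assumes the standard Chromium profile layout, where each extension lives under `<profile>/Extensions/<extension id>/<version>/manifest.json`; the extension id, name, versions and permission lists in the sample data are constructed for illustration and do not refer to any real extension.

```python
"""Detect silent browser-extension updates by diffing manifest snapshots.

Assumed layout (Chromium-based browsers): each installed extension is stored
under <profile>/Extensions/<extension id>/<version>/manifest.json.
A snapshot records, per extension id, the fields that matter for review:
name, version, permissions, host_permissions and update_url. Diffing a new
snapshot against a saved baseline surfaces version bumps and, more
importantly, any growth in what the extension is allowed to touch.
"""
import json
from pathlib import Path


def load_manifests(extensions_dir):
    """Read manifest.json for every <id>/<version>/ folder under a profile's Extensions dir."""
    manifests = {}
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        with manifest.open(encoding="utf-8") as fh:
            manifests[ext_id] = json.load(fh)
    return manifests


def snapshot_from_manifests(manifests):
    """Reduce parsed manifests (dict of extension_id -> manifest dict) to the review-relevant fields."""
    snap = {}
    for ext_id, m in manifests.items():
        snap[ext_id] = {
            "name": m.get("name", ""),
            "version": m.get("version", ""),
            # Manifest V3 splits host patterns into host_permissions; V2 mixes them
            # into permissions. Sorting keeps the diff stable across runs.
            "permissions": sorted(m.get("permissions", [])),
            "host_permissions": sorted(m.get("host_permissions", [])),
            "update_url": m.get("update_url", ""),
        }
    return snap


def diff_snapshots(baseline, current):
    """Return findings as (severity, extension_id, message) tuples.

    A version change alone is informational; new permissions, new host access
    or a changed update_url are flagged high because they are exactly what a
    silent ownership change tends to bring with it.
    """
    findings = []
    for ext_id, cur in current.items():
        base = baseline.get(ext_id)
        if base is None:
            findings.append(("info", ext_id, f"new extension installed: {cur['name']}"))
            continue
        if cur["version"] != base["version"]:
            findings.append(("info", ext_id, f"version {base['version']} -> {cur['version']}"))
        added = sorted(set(cur["permissions"]) - set(base["permissions"]))
        if added:
            findings.append(("high", ext_id, f"new permissions: {', '.join(added)}"))
        added_hosts = sorted(set(cur["host_permissions"]) - set(base["host_permissions"]))
        if added_hosts:
            findings.append(("high", ext_id, f"new host access: {', '.join(added_hosts)}"))
        if cur["update_url"] != base["update_url"]:
            findings.append(("high", ext_id,
                             f"update_url changed: {base['update_url']} -> {cur['update_url']}"))
    for ext_id in baseline.keys() - current.keys():
        findings.append(("info", ext_id, "extension removed"))
    return findings


def needs_review(findings):
    """True if any finding is high severity, i.e. the update should be held for review."""
    return any(sev == "high" for sev, _, _ in findings)


# Constructed sample data: a fictional tab-suspender extension before and after a
# silent update. The id is a placeholder in Chrome's id alphabet (a-p), not a real one.
EXT_ID = "abcdefghijklmnopabcdefghijklmnop"
BASELINE_MANIFESTS = {EXT_ID: {
    "name": "Tab Suspender Demo", "version": "7.1.0", "manifest_version": 3,
    "permissions": ["tabs", "storage"], "host_permissions": [],
    "update_url": "https://clients2.google.com/service/update2/crx",
}}
CURRENT_MANIFESTS = {EXT_ID: {
    "name": "Tab Suspender Demo", "version": "7.1.8", "manifest_version": 3,
    "permissions": ["tabs", "storage", "webRequest", "cookies"],
    "host_permissions": ["<all_urls>"],
    "update_url": "https://clients2.google.com/service/update2/crx",
}}


def example_findings():
    """Run the diff over the constructed sample and return the findings list."""
    baseline = snapshot_from_manifests(BASELINE_MANIFESTS)
    current = snapshot_from_manifests(CURRENT_MANIFESTS)
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for sev, ext_id, msg in example_findings():
        print(f"[{sev}] {ext_id}: {msg}")
    print("hold for review:", needs_review(example_findings()))
```

On a real host you would call `snapshot_from_manifests(load_manifests(path_to_profile_extensions_dir))` on a schedule, persist the snapshot as JSON, and diff it against the previous run; a `high` finding is the signal to pause and re-run whatever risk assessment approved the extension in the first place. A version bump with no permission growth is still worth logging, since the case studies above show that a benign-looking manifest can sit on top of changed code.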