A significant supply chain threat has emerged targeting the browser ecosystem. Security researchers at Island have analyzed a popular Google Chrome extension, “Adblock for YouTube,” revealing a dormant capability to execute arbitrary JavaScript code. With over 10 million installations and a “Featured” badge on the Chrome Web Store, this extension represents a high-impact risk for organizations relying on web filtering for productivity and security.
While the extension ostensibly functions as an ad blocker, the presence of arbitrary script injection capabilities transforms it into a potential Remote Access Trojan (RAT) or credential stealer. The dormant nature of this functionality suggests a “sleeper” mechanism, likely waiting for a remote command or specific trigger to activate malicious payloads. For defenders, this underscores the reality that the browser extension supply chain is a prime attack vector, often bypassing traditional network perimeter defenses.
Technical Analysis
Affected Product:
- Name: Adblock for YouTube
- Extension ID: cmedhionkhpnakcndndgjdbohmhepckk
- Platform: Google Chrome (and likely other Chromium-based browsers)
Vulnerability/Threat: The extension possesses the technical capability to inject arbitrary JavaScript into the browsing context. This is not a bug in the browser engine, but a malicious feature embedded within the extension’s code.
Attack Mechanism: Browser extensions operate with extensive privileges within the browser’s security context. This specific extension includes logic that allows it to fetch and execute remote JavaScript or inject code directly into the Document Object Model (DOM) of visited sites.
From a defensive perspective, the attack chain is as follows:
- Installation: User installs the extension, granting it implicit permissions to read and modify data on websites (specifically YouTube, but often broad permissions are requested).
- Activation: The malicious component remains dormant until activated via a remote update, C2 heartbeat, or specific date/time trigger.
- Injection: Upon activation, the extension injects arbitrary JS into the active tab.
- Payload Execution: The injected script can perform actions within the security context of the currently logged-in user (e.g., exfiltrating session cookies, capturing credentials, modifying transactions, or redirecting to phishing sites).
Exploitation Status: The capability has been confirmed by researchers. While widespread active exploitation has not been publicly confirmed at this specific moment, the infrastructure for mass compromise is already in place on 10 million+ endpoints. This represents a "ticking time bomb" scenario.
Detection & Response
Detecting malicious browser extensions is challenging because they run inside the chrome.exe process space. However, we can detect the presence of the extension artifact on the filesystem and monitor for the installation of known malicious IDs.
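An added example, not the advisory's own tooling, that goes one step beyond looking for the known ID: it inventories every extension in every Chrome profile on a Windows host, reads each manifest.json, and flags the known ID together with any extension whose permissions give it the reach the attack chain above depends on (broad host access, script injection, tab and request access). The base path and the list of permissions treated as risky are assumptions.

```powershell
# Added example (not the advisory's own tooling): inventory every extension in every
# Chrome profile on this Windows host and flag the ones whose manifest grants the
# reach described in the attack chain (run on any site, inject scripts). Assumes
# Chrome's default per-user data location; other Chromium browsers need their own path.
$KnownBadIds = @("cmedhionkhpnakcndndgjdbohmhepckk")   # ID from the advisory
$BroadHosts  = @("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
$RiskyPerms  = @("scripting", "tabs", "webRequest", "webRequestBlocking", "cookies", "debugger")

# One Extensions folder per browser profile (Default, Profile 1, ...) per Windows user
$ExtRoots = Get-Item -Path "C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions" -ErrorAction SilentlyContinue

foreach ($Root in $ExtRoots) {
    foreach ($IdDir in Get-ChildItem -Path $Root.FullName -Directory) {
        # Each extension ID folder holds one sub-folder per installed version
        foreach ($VerDir in Get-ChildItem -Path $IdDir.FullName -Directory) {
            $ManifestPath = Join-Path $VerDir.FullName "manifest.json"
            if (-not (Test-Path $ManifestPath)) { continue }
            try   { $Manifest = Get-Content -Raw -Path $ManifestPath | ConvertFrom-Json }
            catch { Write-Warning "Unreadable manifest: $ManifestPath"; continue }

            # Collect every host pattern the extension can touch (MV2 and MV3 fields)
            $Hosts = @()
            $Hosts += @($Manifest.permissions) | Where-Object { $_ -is [string] -and $_ -match '^(<all_urls>|\*|https?://|file://)' }
            $Hosts += @($Manifest.host_permissions)
            foreach ($cs in @($Manifest.content_scripts)) { $Hosts += @($cs.matches) }
            $Hosts = @($Hosts | Where-Object { $_ } | Sort-Object -Unique)

            $Flags = @()
            if ($KnownBadIds -contains $IdDir.Name) { $Flags += "KNOWN-BAD-ID" }
            if ($Hosts | Where-Object { $BroadHosts -contains $_ }) { $Flags += "BROAD-HOST-ACCESS" }
            $Found = @($Manifest.permissions) | Where-Object { $RiskyPerms -contains $_ }
            if ($Found) { $Flags += "PERMS:" + ($Found -join ",") }

            # One row per installed version; empty Flags means nothing noteworthy
            [PSCustomObject]@{
                User    = $Root.FullName.Split('\')[2]
                Profile = $Root.Parent.Name
                Id      = $IdDir.Name
                Name    = $Manifest.name
                Version = $Manifest.version
                Hosts   = ($Hosts -join " ")
                Flags   = ($Flags -join " ")
            }
        }
    }
}
```

Pipe the output to Export-Csv to collect a fleet-wide baseline; any row carrying KNOWN-BAD-ID or BROAD-HOST-ACCESS is a triage candidate, and a localized name (`__MSG_*__`) simply means the display name lives in the extension's _locales folder.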
SIGMA Rules
---
title: Potentially Malicious Chrome Extension Installation - Adblock for YouTube
id: 8f2c4e1d-9a3b-4c7d-8e5f-6a1b2c3d4e5f
status: experimental
description: Detects the file creation of the known malicious 'Adblock for YouTube' extension (ID cmedhionkhpnakcndndgjdbohmhepckk) on Windows endpoints.
references:
    - https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html
author: Security Arsenal
date: 2026/06/02
tags:
    - attack.persistence
    - attack.t1176   # ATT&CK T1176: Browser Extensions
logsource:
    category: file_event
    product: windows
detection:
    selection:
        # Both substrings must appear in the path; two identical keys would be invalid YAML
        TargetFilename|contains|all:
            - '\Google\Chrome\User Data\'
            - '\cmedhionkhpnakcndndgjdbohmhepckk\'
    condition: selection
falsepositives:
    - None (Legitimate users should not install this specific extension ID given the current advisory)
level: critical
---
title: Suspicious Chrome Extension Directory Access
id: 9a3d5f2e-0b4c-5d8e-9f0a-7b2c3d4e5f6a   # must be a valid UUID (hex digits only)
status: experimental
description: Detects processes (like Chrome or installers) interacting with the directory structure of the malicious extension ID.
references:
    - https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html
author: Security Arsenal
date: 2026/06/02
tags:
    - attack.persistence
    - attack.t1176   # ATT&CK T1176: Browser Extensions
logsource:
    category: file_access
    product: windows
detection:
    selection:
        # No browser-path constraint, so this also fires for other Chromium-based browsers
        TargetFilename|contains: '\cmedhionkhpnakcndndgjdbohmhepckk\'
    condition: selection
falsepositives:
    - Low
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for traces of the malicious extension ID on endpoints.
// FolderPath is the containing folder (e.g. ...\Extensions\<id>\<version>_0), so the ID
// is matched as a path component with 'contains' rather than 'endswith'; leaving out the
// browser-specific prefix also covers non-Default profiles and other Chromium browsers.
DeviceFileEvents
| where FolderPath contains @"\Extensions\cmedhionkhpnakcndndgjdbohmhepckk"
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FolderPath, FileName, SHA256
| summarize arg_max(Timestamp, *) by DeviceName
Velociraptor VQL
-- Hunt for the presence of the malicious extension directory in every Windows user
-- profile and every Chrome/Chromium browser profile (Default, Profile 1, ...).
-- glob() needs absolute patterns; OSPath is the path column (FullPath on older releases).
SELECT OSPath, Size, Mtime, Atime
FROM glob(globs=[
    "C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Extensions/cmedhionkhpnakcndndgjdbohmhepckk/*",
    "C:/Users/*/AppData/Local/Chromium/User Data/*/Extensions/cmedhionkhpnakcndndgjdbohmhepckk/*"
])
Remediation Script (PowerShell)
# Remediation Script: Remove Adblock for YouTube Extension
# Run as Administrator to remediate all user profiles. Close Chrome first:
# the directory is locked while the extension is loaded.
$MaliciousID = "cmedhionkhpnakcndndgjdbohmhepckk"
$BasePath = "C:\Users"
Write-Host "Starting scan for extension ID: $MaliciousID" -ForegroundColor Cyan

# Get all user profiles ($UserProfile rather than $Profile, which is a PowerShell automatic variable)
$UserProfiles = Get-ChildItem -Path $BasePath -Directory -ErrorAction SilentlyContinue
foreach ($UserProfile in $UserProfiles) {
    # Chrome keeps one Extensions folder per browser profile (Default, Profile 1, ...),
    # so match all of them instead of only Default
    $Pattern = Join-Path -Path $UserProfile.FullName -ChildPath "AppData\Local\Google\Chrome\User Data\*\Extensions\$MaliciousID"
    $Hits = Get-Item -Path $Pattern -ErrorAction SilentlyContinue
    foreach ($ChromeExtPath in $Hits) {
        Write-Host "[!] MALICIOUS EXTENSION FOUND at: $($ChromeExtPath.FullName)" -ForegroundColor Red
        try {
            # Attempt to remove the directory
            Remove-Item -Path $ChromeExtPath.FullName -Recurse -Force -ErrorAction Stop
            Write-Host "[+] Successfully removed extension for user: $($UserProfile.Name)" -ForegroundColor Green
        }
        catch {
            Write-Host "[-] Failed to remove extension. Chrome may be running or permissions issue." -ForegroundColor Yellow
            Write-Host "    Please close Google Chrome and re-run." -ForegroundColor Yellow
        }
    }
}
Write-Host "Scan complete." -ForegroundColor Cyan
Remediation
- Immediate Removal: Organizations must instruct users to immediately remove the extension "Adblock for YouTube" from their browsers.
  - Navigate to chrome://extensions/
  - Locate "Adblock for YouTube"
  - Click "Remove".
- Verify Deletion: Use the provided PowerShell script to scan the filesystem to ensure the artifact (cmedhionkhpnakcndndgjdbohmhepckk) is fully deleted from user profiles. The registry or browser preference files may still reference the ID, but the code removal is the priority.
- Policy Enforcement: Update browser management policies (e.g., Google Admin Console) to block the installation of this specific Extension ID (cmedhionkhpnakcndndgjdbohmhepckk) and review the permissions of all currently installed extensions.
- User Awareness: Notify users that legitimate-looking extensions, even those with high install counts and "Featured" badges, can pose significant security risks. Encourage the principle of least privilege: only install extensions absolutely necessary for business operations.
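For fleets managed through Windows policy rather than the Google Admin Console, the same block can be applied locally with Chrome's ExtensionInstallBlocklist policy. This is an added example, not the advisory's own script; it assumes the standard HKLM Chrome policy key and must run as Administrator.

```powershell
# Added example (not the advisory's own script): enforce the block through Chrome's
# ExtensionInstallBlocklist policy, which Chrome reads from the HKLM policy key on
# managed Windows machines. Run as Administrator.
$BlockedId = "cmedhionkhpnakcndndgjdbohmhepckk"   # ID from the advisory
$PolicyKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist"

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

# Each entry is a REG_SZ whose name is a 1-based index and whose data is an extension ID;
# filter out the PS* provider properties that Get-ItemProperty adds
$Existing = (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' }

if ($Existing.Value -contains $BlockedId) {
    Write-Host "[=] $BlockedId is already blocklisted"
} else {
    # Append after the highest existing index so other blocked IDs are preserved
    $NextIndex = if ($Existing) { ([int[]]$Existing.Name | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name $NextIndex -Value $BlockedId -PropertyType String | Out-Null
    Write-Host "[+] Added $BlockedId as blocklist entry $NextIndex"
}

# Show the resulting list; Chrome applies it on its next policy refresh (verify at chrome://policy)
Get-ItemProperty -Path $PolicyKey | Select-Object -Property * -ExcludeProperty PS*
```

Once the policy applies, Chrome also disables an already-installed copy, so this complements rather than replaces the filesystem cleanup above.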