Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Security researchers discovered that the 'Adblock for YouTube' Chrome extension, with over 10 million users, contains a dormant JavaScript injection capability that could be remotely activated to steal data.

A popular Chrome extension designed to block YouTube ads has been found to harbor a dormant but dangerous capability: the ability to execute arbitrary JavaScript code on any website a user visits. Security firm Island disclosed on June 25, 2026, that the extension, named 'Adblock for YouTube' (ID: cmedhionkhpnakcndndgjdbohmhepckk), has over 10 million installs and carries a Featured badge on the Chrome Web Store. While the extension delivers its promised ad-blocking functionality, it also contains architectural components that allow remote-controlled script injection, posing a significant supply-chain risk if the extension were ever compromised.
According to researchers Oleg Zaytsev and Shachar Gritzman, the extension has possessed remote-controlled script injection paths since February 2025. These paths enable the creation of arbitrary <script> elements using a custom scriptlet rule called 'trusted-create-element,' defined by the extension author. This rule can access sensitive data from any webpage. Crucially, at the time of analysis, this capability was not active in the server response, meaning it is dormant but not absent. 'Activating it requires a single server-side change, no extension update, no store review,' the researchers explained.
The risk is compounded by the extension's extensive permissions. Despite its name suggesting YouTube-specific functionality, the extension runs on every website a user visits. It adds a check that activates only when the current URL contains 'youtube.com,' but this check is trivially bypassed. The verification only looks for the string 'youtube.com' anywhere in the URL, not validating the hostname, frame origin, or embedded player context. This means an attacker could craft URLs like 'www.facebook.com/page?ref=youtube.com' or 'bank.example.com/search?q=youtube.com' to trigger the extension's code on any site.
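The contrast the researchers describe, shown as an added example (not code from the extension or from Island's report): a substring check that fires on any URL containing 'youtube.com', beside a check that parses the URL and validates the hostname. The sample URLs are constructed and include the two bypass shapes quoted above.

```javascript
// Weak check as described in the article: true whenever the string
// "youtube.com" appears anywhere in the URL (path, query, or hostname).
function weakYouTubeCheck(url) {
  return url.includes("youtube.com");
}

// Hardened check: parse the URL and compare the hostname itself, accepting only
// youtube.com and its subdomains (e.g. www.youtube.com) over http(s).
function strictYouTubeCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute, parseable URL
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (assumed inputs, not from the page's analysis).
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc123",      // genuine YouTube page
  "https://www.facebook.com/page?ref=youtube.com", // query-string bypass quoted in the article
  "https://bank.example.com/search?q=youtube.com", // query-string bypass quoted in the article
  "https://youtube.com.evil.example/",           // hostname that merely starts with youtube.com
  "https://evil.example/youtube.com/",           // path-segment bypass
];

// Returns, per URL, what each check decides so the difference is visible.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    weak: weakYouTubeCheck(u),
    strict: strictYouTubeCheck(u),
  }));
}

console.table(compareChecks(SAMPLE_URLS));
```

The hostname check covers only the first of the three gaps the researchers list; frame origin and embedded-player context depend on where the content script runs, which this standalone snippet does not model.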
Island emphasized that there is no evidence malicious payloads have been distributed to users through this mechanism. However, the mere presence of the capability, combined with the extension's history and ties to other malicious extensions, raises serious privacy and security concerns. The extension has been on the Chrome Web Store since 2014 and changed ownership in 2018. Early versions shipped with an ad-injection SDK called Unistream SDK, which was removed in June 2024. Additionally, several related extensions—'Adblock for Chrome,' 'Adblock for You,' and 'AdBlock Suite'—have been removed from the store for malware.
'The concern is not a single suspicious line of code,' Island stated. 'It is the combination: a high-install extension with all-site access, a remote-controlled injection path, prior ad-injection infrastructure, a major ownership and codebase change, and related extensions that were removed from the Chrome Web Store for malware.' The researchers warned that if the extension were compromised, an attacker could read pages, steal data, and act as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions.
The disclosure comes alongside a separate report from Palo Alto Networks Unit 42, which detected 18 browser extensions impersonating consumer brands to monetize through affiliate marketing. These extensions open a .shop domain in a new tab upon installation, redirecting users to pages that ask them to install a gaming-oriented browser. This highlights a broader trend of malicious and potentially dangerous browser extensions targeting users through official storefronts.
The Hacker News has contacted the developer of 'Adblock for YouTube' for comment. The findings underscore the importance of vetting browser extensions, even those with high install counts and official badges, as dormant capabilities can pose a latent threat to millions of users.