Audit Your Browser Extensions in 2026: A 15-Minute Security Cleanup
Extensions can read everything you do online, and trusted ones turn malicious after months. Here is how to inventory, scrutinize, and prune yours.

Browser extensions are one of the most overlooked attack surfaces on your computer. An extension with "read and change all your data on all sites" can see your email, your banking session, your passwords as you type them, and every page you visit. Most people grant that access once and forget about it, and that is exactly the risk.
Quick answer
To audit your extensions, open chrome://extensions/, delete anything you do not use regularly, then tighten every remaining extension's site access from "On all sites" to "On click" or a specific allowlist. Run your browser's Safety Check, be suspicious of any extension that suddenly asks for new permissions, and put a quarterly re-audit on your calendar. The whole pass takes about 15 minutes and closes most of your exposure.
In January 2026, researchers found 30 Chrome extensions stealing credentials from more than 260,000 users, and a growing share of attacks involve trusted extensions that turn malicious months after install via a supply-chain compromise. A 15-minute audit closes most of that exposure.
Key takeaways
- An extension with access to "all sites" can read and modify everything you do online, including credentials and banking sessions.
- Trusted extensions are increasingly compromised after the fact, through ownership changes or supply-chain attacks, so an extension being safe last year does not mean it is safe now.
- The highest-risk items are extensions you installed to try once and forgot; delete anything you do not use regularly.
- Restrict essential extensions to "on click" site access instead of "on all sites" wherever possible.
- Re-audit quarterly and be suspicious whenever an installed extension suddenly requests new permissions.
Why extensions are so dangerous
The permission model is the problem. To do useful work, many extensions request broad access, and "read and change all your data on the websites you visit" is the default for a huge number of them. That single grant means the extension can inject scripts into every page, scrape form fields (including passwords as you type them), read the page's cookies and, with the cookies permission, your session tokens, and watch your entire browsing history. Extension scripts run in their own isolated world, but they see the same DOM as the page, so that isolation does nothing to protect a logged-in banking tab from an extension you have granted access to it.
Worse, the threat is not static. Attackers buy popular extensions from burned-out developers, then push a malicious update to the existing user base. Supply-chain compromises let a legitimate extension turn hostile after months or years of normal behavior, the same pattern that hit developer tooling in the Nx Console VS Code extension breach.

Not every extension carries the same risk. Use this to triage what you find, keeping the low-risk tools and aggressively cutting the rest:
| Extension type | Typical access requested | Risk level | What to do |
|---|---|---|---|
| Password manager | All sites (needed to autofill) | Acceptable | Keep, but use a reputable vendor only |
| Ad / content blocker | All sites | Moderate | Keep one well-known blocker, remove duplicates |
| Coupon / shopping finder | All sites + your purchases | High | Remove; common vector for data harvesting |
| Screenshot / PDF tool | On click | Low | Set to "On click," keep if used |
| "Tried once" novelty | Whatever it asked for | High | Delete immediately, pure attack surface |
The 15-minute audit
- Inventory everything. Open chrome://extensions/ (or your browser's equivalent) and turn on Developer mode to see extension IDs and details. List every extension you have.
- Delete what you don't use. Anything you installed to try once and forgot is pure risk with no benefit. Remove every extension you do not use regularly; this single step eliminates most of your exposure.
- Scrutinize permissions. For each remaining extension, check its site access. The most dangerous setting is "On all sites." Ask whether the extension truly needs to see every page, or whether its job is limited to specific ones.
- Tighten site access. Right-click essential extensions (or open Details) and change Site access from "On all sites" to "On click" (the extension is activated only when you click it) or to a specific list of sites. A password manager may legitimately need broad access; a coupon finder does not.
- Run built-in safety checks. Chrome's Safety Check (chrome://settings/safetyCheck) compares your installed extensions against the Chrome Web Store's list of extensions that have been removed or flagged as potentially harmful. Act on what it flags, but remember that it only knows about extensions Google has already identified; a freshly compromised extension that is still listed will pass.
Tip
Be especially wary of any extension that requests new permissions in an update. If a tool that worked fine suddenly wants broader access and you cannot find a clear reason, uninstall it; that is a classic sign of a post-install compromise.
What to check before installing anything new
Prevention beats cleanup. Before you add an extension:
- Match permissions to purpose. A tool that does one narrow job should not need access to all sites. Broad requests without a clear reason are a red flag.
- Check the publisher and reviews. Look for a known developer, a real support presence, and recent reviews, and be alert to recent ownership changes.
- Prefer fewer, well-maintained extensions. Every extension is attack surface. The smallest set that does what you need is the safest set.
- Watch update behavior. Extensions auto-update by default, which is good for security patches but also how malicious builds arrive. There is no perfect answer, but a smaller, vetted set limits the damage.
For teams
If you manage browsers for an organization, do not rely on individual diligence:
- Maintain an allowlist of approved extensions and block installation of the rest.
- Use vulnerability tooling. Tools like Microsoft Defender Vulnerability Management and assessment utilities such as CRXcavator surface risky extensions across a fleet.
- Audit the allowlist quarterly for ownership changes, permission-scope changes, and new security advisories; an approved extension can go bad after approval.
This pairs naturally with the account-side hardening in our guide to auditing and revoking third-party app access, which applies the same "review what has access" discipline to your connected accounts.
What to do tonight
Block off 15 minutes and run this in order:
- Open chrome://extensions/, enable Developer mode, and list every extension you have.
- Delete every extension you have not used in the last month.
- For each survivor, open Details and change Site access from "On all sites" to "On click" wherever the tool still works that way.
- Run chrome://settings/safetyCheck and act on anything it flags.
- Add a recurring quarterly calendar reminder titled "extension audit" so this never lapses again.
While you are hardening accounts, the same review discipline applies to logins. If you have not already, run a check on whether your data has been breached and tighten any reused passwords.
Frequently asked questions
How do I see what an extension can actually access?
In chrome://extensions/, click Details on any extension and look at its permissions and Site access setting. "On all sites" means it can read and change every page you visit; "On click" limits it to when you activate it.
Is it safe to keep extensions I rarely use?
No. Rarely used extensions are the highest-risk items in your browser, because they keep their permissions and can be compromised via an update while you are not paying attention. Delete anything you do not use regularly.
Why would a safe extension become dangerous later?
Attackers buy popular extensions or compromise the developer's account, then push a malicious update to the existing install base. Supply-chain compromise means a tool that behaved for years can turn hostile overnight, which is why ongoing audits matter.
How often should I audit?
Quarterly is a good cadence for individuals, and essential for teams. Also re-check immediately whenever an extension requests new permissions, since that is a common signal of a malicious update.
The bottom line
Browser extensions can see everything you do online, and the trusted ones are increasingly the ones that turn against you. Spend 15 minutes: inventory what you have, delete what you do not use, tighten every "all sites" grant to "on click," and run your browser's safety check. Then put it on the calendar to do again next quarter.
Sources & further reading
- nexasphere.io/blog/chrome-extension-security-audit-guide-2026
- blog.barracuda.com/2026/02/25/hidden-cybersecurity-risk-browser-extensions
- cheatsheetseries.owasp.org/cheatsheets/Browser_Extension_Vulnerabilities_Cheat_Sheet.html
- security.berkeley.edu/education-awareness/browser-extensions-how-vet-and-install-safely
- phishfort.com/browser-extension-security-risks-prevent-phishing/


