A community-maintained database of malicious Chrome and Edge browser extension indicators of compromise (IOCs).
Repository: chrome-mal-ids
⚠ Schema updated May 2026 — Six new TPCI-V verification fields added (
TPCI-VERIFY,TPCI-VERIFY-DATE,TPCI-STORE-NAME,TPCI-STORE-DEV,TPCI-STORE-DATE,TPCI-IDENTITY) plus four earlier additions (ADD-SOURCES,CONTRIB-METHOD,CONTRIB-TYPE,CONTRIB-HANDLE). Scripts using positional column indexing will need updating. Scripts using named headers (csv.DictReaderor equivalent) require no changes. See SCHEMA.md for full details and migration guidance.
⚠ Delta import verification status — A meaningful share of entries sourced from third-party sources (
CONTRIB-METHOD=Delta_Importorcsv_import) have undergone Stage 5A static behavioral analysis and shown confirmed malicious or elevated-risk patterns at a high rate. Third-party sources include a one-time bulk delta import plus ongoing ingestion from toborrm9/malicious_extension_sentry and PDF report intake. For current entry counts and the exact confirmation rate, see the By Contribution Method table in STATS.md — those numbers move as ingestion continues, so they're tracked there rather than restated here. See Data Quality and CHANGELOG.md.
Started in 2021 as a personal research project after noticing no single authoritative list of malicious Chrome extension IDs existed. The database tracks thousands of documented malicious extension IOCs across dozens of campaigns — from credential stealers and browser hijackers to supply chain compromises and ad fraud rings. Current totals change as ingestion continues — see STATS.md for the live count, campaign breakdown, and contribution-method breakdown, auto-generated on every update rather than restated here.
The database is maintained by The Privacy Commons Institute (TPCI) and is an active research platform. TPCI conducts original research on browser extension threats including persistence measurement, removal rate analysis, IOC feed quality assessment, and behavioral verification. Entries are updated as research progresses. All changes are documented in CHANGELOG.md.
All entries sourced from original research are human-reviewed before publication. Distribution outputs (STIX, MISP, Sigma, blocklist) contain only TPCI-verified entries.
| File | Description |
|---|---|
data/current-list-meta.csv |
Full dataset with metadata |
data/current-list.csv |
ID-only list for lightweight consumption |
data/current-list.txt |
Plain text blocklist, one ID per line |
data/current-list.json |
JSON array with full metadata |
data/current-list-sigma.yml |
Sigma detection rule for SIEMs |
formats/chrome-mal-ids-stix.json |
STIX 2.1 bundle for threat intel platforms |
formats/misp-export.json |
MISP event JSON for manual import |
formats/misp-feed/ |
MISP feed directory for automatic polling |
STATS.md |
Auto-generated statistics summary — current totals, campaign breakdown, contribution methods, and monitored sources live here |
SCHEMA.md |
Full schema documentation |
Each entry in current-list-meta.csv contains:
| Field | Description |
|---|---|
EXTID |
32-character Chrome/Edge extension ID |
EXTID-NAME |
Extension display name |
DATE-DIS |
Date the malicious behavior was first reported |
THREAT-TYPE |
Type of threat (spyware, data-theft, browser-hijack, etc.) |
BROWSER |
chrome or edge |
STILL-ACTIVE |
1 if still live in the browser store at time of reporting |
OWNERSHIP-TRANSFER |
1 if a legitimate extension was acquired and turned malicious |
SOURCE |
Primary research source |
ARTICLE |
News/blog article covering the campaign |
NOTES |
Plain-English summary of the malicious behavior |
Full schema: SCHEMA.md
Entries in this database fall into two categories with different confidence levels. Exact current counts for both categories, plus a full breakdown by contribution method (delta import, PDF report intake, AI enrichment, manual entry, etc.), are in STATS.md's "By Contribution Method" table rather than restated here as static numbers.
Independently verified entries (CONTRIB-METHOD ≠ Delta_Import, ≠ csv_import)
Sourced from published security research, individually reviewed by a human before
commit, with source citations and campaign attribution. These are confirmed malicious
extensions backed by original research.
Third-party source entries (CONTRIB-METHOD=Delta_Import, csv_import, PDF_Import, etc.)
These entries have not necessarily been individually human-reviewed on ingest but have
undergone Stage 5A static behavioral analysis. Check the TPCI-VERIFY and TPCI-IDENTITY
fields for current verification status. Entries with TPCI-VERIFY=Stage 5A are behaviorally
confirmed; entries marked TPCI-VERIFY=stub are pending individual analysis.
Filtering by confidence level:
# High confidence — independently verified entries only
grep -v "Delta_Import\|csv_import" data/current-list-meta.csv
# Check verification status
awk -F',' '$19 != "" '} data/current-list-meta.csv # TPCI verified entries
# Unverified delta imports
grep "Delta_Import" data/current-list-meta.csv | grep -v "Store_Enrichment"Additional quality notes:
- UNKNOWN stubs — entries with confirmed malicious IDs but incomplete metadata.
Committed immediately (an ID is better than nothing) and enriched over time.
Find them with:
grep ",UNKNOWN," data/current-list-meta.csv - Still-active flag — reflects status at time of reporting, not necessarily today.
Use
TPCI-VERIFYandTPCI-VERIFY-DATEfor current verified status. - Supply chain victims — some entries marked
TPCI-IDENTITY=remediatedwere legitimate extensions compromised by supply chain attacks. The developers have patched the malicious code. These IDs are retained for historical accuracy but should not be treated as currently malicious. - Contributor handles -
malswarerefers to Mallory Bowes Brown (Principal Researcher, TPCI) — a legacy handle predating the Institute's formation. New records usembb. Contact: research@tpc.institute
Browse and search the full database at: https://the-privacy-commons-institute.github.io/chrome-mal-ids
Filter by campaign, threat type, browser, date, and active status. Click any entry for full details including research article links.
One ID per line — works with grep, MDM tools, custom scripts:
# Download
curl -O https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list.txt
# Check a specific ID
grep "YOUR_EXTENSION_ID" current-list.txt
# Scan all installed Chrome extensions (Linux/macOS)
comm -12 \
<(ls ~/.config/google-chrome/Default/Extensions/ | sort) \
<(grep -v '^#' current-list.txt | awk '{print $1}' | sort)Full metadata as a JSON array — ideal for developers and custom tooling:
https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list.json
import urllib.request, json
url = "https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list.json"
data = json.loads(urllib.request.urlopen(url).read())
exts = {e["ext_id"]: e for e in data["extensions"]}
# Check an ID
if "your_extension_id" in exts:
print(exts["your_extension_id"])Sigma rule covering all known malicious IDs — compatible with Splunk, Elastic, Microsoft Sentinel, and any Sigma-capable SIEM:
https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list-sigma.yml
Convert to your SIEM's native format with sigma-cli:
sigma convert -t splunk current-list-sigma.yml
sigma convert -t elastic-dsl current-list-sigma.yml
sigma convert -t sentinel current-list-sigma.yml# Download the full metadata CSV
curl -O https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list-meta.csv
# Check if a specific extension ID is malicious
grep "YOUR_EXTENSION_ID" current-list-meta.csvLinux / macOS:
curl -O https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/contrib/scripts/linux_mac/chrome-ext-check.sh
chmod +x chrome-ext-check.sh
./chrome-ext-check.shWindows (PowerShell):
Invoke-WebRequest -Uri https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/contrib/scripts/windows/Scan-ChromeExtensions.ps1 -OutFile Scan-ChromeExtensions.ps1
.\Scan-ChromeExtensions.ps1Two MISP formats are available — manual import or automated feed:
Manual import (misp-export.json):
MISP → Events → Import → MISP JSON → select misp-export.json
Automated feed (recommended — MISP polls automatically on a schedule):
MISP → Feeds → Add Feed:
Name: Malicious Chrome Extension IOC Database
Type: MISP Feed
URL: https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/formats/misp-feed/
Input source: Network
Distribution: Your organisation only
The feed creates one MISP event per campaign, with full attribute metadata, TLP:WHITE tags, and source references (see STATS.md for the current campaign count). Updates automatically with every new database commit.
The STIX 2.1 bundle is auto-generated on every update and available at:
https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/formats/chrome-mal-ids-stix.json
MISP — scheduled pull:
Events → Feeds → Add Feed → STIX 2.1 → paste URL above
OpenCTI — remote ingestion:
Data → Ingestion → Remote STIX2 Feeds → paste URL above
Subscribe to updates via the releases RSS feed:
https://github.com/The-Privacy-Commons-Institute/chrome-mal-ids/releases.atom
import csv, urllib.request
url = "https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list-meta.csv"
with urllib.request.urlopen(url) as r:
rows = list(csv.DictReader(line.decode() for line in r))
# Check a specific ID
target = "your_extension_id_here"
match = next((r for r in rows if r["EXTID"] == target), None)
if match:
print(f"MALICIOUS: {match['EXTID-NAME']} — {match['THREAT-TYPE']}")Live, auto-generated statistics — total IOC count, verified vs. third-party split, campaign breakdown, threat type breakdown, contribution methods, and currently monitored sources — are maintained in STATS.md, not duplicated here. STATS.md regenerates automatically as part of the commit pipeline, so it reflects the database's actual current state rather than a number frozen at whatever point this README was last edited.
All entries in this database are subject to ongoing verification using the TPCI-V multi-stage verification protocol developed by The Privacy Commons Institute.
| Stage | Method | Field |
|---|---|---|
| Stage 1 | Source review and ingestion | CONFIRM-MAL, REPORTED-MAL |
| Stage 2 | Chrome CRX update API | TPCI-VERIFY, STILL-ACTIVE |
| Stage 3 | Headless browser store verification | TPCI-VERIFY, STILL-ACTIVE |
| Stage 4 | Identity continuity check | TPCI-IDENTITY, TPCI-STORE-NAME |
| Stage 5 | Behavioral analysis (static CRX) | TPCI-BEHAVIORAL, TPCI-BEHAVIORAL-DATE |
Full methodology: tpc.institute
The database is updated by monitoring security research RSS feeds and GitHub repositories daily.
Current source list: See STATS.md for the full auto-generated list — it stays in sync with the monitoring pipeline automatically.
Sources include blogs and publications from: Koi Security / Palo Alto, Bleeping Computer, The Hacker News, Krebs on Security, Sekoia, Palant's Blog, Secure Annex, Trustwave SpiderLabs, The Record, SecurityWeek, and several GitHub IOC aggregation repositories.
To suggest a new source, open an issue.
Open an issue with:
- Extension ID (32-char string from the Chrome Web Store URL)
- Extension name
- Source article or research post
- Brief description of the malicious behavior
See SCHEMA.md for the full field specification before submitting a PR.
Some notable campaigns tracked in this list:
- Cyberhaven Dec 2024 — supply chain attack on a legitimate security extension
- DarkSpectre / ShadyPanda — 36+ extensions, 7.8M infected browsers
- Phoenix Invicta / Netflix Party — 60+ extensions circumventing Manifest V3 restrictions
- unknow.com spyware — 57 extensions, 6M users, cookie theft and remote control
- adindex ad fraud cluster — RCE via Firebase, session replay for ad fraud
- Koi RedDirection — browser hijack campaign across Chrome and Edge
- BIScience clickstream — browsing history collection under false pretenses
- And many more — browse the full list →
This dataset is licensed under CC BY 4.0.
You are free to use, share, and adapt this data for any purpose including commercially, provided you give appropriate credit:
Extension IOC data sourced from chrome-mal-ids by Mallory Bowes Brown https://github.com/The-Privacy-Commons-Institute/chrome-mal-ids
See LICENSE.md for full terms.
Maintained by @mallorybowes /
The Privacy Commons Institute
Pipeline tooling built with Claude (Anthropic)
Verification protocol: TPCI-V