Popular Chrome Ad Blocker Hides a Dormant Code Injection Path
A Chrome extension called Adblock for YouTube, installed more than 10 million times, contains a hidden way to run any code the developer chooses on every site you visit. Researchers at Island found it is switched off for now, but it could be turned on from the developer's server with no update and no review. The safe move is to remove it.
By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read
An ad blocker should do one thing: hide ads. A popular Chrome extension called Adblock for YouTube, with more than 10 million installs and a Featured badge on the Chrome Web Store, turns out to carry a second capability its name never mentions. Researchers at Island found it can run arbitrary JavaScript on any page the browser loads.
For now, that capability is dormant. The code path exists, but the developer's server is not using it. Island's point is that the gap between dormant and active is a single change on that server, with no extension update and no trip back through Google's review. Nothing visible would change for the 10 million people running it.
Why an ad blocker can do so much damage
Ad blockers ask for broad permissions by design. To strip ads from pages they need to read and rewrite whatever you load, which means an extension trusted to remove ads is also trusted to read your webmail, your banking session, and your company's admin panels. If that access is ever pointed at theft instead of ad removal, it can copy data and act inside your accounts as you.
The extension also misstates where it runs. It claims to work only on YouTube, but the check it uses just looks for the text youtube.com anywhere in the address. Put that string in any URL and the check passes, so in practice it runs everywhere.
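The difference between a substring test and a real hostname test, shown as an added example rather than code from the extension or from Island's report. The function names and sample addresses are constructed for illustration, and `example.test` is a reserved test domain.

```javascript
// Added example: function names and sample URLs are constructed.

// Weak scope check of the kind the article describes: a substring
// match against the whole address.
function weakIsYouTube(address) {
  return address.includes("youtube.com");
}

// Hardened check: parse the URL, require https, and compare the
// hostname with the exact domain or a dot-delimited subdomain of it.
function strictIsYouTube(address) {
  let url;
  try {
    url = new URL(address);
  } catch {
    return false; // unparseable input is never in scope
  }
  if (url.protocol !== "https:") return false;
  // Drop the trailing dot of a fully qualified name before comparing.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample addresses.
const samples = [
  "https://www.youtube.com/watch?v=abc",
  "https://mail.example.test/inbox?ref=youtube.com",
  "https://youtube.com.example.test/login",
  "https://example.test/youtube.com/",
  "https://notyoutube.com/",
  "https://youtube.com@example.test/",
];

// Run both checks over a list so the disagreements are visible.
function compare(list) {
  return list.map((address) => ({
    address,
    weak: weakIsYouTube(address),
    strict: strictIsYouTube(address),
  }));
}

for (const row of compare(samples)) {
  console.log(`weak=${row.weak} strict=${row.strict} ${row.address}`);
}
```

In an extension, the intended scope belongs in the manifest's match patterns (for example `*://*.youtube.com/*`), which the browser enforces, rather than in a string test inside the script.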
The history is the worrying part
Adblock for YouTube has been on the store since 2014 and changed hands in 2018. Earlier versions shipped with ad-injection software that was only removed in 2024, and several related ad-blocking extensions have since been pulled from the store for malware. Island found the remote script-injection path has been present since February 2025. There is no evidence a malicious payload has actually been pushed to users, and that is worth stating plainly. The concern is the combination: a huge install base, access to every site, a remote switch, and a history that points the wrong way.
What to do today
- Open chrome://extensions and look for Adblock for YouTube (extension ID cmedhionkhpnakcndndgjdbohmhepckk); remove it if present.
- Check the permissions on every ad blocker you run; treat anything with access to all sites as high risk and keep only what you trust.
- Prefer open-source ad blockers whose code can be inspected over closed extensions that have changed ownership.
- On company devices, build an allow-list of approved extensions rather than letting staff install whatever they find.
- After removing a suspect extension, change passwords for any sensitive account you used in that browser, since you cannot see what a dormant path may have done.
This is the quiet risk in browser extensions generally. People install one for a small convenience, grant it the run of every page, and never look at it again. A malicious browser extension does not have to be hostile on day one. It only has to be sold, updated, or switched on by someone who is.