A first-of-its-kind large-scale automated trust assessment has revealed widespread security risks across browser extensions, including AI agents, with only 9 out of 108 extensions earning a “Highly Trusted” status.
“Browser extensions are now one of the largest unmanaged attack surfaces in the enterprise. What makes this risk unique is the level of access and the speed of exposure, with frequent extension updates.” — Ketan Nilangekar, Founder and CEO of ThreatWorx
The study by TrustModel.ai analyzed 100 of the most-installed Chrome extensions along with 10 leading AI browser agents, finding significant data exposure and security concerns amid a surge in supply chain attacks targeting browser extensions.
According to the findings, 43% of extensions have access to all websites visited by users, 46 monitor keyboard inputs, and 27 use eval() to execute dynamic code. The majority of extensions were placed in the “Use With Caution” category, while only a small fraction were deemed highly trusted.
The report also highlights rising extension-based cyberattacks, including phishing campaigns and compromised updates affecting millions of users, exposing sensitive data through malicious code injections and account takeovers.