152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic

Cybersecurity researchers have discovered a network of 152 Google Chrome extensions that act as new tab live wallpaper add-ons to distribute a potentially unwanted program (PUP) family. The cluster spans 38 separate Chrome Web Store publisher accounts and three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. They have been collectively installed 105,000 times. The

Researchers identified a coordinated cluster of 152 Chrome 'live wallpaper' extensions across 38 publisher accounts, collectively installed about 105,000 times, that distribute a potentially unwanted program family focused on adware, extensive user tracking, and fake Google organic traffic attribution.[2][4][5][7] These extensions log IP addresses, ISP, click counts, referrers, and can manipulate traffic signals for financial gain, and their JavaScript includes dormant capabilities to enumerate and delete IndexedDB databases when a service worker starts.[2][7] From a CyberSE.AI perspective, this illustrates AI supply chain and broader software supply chain risk for organizations that rely on browser-based AI tools and agents, since compromised or unvetted extensions in employee browsers can exfiltrate sensitive data, tamper with web storage used by AI applications, and corrupt telemetry used for AI-driven analytics. Enterprises using browser extensions with AI-powered workflows should treat the browser extension ecosystem as an external supply chain, enforce an approved extension allowlist, maintain a software bill of materials (SBOM) for critical browser-based AI integrations, and