Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary JavaScript code. According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has more than 10 million installs and carries a Featured badge on the Chrome Web Store. The extension description states that it allows users to prevent web

The article reports that the popular Chrome extension Adblock for YouTube (10M+ installs, Featured badge) contains an architecture that allows a backend-controlled path to execute arbitrary JavaScript on users’ browsers, even though no active exploitation has been observed yet.[2][5] Researchers highlight that this capability can be enabled server-side without any new extension version or Chrome Web Store review, and that the extension runs on all sites with weak URL checks, making it possible to escalate from ad blocking to full session manipulation via a configuration change.[2][4][5] From a CyberSE.AI perspective, this represents an AI-adjacent supply chain risk pattern: a widely trusted browser component can silently gain expansive script-execution capabilities that could later be used to target AI-powered web apps, in-browser AI agents, or data flowing into AI systems. Organizations relying on browser-based AI tools should treat high-privilege extensions as third‑party code in their AI supply chain, applying extension allowlists, SBOM-style inventory and review, and continuous red teaming of browser+extension stacks that interact with sensitive AI workflows.