What Happened
Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021.
Why It Matters
The article reports that Microsoft removed 119 malicious Edge extensions (the StegoAd campaign) that used steganography to hide malware in image and font files, then activated days after installation to steal credentials and conduct ad fraud.[1][2] These browser extensions were distributed via an official store, demonstrating how a trusted software distribution channel can be abused for years by a single threat actor.[1][5] From a CyberSE.AI perspective, this highlights an AI and software supply chain risk: any AI agent or browser-integrated automation that relies on compromised extensions, web stores, or unvetted plugins can have its inputs, credentials, and actions silently hijacked. Organizations should treat browser extensions and AI-integrated add-ons as third-party components in their SBOM, enforce strict extension policies (allowlists rather than blocklists), and continuously assess and monitor extension-based and plugin-based dependencies in AI agents for hidden payloads and post-install behavior.
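As an added illustration (not code from the article, from Microsoft, or from the StegoAd analysis), the following Python script audits unpacked Chromium-style extension directories: it inventories each manifest, flags extension IDs missing from an assumed allowlist and broad permissions, and applies one simple hidden-payload heuristic, bytes appended after a PNG's IEND chunk. The allowlist ID, the risky-permission set and the sample extension are constructed assumptions, and the IEND check is a generic heuristic, not a description of how StegoAd hid its payloads.

```python
import json
import struct
import tempfile
from pathlib import Path

# Hypothetical allowlist of approved extension IDs (constructed value, not a real extension).
ALLOWLIST = {"approved0000000000000000000000000"}
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Permissions worth a second look in any extension (assumed policy, tune to your environment).
RISKY = {"webRequest", "cookies", "<all_urls>", "scripting", "tabs"}

def png_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the PNG IEND chunk (0 for a clean or non-PNG file).
    Appending data after IEND is one generic payload-hiding trick; this is a heuristic only."""
    if not data.startswith(PNG_SIG):
        return 0
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return len(data) - pos
    return 0  # malformed or truncated: no IEND chunk found

def audit_extension(ext_dir: Path) -> dict:
    """Inventory one unpacked extension (<id>/<version>/manifest.json layout) and flag findings."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    findings = []
    ext_id = ext_dir.parent.name
    if ext_id not in ALLOWLIST:
        findings.append("not on allowlist")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & RISKY:
        findings.append("broad permissions: " + ", ".join(sorted(perms & RISKY)))
    for png in ext_dir.rglob("*.png"):  # asset check: image files carrying extra bytes
        extra = png_trailing_bytes(png.read_bytes())
        if extra:
            findings.append(f"{png.name}: {extra} bytes after IEND")
    return {"id": ext_id, "name": manifest.get("name"),
            "version": manifest.get("version"), "findings": findings}

def build_sample() -> Path:
    """Construct a throwaway sample extension whose icon has bytes appended after IEND."""
    root = Path(tempfile.mkdtemp()) / "abcdefghijklmnopabcdefghijklmnop" / "1.0.0"
    root.mkdir(parents=True)
    (root / "manifest.json").write_text(json.dumps({
        "name": "Sample", "version": "1.0.0",
        "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}))
    iend = struct.pack(">I", 0) + b"IEND" + b"\xae\x42\x60\x82"  # empty IEND chunk + its CRC
    (root / "icon.png").write_bytes(PNG_SIG + iend + b"payload-bytes")  # 13 constructed bytes
    return root
```

Point `audit_extension` at each `<profile>/Extensions/<id>/<version>` directory to produce an inventory that can be diffed against the approved list on a schedule.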
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html