The extension is Adblock for YouTube (ID cmedhionkhpnakcndndgjdbohmhepckk). Here is how to tell if it is on your browser right now.
- Open a new Chrome tab, type chrome://extensions into the address bar, and press Enter.
- Turn on Developer mode (toggle, top right) so each extension shows its ID.
- Scan your list for the name Adblock for YouTube or the ID cmedhionkhpnakcndndgjdbohmhepckk.
- If you find it, click Remove. There is no patched version, so removing it is the fix.
Even faster: open the Chrome Web Store listing. If the button there reads “Remove from Chrome,” the extension is installed on your browser. If it reads “Add to Chrome,” you are in the clear.
- What: Island researchers found that Adblock for YouTube (ID cmedhionkhpnakcndndgjdbohmhepckk), a Featured Chrome extension with 10M+ installs, carries dormant infrastructure to inject arbitrary JavaScript on any site via a bespoke 'trusted-create-element' scriptlet rule.
- Impact: A single server-side config change could activate page-reading, data theft, and session hijacking across banking, work, and admin sessions in 10 million browsers, with no extension update and no store review.
- Fix / mitigation: Remove the extension now; enforce extension allowlisting via Chrome enterprise policy and scope permissions, since there is no patched version and the capability stays dormant rather than absent.
- Who's at risk: Anyone with the extension installed, especially organizations whose employees run it on managed browsers with access to sensitive web apps.
A Chrome ad blocker installed on more than 10 million browsers contains everything needed to run arbitrary JavaScript on every website its users visit. Researchers at Island found that 'Adblock for YouTube' (ID cmedhionkhpnakcndndgjdbohmhepckk), which carries a Featured badge on the Chrome Web Store, has had remote-controlled script injection paths in its code since February 2025. The capability is dormant, not absent. Flipping it on takes one server-side change: no extension update, no store review, no visible signal to the user.
There is no evidence a malicious payload has been delivered. That is the only piece of good news, and it is conditional. The architecture sits there waiting, and the people who control the server decide when it runs.
What the extension can actually do
The add-on does block YouTube ads as advertised, including preroll. It also ships a bespoke scriptlet rule the author calls 'trusted-create-element' that can construct arbitrary script elements at runtime. At the time of analysis that rule was not present in the server response, but the plumbing to invoke it is baked into the shipped extension. In practical terms, activation means reading page contents, exfiltrating data, and acting as the user inside any authenticated session: personal accounts, internal work apps, admin panels.
Researchers Oleg Zaytsev and Shachar Gritzman put it plainly: the capability is dormant, not absent. Activation requires one server-side change with no extension update and no store review. A clean static scan today tells you nothing about what runs tomorrow.
The youtube.com check is theater
Despite its name, the extension runs on every website the browser loads. It includes a gate that supposedly activates logic only when the current URL contains 'youtube.com'. The check only tests whether that string appears anywhere in the URL. It never validates the hostname, the frame origin, or the embedded player context. That makes it trivially bypassable by placing the string anywhere in a target URL.
- www.facebook.com/page?ref=youtube.com
- bank.example.com/search?q=youtube.com
- internal.corp.com/redirect?from=youtube.com
An attacker who controls the activation server, or who can shape a victim's traffic, can satisfy this gate against banks, social platforms, or corporate internal tools. Ad blockers already request broad permissions to inspect requests, alter pages, and hide elements as ad systems change, so the extension already holds the access it would need.
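The gap between the two kinds of check, as an added example that is not the extension's code: the substring gate the article describes next to a hostname-scoped check, run over the URLs listed above (filled out here as full URLs).

```javascript
// Added example, not code from the extension. It puts the substring "gate"
// the article describes next to a hostname-scoped check and runs both over
// the URLs the article lists (constructed here as full URLs).
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc",
  "https://www.facebook.com/page?ref=youtube.com",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
];

// The weak gate: does the string appear anywhere in the URL? Query strings,
// paths and fragments all satisfy it.
function substringGate(url) {
  return url.includes("youtube.com");
}

// A hostname-scoped gate: parse the URL and compare the host exactly or as a
// subdomain. "youtube.com.evil.example" and "?q=youtube.com" both fail it.
function hostnameGate(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return false; // unparsable input never activates anything
  }
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Which URLs each gate would activate on; the difference is the article's point.
function compareGates(urls) {
  return {
    substring: urls.filter(substringGate),
    hostname: urls.filter(hostnameGate),
  };
}

console.log(compareGates(SAMPLE_URLS));
```

The same parse-then-compare pattern is what to look for when reviewing any extension that claims to scope itself to one site.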
Why the lineage matters
Island's argument is not about one suspicious line. It is the combination. Adblock for YouTube has been on the store since 2014 and changed ownership in 2018. Early versions shipped an ad-injection SDK called Unistream, removed only in June 2024. Remote-controlled script injection paths appeared in February 2025 and have been constant since. Three sibling ad blockers tied to the same orbit have already been pulled from the Chrome Web Store for malware.
- Adblock for Chrome (ID onomjaelhagjjojbkcafidnepbfkpnee) - removed
- Adblock for You (ID ogcaehilgakehloljjmajoempaflmdci) - removed
- AdBlock Suite (ID gekoepiplklhniacchbbgbhilidiojmb) - removed
A high-install extension with all-sites access, a remote-controlled injection path, prior ad-injection infrastructure, a major ownership and codebase change, and related extensions removed for malware is not a coincidence stack. It is a loaded mechanism with a Featured badge.
This is the browser extension threat model
The same week, Palo Alto Networks Unit 42 reported 18 browser extensions impersonating consumer brands to monetize through affiliate fraud. On install, all of them opened a .shop domain in a new tab that redirected onward, cited fake incompatibility issues, and pushed users to install a gaming-oriented browser. Different goal, same lesson: store presence and install counts are not trust signals. Extensions update their behavior from servers you cannot see, and a Featured badge reviews a snapshot, not the runtime.
What to do now
Remove Adblock for YouTube from managed fleets and flag the four IDs above for blocking. There is no patch here, only removal and policy. Audit which high-permission extensions your users run, and treat all-sites access plus remote configuration as a standing risk regardless of vendor reputation.
- Uninstall the extension and block ID cmedhionkhpnakcndndgjdbohmhepckk plus the three removed siblings.
- Enforce an extension allowlist through Chrome enterprise policy (ExtensionInstallAllowlist / ExtensionInstallBlocklist) rather than trusting store curation.
- Inventory installed extensions and their permissions; prioritize anything with host access to all sites combined with scripting.
- Treat ad blockers and other broad-permission utilities as remotely updatable code, and re-review them on a schedule, not just at install.
- Educate users that install counts and Featured badges do not guarantee an extension is safe over time.
The developer has not yet responded to requests for comment. Until that changes, assume the safe state for this extension is uninstalled.