Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

SMB Cyber Intelligence Brief: Malicious browser extensions and software supply‑chain risk

What small and medium-sized businesses should look out for today.

High Monday 29 June 2026, 13:07 UK time
Today’s look-out: Credential theft via browser add-ons + supplier/software supply-chain compromise

What to look out for today

1) Malicious Microsoft Edge extensions removed from the Edge Add-ons store. These add-ons were designed to look normal, then activate days after install to steal credentials and run ad fraud.

2) Software supply-chain risk from hijacked developer packages (npm and Go). These were reported as being used to deploy an information stealer across Windows, macOS and Linux, potentially impacting businesses via internal apps, scripts, or outsourced development.

Why this matters to smaller businesses

  • Browsers are where work happens: email, Microsoft 365/Google Workspace, accounting, CRM and payroll. If a browser session or password is stolen, attackers can move quickly into business systems.
  • Extensions often bypass normal controls: staff can install add-ons without realising they are granting high levels of access (reading webpages, injecting content, capturing form data).
  • Supplier ripple effects: even if you don’t write software, your IT provider, web agency or an internal “power user” may rely on open-source packages and tools that can be tampered with.

Warning signs

  • Staff report a new browser toolbar/extension they don’t remember installing, or “helpful” add-ons for coupons, PDF/AI tools, video downloaders, or productivity boosters.
  • Unexpected sign-in prompts, repeated MFA requests, or password reset emails for Microsoft 365/Google/Banking that nobody requested.
  • New or unusual logins to email/SaaS from unfamiliar locations or devices (often spotted in Microsoft/Google security alerts).
  • Developer/supplier mentions an “urgent dependency update” or unexplained build issues in websites/apps (a potential early indicator of package compromise concerns).

How attackers may exploit the situation

  • Extension-led credential theft: a malicious extension can capture passwords, session tokens, or alter what users see in the browser (e.g., changing payment details on invoices shown in a portal).
  • Ad fraud and persistence: even if the goal starts as ad fraud, attackers often re-use the same access to attempt account takeover.
  • Supply-chain compromise: tampered packages can quietly add data-stealing behaviour into internal tools, websites, or scripts used by staff or managed service providers.

What to do today

  • Audit browser extensions on company devices (starting with finance and anyone with admin access). Remove anything not needed for the role.
  • Lock down extension installs where possible: use an allow-list approach for approved extensions on managed devices.
  • Reinforce MFA hygiene: tell staff to report unexpected MFA prompts immediately (don’t approve “to make it stop”).
  • Check your key SaaS alerts (Microsoft 365/Google, accounting, payroll): review recent sign-ins and add/confirm alerting for suspicious logins.
  • Supplier check-in: if you rely on a developer, MSP or web agency, ask what they are doing to reduce risk from compromised open-source packages.

Ask your IT provider

  • Can we see an inventory of installed browser extensions across managed endpoints, and can you enforce an approved list?
  • Do you have policies to block or restrict Edge/Chrome extension installs for non-admin users?
  • What monitoring do we have for impossible travel / unusual sign-ins to Microsoft 365/Google and other critical SaaS?
  • For any software work you do for us: what controls are in place for dependency/package risk (e.g., review/approval of new packages, reproducible builds, and rapid response if a package is later found malicious)?

Patch watch - only one short paragraph, and only if relevant

A critical issue with libssh2 (CVE-2026-55200) has public proof-of-concept code reported. This is a client-side SSH library issue (i.e., software connecting to an SSH server). Ask your IT provider or software suppliers whether any tools, appliances, or applications you use embed libssh2 and what their plan/timeline is for updates or mitigations.

One action today

Run a 15-minute audit today: list and remove any unapproved browser extensions on finance/admin machines, then message staff to report unexpected MFA prompts immediately.

Related Actions On Cyber resource

CTA: Use the Actions On Cyber “Phishing & Suspicious Sign-in Response” mini-checklist (what to do in the first 30 minutes).

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.