SearchJack: 23 Chrome Extensions Intercept 758,000 Users’ Searches

MalExt Sentry found 23 Chrome extensions routing 758,000 users' search queries through attacker relay servers to generate unauthorized advertising revenue.

    MalExt Sentry researchers disclosed a coordinated Chrome extension campaign called SearchJack on June 15, 2026, revealing that 23 Chrome extensions had silently routed approximately 758,000 users’ search queries through attacker-controlled relay servers — inserting an unauthorized advertising monetization layer into every search those users performed without their knowledge or consent. The extensions remained available in the Chrome Web Store at the time of disclosure.

    How SearchJack Exploited Chrome’s chrome_settings_overrides Feature to Insert a Search Relay Into Every Query

    The 23 SearchJack extensions exploited Chrome’s chrome_settings_overrides manifest feature, a legitimate API designed to let authorized extensions customize browser search behavior. SearchJack used it to replace users’ configured search engines with attacker-controlled relays. From the moment a user installed any of the 23 extensions, every search they performed routed through those relay servers before reaching any results page.

    Data transmitted to attacker-controlled infrastructure included IP addresses, search queries, and device identifiers. The relay insertion generates unauthorized advertising revenue per query — each search producing a monetized impression that the user never authorized and that legitimate advertising platforms cannot distinguish from genuine user-initiated traffic.

    The extensions were distributed under names including PerfecTab Search, Quick Search Tool, Better Search, NewTab.Search, Nautilus Search, Earth, Wanderlustar, Template Search, Earth 3D, My Focal Find, Great Start, Fresh Fruit Search, View Menu with Prices, Search Toggler, Easy Login, SearchThatWeb, Freshy Search, Video Search Extension, Get Maps & Driving Directions, Search Anything, Satelliten Earth, Surfer Search, and Fusebase Search.

    Nautilus Search’s “Never Tracks Searches” Store Listing Contradicted by Its Own Privacy Policy

    At least one SearchJack extension, Nautilus Search, explicitly claimed in its Chrome Web Store listing that it “never tracks searches or collects personal data.” The extension’s own privacy policy, published separately, acknowledges the data collection. The store listing and the privacy policy describe opposite behaviors for the same extension.

    That contradiction is not an oversight. A user reading the Chrome Web Store listing before installing Nautilus Search received a direct assurance that the extension would not track their searches. That assurance was false. Every search the user conducted after installation was captured and transmitted to attacker relay infrastructure. No user who relied on the store listing had any basis to know their search history was being collected.

    The Nautilus Search listing represents the clearest case of deliberate consumer deception in the SearchJack campaign, but the broader pattern across all 23 extensions — presenting search customization tools while covertly operating as query interception software — reflects an intentional misrepresentation of core functionality.

    Why 758,000 Users’ Continuous Search Query Records Are More Sensitive Than a One-Time Breach

    Search history is among the most revealing behavioral records a person generates. Health questions researched before a doctor appointment, legal concerns investigated before consulting an attorney, financial stresses, professional research, and personal matters all pass through a search bar. For 758,000 users, all of that passed through SearchJack’s relay servers — on every search, continuously from the moment of installation.

    Unlike a one-time data breach where a fixed dataset is taken at a moment in time, the SearchJack collection was ongoing. The longer each extension remained installed, the more complete the behavioral profile available to the attacker’s infrastructure. A user who installed PerfecTab Search three months before the disclosure had three months of complete search history captured and transmitted. That is not a snapshot — it is a surveillance record.

    Two Independent Chrome Extension Campaigns in 24 Hours Signal a Persistent Web Store Moderation Gap

    SearchJack is a distinct campaign from the 152 “live wallpaper” extensions disclosed by Socket’s Threat Research Team the previous day — separate extensions, separate infrastructure, and a separate manipulation mechanism (search settings override versus ad impression fraud from a shared codebase). The back-to-back disclosures do not indicate coordination between the attackers behind each campaign. They indicate that Chrome Web Store moderation is failing to detect multiple independent malicious extension networks operating simultaneously at significant scale.

    Both campaigns accumulated hundreds of thousands of installations before researchers discovered them through infrastructure analysis rather than automated platform review. Both used misleading privacy descriptions to reduce user suspicion. Neither was caught by the Chrome Web Store before public researcher disclosure triggered the need for removal.

    Chrome users who have any of the 23 SearchJack extensions installed should remove them immediately. Going forward, users should treat extensions that request search settings permissions with heightened scrutiny — chrome_settings_overrides access is the exact capability the SearchJack campaign exploited to intercept every query its victims performed.
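
A defender-side check for the capability described above, as an added example that is not code from MalExt Sentry or the original article: it walks a Chrome profile's Extensions directory and reports every extension whose manifest sets a chrome_settings_overrides search provider, flagging hosts outside an allowlist. The allowlist, the sample extension IDs and names, and the host relay.example.test are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
# Assumption: search hosts this organisation accepts; adjust to local policy.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

def audit_manifest(manifest):
    """Return a finding if the manifest overrides the search provider, else None."""
    overrides = manifest.get("chrome_settings_overrides")
    provider = overrides.get("search_provider") if isinstance(overrides, dict) else None
    if not isinstance(provider, dict):
        return None
    host = (urlsplit(str(provider.get("search_url", ""))).hostname or "").lower()
    return {"name": manifest.get("name", "?"), "search_host": host,
            "is_default": bool(provider.get("is_default")),
            "flagged": host not in ALLOWED_SEARCH_HOSTS}

def audit_extensions_dir(ext_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json for overrides."""
    findings = []
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        finding = audit_manifest(manifest) if isinstance(manifest, dict) else None
        if finding:
            finding["extension_id"] = path.parts[-3]
            findings.append(finding)
    return findings

def build_sample_profile():
    """Write three constructed manifests (not real extensions) to a temp dir."""
    relay = {"search_url": "https://relay.example.test/s?q={searchTerms}", "is_default": True}
    stock = {"search_url": "https://www.google.com/search?q={searchTerms}", "is_default": True}
    samples = {
        "a" * 32: {"name": "Sample Search Tab", "chrome_settings_overrides": {"search_provider": relay}},
        "b" * 32: {"name": "Sample Notes", "permissions": ["storage"]},
        "c" * 32: {"name": "Sample Stock Search", "chrome_settings_overrides": {"search_provider": stock}},
    }
    root = Path(tempfile.mkdtemp())
    for ext_id, manifest in samples.items():
        (root / ext_id / "1.0_0").mkdir(parents=True)
        (root / ext_id / "1.0_0" / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    print(json.dumps(audit_extensions_dir(build_sample_profile()), indent=2))
```

To audit a real profile, pass its Extensions directory to audit_extensions_dir, for example ~/.config/google-chrome/Default/Extensions on Linux.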
