Microsoft

Microsoft removes 119 Edge extensions hiding malware in images and

TrendWatcher AI (Enhanced)·2h ago·neutral

Most covered nowLIVEsee all →

NFTcryptoHot20 stories AltcoinscryptoHot20 stories ChainlinkcryptoHot20 stories LitecoincryptoHot20 stories StablecoinscryptoHot20 stories Ethereumcrypto7 stories Microsofttech10 stories Fed Ratesfinance8 stories

At a glance
Extensions removed	119
Max install base	2.6 million users
Threat actor activity	Since 2021
Malware delivery method	Steganography in PNG, WebP, WOFF2 files

How the extensions worked

The extensions—ranging from ad blockers and VPNs to translators and video downloaders—functioned normally and earned positive reviews, allowing them to linger in the Edge Add‑ons store for years. Each carried dormant malicious code that activated only after passing a series of evasion checks, a delay that let the payload “wake up” days after install [1]. Early variants appended JavaScript after the IEND marker of a PNG icon; later versions switched to WebP images and WOFF2 font files, embedding code in glyph ranges that appear as Asian text or font metadata. Microsoft notes that such large‑scale steganography is rare in the browser‑extension ecosystem [1].

Impact and scope

The hidden payloads served two primary goals. First, they injected ads and hijacked affiliate links on sites such as Amazon, eBay and AliExpress, generating illicit revenue for the operators. Second, they stole credentials—including Google passwords, two‑factor codes, and WordPress admin logins—and exfiltrated cookies for session hijacking [1]. Microsoft’s analysis also found seven Google Analytics IDs used as covert telemetry, giving the actor near‑real‑time visibility into the campaign [1]. The operation employed more than ten command‑and‑control domains, leveraged Cloudflare Workers and GitHub Pages for hosting, and migrated from Manifest V2 to V3 as Edge evolved [1].

Market reaction

Microsoft’s removal of the extensions coincided with a modest dip in its stock price on the day of the announcement [2]. While the share movement reflects investor sensitivity to security incidents, the broader impact is limited to Edge users, as the extensions have now been taken down and the 90‑plus developer accounts behind them suspended [1]. The episode highlights the ongoing challenge for browser stores to vet add‑ons that appear benign but embed malicious code in non‑executable assets.

What to watch

Extension audit rollout – Microsoft may expand its review process for Edge add‑ons, potentially affecting future developer submissions.
Threat actor activity – Indicators of compromise released by Microsoft could surface in other Chromium browsers, signaling whether the campaign migrates elsewhere.
Edge market share – Any shift in user confidence could influence Edge’s adoption relative to Chrome and Firefox in the coming quarters.

The removal of the 119 StegoAd extensions removes a sizable covert attack vector, but the actor’s infrastructure and use of common asset types suggest the technique could reappear in other browsers or future extensions, keeping the security community on alert.

Keep reading

MicrosoftMicrosoft raises Xbox prices up to $150, announces layoffsTrendWatcher AI (Enhanced) · 2h ago MicrosoftMicrosoft shares down 17% in June, $570 billion loss, worst monthTrendWatcher AI (Enhanced) · 2h ago MicrosoftMicrosoft taps 33‑year‑old Jacob Andreou to revive Copilot AITrendWatcher AI (Enhanced) · 2h ago MicrosoftMicrosoft stock slides 12% after earnings, $357 B value lossTrendWatcher AI (Enhanced) · 2h ago MicrosoftFBI warns Microsoft 365 users of Kali365 passwordless phishing scamTrendWatcher AI (Enhanced) · 2h ago MicrosoftMicrosoft faces Italian regulator probe over M365 AI pricingTrendWatcher AI (Enhanced) · 2h ago

Coming upLIVEsee all →

JUN 30 · all day UTCcryptoCelestia Token Unlock JUN 30 · all day UTCcryptoOptimism Token Unlock JUL 1 · all day UTCcryptoWorldcoin Token Unlock JUL 1 · all day UTCcryptoSui Token Unlock JUL 2 · 12:30 UTCmacroUS Jobs Report (NFP)

Across the coverage

Coverage is mostly measured — 46 of 46 reports stay neutral.

Neutral 46

The Catalyst Brief

Know what’s about to move the market.

Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.

Free · 3-min read · one-click unsubscribe

Synthesized from 3 sources

AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jun 29, 2026 · How we report

Published

Jun 29, 2026, 07:39 PM

Source

TrendWatcher AI (Enhanced)

Frequently asked · Microsoft

Why did Microsoft’s shares decline sharply in June?

Shares fell due to investor worries about high AI spending, potential erosion of demand for traditional software, and weaker-than‑expected Azure growth, leading to a 17% drop and a $570 billion loss in market value.

What is the valuation of Microsoft compared to its historical average?

The stock trades at about 19 times forward earnings, a discount to the S&P 500 multiple of 20 and well below its 10‑year average of 27.

What was the StegoAd campaign discovered by Microsoft?

StegoAd was a malicious extension operation that hid code in image and font files, delivering ad fraud and credential‑theft payloads across 119 Edge extensions with an estimated install base of up to 2.6 million users.

How did Microsoft respond to the malicious extensions?

Microsoft removed all 119 extensions, suspended over 90 developer accounts, and published remediation steps and indicators of compromise for users.

What are analysts' expectations for Microsoft’s revenue growth?

Analysts project revenue to grow 17% in the current fiscal year, accelerating to 18% by fiscal 2028 and 20% by fiscal 2029.

Explore More

Ethereum Bitcoin OpenAI Tesla Fed Rates Layer 2 Scaling