Free VPN browser extensions can be tempting when you want to bypass geo-restrictions or protect your privacy without paying for a subscription. But a new report suggests that two seemingly harmless VPN extensions on Chrome and Firefox have been doing the exact opposite.
Researchers at Socket’s Threat Research Team have uncovered two browser extensions posing as free VPN services that were secretly updated to steal users’ clipboard contents. Combined, the Chrome and Firefox add-ons had nearly 3,700 users at the time of the researchers’ analysis, putting thousands of people at risk.
The affected extensions are:
VPN Go: Free VPN for Google Chrome (146 users)
Free VPN by VPN GO for Mozilla Firefox (3,522 users)
According to Socket, both extensions genuinely functioned as VPN/proxy tools, making them appear legitimate. However, later updates quietly introduced malicious code that continuously monitored users’ clipboards and transmitted copied data to servers controlled by the threat actors. That may not sound alarming at first, but consider how often you copy sensitive information throughout the day.
Passwords, one-time verification codes, cryptocurrency wallet addresses, recovery phrases, API keys, login links, cloud credentials, and even banking information are frequently copied and pasted rather than typed manually. If a malicious extension can read everything you copy, it may gain access to some of your most valuable digital secrets.
What makes the campaign particularly concerning is how it evolved. Socket found that the original Chrome extension, first published in December 2025, behaved like a normal VPN. The clipboard-stealing functionality wasn’t introduced until an update released in late May 2026. The Firefox extension followed a similar pattern, with earlier versions appearing clean before later updates added the malicious behavior.
In other words, users may have installed what looked like a legitimate VPN months earlier, only for it to become malicious after an automatic update.
To make matters worse, both extensions publicly claimed they did not collect user data. Their store listings and privacy policy promised privacy-focused browsing, while the underlying code was actively collecting clipboard contents and sending them to attacker-controlled servers.
Socket has since reported both extensions to Google and Mozilla for review and removal. But when I checked, only Google has removed the extension from the Chrome Web Store, but Mozilla hasn’t. In fact, the extension has gained more users on Firefox since Socket’s reporting, now standing at 3,522, up from the previously reported 3,499 users.
Google has already removed VPN Go: Free VPN from the Chrome Web Store
If either extension is installed on your browser, I strongly recommend removing it immediately. More importantly, you should assume that any sensitive information copied while the extension was active may have been exposed. That includes passwords, passkeys, recovery codes, cryptocurrency seed phrases, API tokens, cloud credentials, and any other confidential data you may have copied.
As a precaution, it’s also worth changing passwords for important accounts, rotating API keys where applicable, and enabling multi-factor authentication if you haven’t already.
The post PSA: Delete these ‘free VPN’ Chrome & Firefox extensions; they’re stealing your clipboard contents appeared first on PiunikaWeb.