Modern companies move fast by default, and the push for AI-driven productivity is accelerating the pace even further. But the relentless pursuit of speed, often turbocharged by seemingly-innocuous tools, risks sidelining essential security practices, creating unseen vulnerabilities.

A new report from browser security firm LayerX Security quantifies just how pervasive—and potentially perilous—this trade-off has become, focusing squarely on the ubiquitous browser extension. LayerX says the report (available here), which combines public extension store data with telemetry from its enterprise customer base, paints a picture of widespread adoption coupled with significant, often unmanaged, risk.

Ubiquitous and underestimated: According to the report, browser extensions are virtually everywhere in the enterprise, with 99% of users having at least one installed. More concerningly, over half (53%) have more than 10 extensions running, dramatically expanding the potential attack surface associated with each employee.

Privilege creep: The risk isn't just about quantity. LayerX found that 53% of enterprise users have installed extensions demanding "high" or "critical" permission scopes. These permissions can grant extensions access to sensitive corporate data, including cookies, passwords, web page content, and browsing history—effectively turning a productivity tool into a potential internal threat vector. "Browser extensions have quietly become one of the most overlooked threat surfaces in enterprise environments," said Or Eshed, CEO and Co-founder of LayerX Security, in the company's announcement.

GenAI accelerant: The drive for AI capabilities is further complicating the picture. LayerX reports that over 20% of enterprise users have installed a GenAI-enabled browser extension. These tools, often adopted rapidly by employees seeking efficiency gains, tend to be riskier than average, with 58% possessing high or critical permissions – double the average rate for other extensions, according to LayerX. This suggests employees may be bypassing corporate AI controls and introducing significant data access risks through unchecked extensions.

Trust black hole: Compounding the issue is a fundamental lack of transparency and vetting in the extension ecosystem. LayerX's research found that over half (54%) of extension publishers are identified only by a free webmail address (like Gmail), and a vast majority (79%) have only ever published a single extension—making it difficult for IT teams to assess publisher reputation. Furthermore, 51% of extensions haven't been updated in over a year, raising concerns about unpatched vulnerabilities and potentially abandoned software. LayerX also noted that 26% of extensions in enterprise environments were "sideloaded," installed directly onto the browser outside of official stores, bypassing even basic vetting processes.

Known attack vector: While LayerX focuses on permissions and vetting, the broader security community recognizes extensions as an active threat channel. Recent reporting highlighted separate research from SquareX concerning polymorphic extensions designed to spoof legitimate add-ons for credential theft. Another report, from Ontinue, noted the increasing use of browser extensions by cybercriminals to deliver malware and maintain persistence within compromised systems.

Recommendations: Based on its findings, LayerX advises organizations to adopt a proactive stance. Their recommendations, outlined in a The Hacker News post, include auditing all extensions, categorizing them by risk, enumerating permissions, performing holistic risk assessments considering publisher reputation and update frequency, and applying adaptive, risk-based enforcement policies.