Thirty malicious web browser extensions with more than a million installs in Google Chrome and Microsoft Edge have been leveraged as part of the new Dormant Colors malvertising campaign, reports BleepingComputer. Such extensions, which provide color customization options and are downloaded without any malicious code, perform search hijacking to facilitate affiliate link insertion to webpages, a report from Guardio Labs revealed. Attacks commence with the download of innocuous-looking color-changing extensions that redirect victims to different pages that side-load scripts for search hijacking and affiliate link insertion. "To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement that finalizes this flow as it is was just another advertisement popup," said researchers. Aside from performing affiliation hijacking, Dormant Colors operators could launch more severe compromises using the same side-loading approach, with the technique likely to be used for phishing pages aimed at exfiltrating Microsoft 365, social media, bank site, and Google Workspace credentials.