Microsoft has removed 119 malicious Microsoft Edge extensions, tied to a single actor active since at least 2021, that hid their payloads inside ordinary image and font files using steganography. The extensions posed as ad blockers, VPNs, translators, and similar tools, worked as advertised, and stayed dormant for days while passing evasion checks, which let them survive in the store for years and reach up to 2.6 million installs. Beyond ad fraud and affiliate hijacking, the more dangerous variants stole Google credentials and two-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking, with extra aggression against corporate and banking targets. Microsoft has published indicators of compromise.