I've been publishing browser extensions for over 15 years. Our team at Coffee & Fun runs several extensions with over 1,000,000 users each. I love extensions. I love the web. I wrote a whole post last year about how I'd improve the Chrome Web Store, and a lot of what I said then still stands. But things have gotten noticeably worse since then, and I think it's time to be blunt about it.
The Chrome Web Store and the Microsoft Edge Add-ons Store both have a quality problem, and it's accelerating fast.
What's Actually Happening Right Now
If you submit an extension update today, you're looking at four to five days for a review. That's not a one-off delay. That's become the new normal. And the reason is pretty straightforward: the review queue is absolutely swamped.
The rise of what people are calling "vibe coding", where someone uses AI to generate an entire extension in an afternoon, has created a tidal wave of new submissions. Everyone and their mother is shipping a Chrome extension right now. Most of them shouldn't be.
I'm not gatekeeping here. I genuinely want more developers building for the web. But there's a difference between someone learning to build something real and someone prompting an AI to spit out a Chrome extension they'll never maintain, wrapped in an AI-generated description with AI-generated icons and screenshots that look like they were taken on a phone from across the room.
Go browse the trending page on the Chrome Web Store right now. I'll wait.
The Screenshots Tell the Story
I spent ten minutes on the trending page and found enough examples to write this entire post. I'm not trying to be harsh to individual developers here, but the bar for what gets published, and even what gets featured, has dropped through the floor.
You'll find extensions with:
- AI-generated descriptions that all read like they came from the same prompt. You know the ones. "Elevate your browsing experience with this powerful yet lightweight extension that seamlessly integrates..."
- Icons that are clearly AI-generated with no thought to branding or clarity.
- Screenshots that are either blurry, cropped badly, or just show a random piece of UI with no context for what the extension actually does.
- Names and branding that ride on existing trademarks with no apparent enforcement.
I want to be clear: I'm not singling out any specific developer here, and no offence is intended to anyone whose extension I mention. These were found at random just by browsing the trending page for a few minutes, and that's kind of the point. You don't have to look hard.
Take Get Token Cookie. This is on the Chrome Web Store right now, listed under Social Networking with 400,000 users. Its interface is literally showing cookie and token extraction for Facebook. I have questions about how this passed review, but more importantly, it tells you something about the level of scrutiny extensions are getting.
Or look at this 2FA extension that uses the Google Authenticator branding, the Google blue, the Google name, right there in the listing image. It's not made by Google. It has a "Featured" badge. How did this pass? On the Apple App Store, this would be rejected in about thirty seconds for trademark issues alone.
Here's another one — RandomCats, a Featured extension that just shows random photos of cats. 567 users, 4 ratings, and a Featured badge. The screenshots are a single popup window. This is what the Featured badge is being given to now.
And then there's meowad, which replaces ads on Twitter with cat meowing. 4.9 stars, 56 ratings, and its description literally says "meow :3". I'm not making this up.
Again, nothing personal against these developers. But the fact that these listings exist unchallenged tells you everything about where the standards are right now. None of this would fly on Apple's platform. Say what you want about Apple's review process being slow or strict, but the result is that when you download something from the App Store, there's a baseline level of quality and trust. The screenshots look real. The descriptions are coherent. The branding is original. And if you try to impersonate another company's product, you're going to get rejected.
The Chrome Web Store used to have something resembling that. Right now, it doesn't.
Honestly, What Do These Add to the Store?
I want to ask a genuine question here. Look at these two listings side by side.
One is RandomCats. It shows random photos of cats. 567 users, 4 ratings, a single screenshot that's just the popup window. It has a Featured badge. The other is a 2FA extension that's wrapped itself entirely in Google's Authenticator branding — the name, the blue, the logo style — despite having nothing to do with Google. It also has a Featured badge.
What do these add to the store? What value do they bring to users? What problem are they solving that isn't already solved by a thousand other things?
Let's be honest about RandomCats. Should it even be in the store? It's a popup that shows a random cat photo. That's it. There's no utility, no problem being solved, no reason for it to exist as a browser extension when you could just open a browser tab and type "cat" into Google Images. This isn't a tool. It's barely a feature. And yet it passed review, got published, and somehow earned a Featured badge — the same badge that's supposed to tell users "this meets our highest standards." A popup that fetches a random cat photo meets Google's highest standards? Come on.
And the 2FA one is worse, because it's not just low effort — it's actively misleading. A regular user sees "Google Authenticator" in the listing image with a Featured badge and thinks Google made it. They trust it with their two-factor authentication codes. That's not a quality problem. That's a trust problem. That's the kind of thing that erodes confidence in the entire platform.
I keep coming back to the same thought: if you submitted either of these to the Apple App Store, they'd be rejected before lunch. The cat app would get flagged for low functionality. The 2FA app would get rejected for trademark violation. And honestly, that's the right call in both cases. Not because there's anything wrong with building a fun cat extension, but because a curated store has to mean something. If everything gets in, the curation means nothing.
The Chrome Web Store used to feel curated. Now it feels like a free-for-all, and the Featured badge is just along for the ride.
The "Featured" Badge Has Lost Its Meaning
I wrote about this last year, and it's only gotten worse. The Featured badge is supposed to signal that an extension meets Google's standards for quality, design, and best practices. It used to mean something.
Now? Look at the examples above. Extensions with AI-generated icons, boilerplate descriptions, screenshots that wouldn't pass a college presentation review, and outright trademark infringement — all wearing the same badge as extensions built by teams who've spent years earning user trust. If Featured doesn't meaningfully separate high-quality extensions from the rest, what's the point of it?
For developers like us who put real effort into meeting those standards, maintaining clean code, writing proper descriptions, designing real screenshots, following Material Design guidelines, it's frustrating. The badge that's supposed to reward that effort is being handed out like candy.
The Review Backlog Is Hurting Real Developers
Here's the practical impact. When I push a bug fix for an extension used by over a million people, I now wait four or five days for it to clear review. That's four or five days where users are sitting on a known bug because the review team is buried under a mountain of AI-generated "productivity boosters" and "tab managers" that nobody asked for.
This isn't a theoretical problem. This is costing real developers real time and affecting real users. The review queue is a shared resource, and it's being consumed disproportionately by submissions that probably shouldn't exist in the first place.
It's Not Just About Quality. It's About Security.
The low bar for getting on the Chrome Web Store isn't just a quality problem. It's a security problem, and the last 18 months have made that painfully clear.
In December 2024, attackers ran a phishing campaign that compromised developer accounts and injected data-stealing malware into 36 Chrome extensions, collectively used by 2.6 million people. One of the victims was Cyberhaven, a data security company, whose compromised extension was used to exfiltrate cookies and authenticated sessions. The phishing email was disguised as official communication from "Google Chrome Web Store Developer Support," and despite the developer having MFA and Google Advanced Protection enabled, the attacker still got in through a malicious OAuth app. These weren't shady no-name extensions. These were legitimate products with real user bases.
It didn't stop there. On Christmas Eve 2025, the Trust Wallet Chrome extension was hit by a supply chain attack after a Chrome Web Store API key was leaked through exposed GitHub secrets. The attacker pushed a malicious update that stole users' seed phrases every time the wallet was unlocked and drained approximately $8.5 million in cryptocurrency from over 2,500 wallets to 17 attacker-controlled addresses. The malicious version bypassed the vendor's own internal release controls because the attacker had the API key to publish directly to the store.
In early 2026, researchers found 287 Chrome extensions with 37.4 million total installations that were quietly exfiltrating browsing history to data brokers. That's roughly 1% of the entire global Chrome user base. Around the same time, another campaign was caught stealing ChatGPT and DeepSeek conversations from over 900,000 users through extensions that looked like legitimate AI tools. And in March 2026, an extension was transferred to a new owner and turned malicious, injecting code and stealing user data — despite having previously received a "Featured" badge.
Then there's DarkSpectre, a campaign attributed to a Chinese threat actor that ran across multiple browser extension operations — ShadyPanda, Zoom Stealer, and GhostPoster — affecting 8.8 million users over seven years. Seven years. That's how long malicious extensions can operate before getting caught. And as researchers warned: "DarkSpectre likely has more infrastructure in place right now — extensions that look completely legitimate because they are legitimate, for now. They're still in the trust-building phase, accumulating users, earning badges, waiting."
This is what happens when the barrier to entry is five dollars and there's no real identity verification. Attackers can create throwaway developer accounts, phish their way into legitimate ones, or just buy ownership of existing extensions and flip them malicious overnight. The current system makes all of this too easy.
Every one of these incidents is an argument for higher standards, verified developer identities, and a review process that actually catches this stuff before millions of users are affected.
What I Think Should Change
I've been thinking about this for a while, and I don't think the solutions need to be complicated. They just need to exist.
Raise the Submission Standards
Before an extension gets published, it should meet a basic bar. Original icons and branding, not AI-generated placeholder art. Screenshots that actually show the extension working. Descriptions written by a human who has used the product. No trademark infringement in listing images or names.
These aren't unreasonable asks. This is the bare minimum for any app store that wants to maintain user trust.
Increase the Developer Fee
Right now, it costs $5 one-time to register as a Chrome Web Store developer. Five dollars, once, forever. That's it. There's essentially no financial barrier to flooding the store with junk.
I think the fee should go up to $50 a year. Will that exclude some people? Maybe. But it would also dramatically cut down on throwaway accounts and low-effort spam. If you're serious about building something people will use, fifty dollars a year is nothing. If you're spinning up extensions for SEO juice or to test what ChatGPT can build in an afternoon, maybe you think twice.
Apple charges $99 a year for their developer program. Google Play charges $25 one-time. The Chrome Web Store's $5 lifetime fee is out of step with every other major platform.
Require Real Developer Identity
No more anonymous developers. If you're publishing code that runs in someone's browser, that has access to their tabs, their cookies, their browsing data, you should have a verified identity attached to your account. A real name, a real organization, something that creates accountability.
This isn't about privacy for developers. This is about trust for users. When someone installs an extension, they're giving it real access to their digital life. They deserve to know there's a real person or company behind it, someone who can be held accountable.
Actually Enforce Trademark Rules
If an extension listing uses another company's name, logo, or branding in a way that implies affiliation, reject it. Full stop. The fact that someone can put "Google Authenticator" branding on an unrelated extension and get a Featured badge is, frankly, embarrassing for the platform.
This Isn't Just a Google Problem
I've focused mostly on the Chrome Web Store here because that's where we do most of our work, but the Edge Add-ons Store has the same issues. Microsoft has the same review bottlenecks, the same influx of AI-generated extensions, and the same lack of quality enforcement.
Both platforms need to step up. The browser extension ecosystem is a genuinely powerful part of the web, and it deserves better stewardship than what it's getting right now.
To Google, to Microsoft, to Anyone Listening
I'm not writing this to complain. I'm writing this because I care about this ecosystem. I've spent 15 years building for it. Our extensions are used by millions of people. I want the web store to be a place where good work gets recognized and users can install extensions with confidence.
Right now, it's heading in the wrong direction. The flood of low-effort, AI-generated extensions is degrading the experience for users and developers alike. The review backlog is punishing the developers who are actually maintaining quality products. And the standards that are supposed to protect the platform are either not being enforced or aren't high enough to begin with.
The fixes aren't complicated. Higher standards, real fees, verified identities, trademark enforcement. Other platforms already do this. It's time for the Chrome Web Store and Edge Add-ons Store to catch up.
If anyone from Google or Microsoft is reading this, I'd love to talk. Reach out anytime at [email protected].
Robert James Gabriel is the founder of Coffee & Fun LLC, a software company focused on browser extensions and web tools. He has been developing and publishing extensions for over 15 years.