Think about the last piece of software you formally approved for your business. A real evaluation — who needs it, what it can touch, who's responsible for it. Now think about how much software is actually running that never went through anything like that.
I'll tell you what I find when I look: a dozen browser extensions somebody added to "clean up PDFs," a handful of plugins on the company website that a marketing contractor installed two years ago, and a spreadsheet that quietly grew into an app the sales team now depends on. None of it was vetted. All of it is running with access to your work.
That's the part worth sitting with. We think of "installing software" as a deliberate act — a decision, a download, maybe a note to IT. It stopped being that a while ago. A browser extension is an install. A website plugin is an install. A low-code app your operations lead built over a weekend is an install. Each one is code, running with permissions somebody granted, and most days nobody remembers granting them.
Why I'm bringing this up now
Three separate stories landed recently, and they're really the same story told in three places.
First, the browser. Microsoft caught a Chrome extension called "Search for perplexity ai" that impersonated the real Perplexity AI tool. It logged every character typed into the address bar — including searches you started and abandoned — and shipped them off to a server the attacker controlled, then quietly forwarded you to real results so you'd never notice. The Hacker News covered the takedown. That wasn't a one-off: researchers also found a network of 152 "live wallpaper" extensions with about 105,000 installs that swore in their store listing they collected no data, while the fine print admitted they logged IPs and clicks and sold the traffic. The store's review process caught neither one quickly.
Second, the website. A critical flaw in the popular Everest Forms Pro WordPress plugin (CVE-2026-3300) is being actively exploited to take over sites completely — no login required. Wordfence reported blocking tens of thousands of attacks, and compromised sites turned up rogue administrator accounts nobody created. One aging plugin on your marketing site is all it takes.
Third, the quiet one. Gartner expects low-code and no-code tools to be behind roughly three-quarters of new business apps, with most of them built by people who don't work in IT. That's genuinely useful — until the app holding your customer list lives on a platform nobody in charge has ever seen.
Different headlines. Same root: software that got in without anyone checking the door.
The three doors, and what to do about each
You don't need to lock everything down. You need to see it, and put a little friction where it matters.
Browser extensions. Treat them like software installs, because they are. Open chrome://extensions (or your browser's equivalent) on a few machines and actually read the list. Remove anything nobody can name a reason for. Be especially wary of extensions wearing an AI logo right now — a familiar brand is the easiest disguise there is. Going forward, decide who's allowed to add one, and keep a short approved list instead of a free-for-all.
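Reading chrome://extensions on a few machines works; reading it on forty does not. The script below is an added example, not code from the original post. It walks the folder where Chrome unpacks store extensions (`<profile>/Extensions/<id>/<version>/manifest.json`), expands the localized name from `_locales`, and flags anything that is not on your approved list or that holds a permission broad enough to read every page. The `APPROVED_IDS` set, the `BROAD_PERMISSIONS` set and the two-extension sample profile are constructed placeholders; replace the first with the IDs you have actually signed off on.

```python
"""Inventory the Chrome extensions in a profile and flag the ones that hold
broad permissions or are not on the approved list.

Chrome unpacks store extensions under
  <profile>/Extensions/<32-char id>/<version>/manifest.json
so the inventory is a walk over those manifests. Added example; the
approved-ID list and the sample profile below are constructed placeholders.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter what the user does in the
# browser. Anything holding one of these deserves a named owner.
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "webNavigation", "tabs", "history",
    "cookies", "clipboardRead", "nativeMessaging", "debugger",
}

# Extension IDs the business has actually approved (placeholder value).
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def default_profile_dir() -> Path:
    """Chrome's default profile directory on the current OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data/Default"
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default"
    return home / ".config/google-chrome/Default"


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Expand a localized name such as "__MSG_appName__" from _locales."""
    name = manifest.get("name", "?")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    messages = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(messages.read_text(encoding="utf-8"))[key]["message"]
    except (OSError, KeyError, ValueError):
        return name


def inventory(profile_dir: Path) -> list[dict]:
    """One record per installed extension version found on disk."""
    records = []
    for manifest_path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue
        # MV2 keeps host patterns in "permissions"; MV3 splits them into
        # "host_permissions". Some manifests use dict entries; keep strings only.
        perms = {p for p in manifest.get("permissions", []) + manifest.get("host_permissions", [])
                 if isinstance(p, str)}
        records.append({
            "id": ext_id,
            "name": resolve_name(version_dir, manifest),
            "version": manifest.get("version", version_dir.name),
            "broad": sorted(perms & BROAD_PERMISSIONS),
            "approved": ext_id in APPROVED_IDS,
        })
    return records


def needs_review(records: list[dict]) -> list[dict]:
    """Extensions nobody approved, or that can read every page."""
    return [r for r in records if not r["approved"] or r["broad"]]


def build_sample_profile() -> Path:
    """Constructed two-extension profile so the script runs offline."""
    root = Path(tempfile.mkdtemp())
    specs = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # approved, narrow permissions
            "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
            "version": "1.2.0", "permissions": ["storage"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # unapproved "PDF cleaner" that sees every page
            "manifest_version": 3, "name": "PDF Cleaner", "version": "0.9",
            "permissions": ["webRequest", "tabs"], "host_permissions": ["<all_urls>"],
        },
    }
    for ext_id, manifest in specs.items():
        version_dir = root / "Extensions" / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if "default_locale" in manifest:
            locale_dir = version_dir / "_locales" / manifest["default_locale"]
            locale_dir.mkdir(parents=True)
            (locale_dir / "messages.json").write_text(
                json.dumps({"appName": {"message": "Approved Notes"}}), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_profile_dir()
    if not (target / "Extensions").is_dir():
        print(f"no Extensions folder under {target}; using the constructed sample profile")
        target = build_sample_profile()
    for rec in needs_review(inventory(target)):
        status = "approved" if rec["approved"] else "UNAPPROVED"
        print(f"{status:10} {rec['id']} {rec['name']} {rec['version']} broad={rec['broad']}")
```

Run it with no arguments on a workstation to scan that user's default profile, or point it at a profile folder copied from another machine. Two caveats: disabled extensions still sit on disk, so they show up (which is what you want for an inventory), and the script only reports. The "short approved list" the post recommends is enforced with Chrome's managed `ExtensionInstallAllowlist` policy, which turns this report into a rule.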
Website plugins. Every plugin on your WordPress site is code you're trusting with your storefront. Keep them updated — most real attacks hit a flaw that was patched weeks earlier and nobody applied. Delete plugins you're not using instead of leaving them "deactivated but installed," since dormant code still gets exploited. And know who's responsible for that update happening. If the honest answer is "no one," that's the finding.
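The three checks in that paragraph (is anything out of date, is anything installed but inactive, and did an administrator account appear that nobody created) can all be asked of WP-CLI, which ships with most managed WordPress hosts. The script below is an added example, not code from the post or from WordPress. It parses the JSON that `wp plugin list --format=json` and `wp user list --role=administrator --format=json` print and emits the `wp plugin update` / `wp plugin delete` commands that would act on the findings. The field names follow WP-CLI's documented output (`status`, `update`, `update_version`, `user_login`, `user_registered`); the sample JSON, the site path and the `EXPECTED_ADMINS` set are constructed placeholders.

```python
"""Audit a WordPress site's plugins and administrator accounts with WP-CLI.

Added example, not from the original post. It parses the JSON that
`wp plugin list --format=json` and `wp user list --format=json` print and
emits the WP-CLI commands that would fix what it finds. The sample JSON,
the site path and the expected-admin list are constructed placeholders.
"""
import json
import subprocess
import sys

# Administrator logins you know should exist (placeholder). Anything else is
# the kind of rogue admin account the post describes turning up on
# compromised sites.
EXPECTED_ADMINS = {"owner"}

# Constructed sample of `wp plugin list --format=json`.
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "seo-helper", "status": "active", "update": "none", "version": "4.1.0"},
    {"name": "example-forms", "status": "active", "update": "available",
     "version": "2.3.1", "update_version": "2.4.0"},
    {"name": "old-slider", "status": "inactive", "update": "available",
     "version": "1.0.0", "update_version": "1.7.2"},
])

# Constructed sample of
# `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=json`.
SAMPLE_ADMINS_JSON = json.dumps([
    {"user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 10:15:00"},
    {"user_login": "wp-support", "user_email": "x@example.net",
     "user_registered": "2026-03-29 03:12:44"},
])


def run_wp(args: list[str], site_path: str) -> str:
    """Run a WP-CLI command against the site and return its JSON stdout."""
    cmd = ["wp", *args, f"--path={site_path}", "--format=json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit_plugins(plugins_json: str) -> dict:
    """Sort plugins into: update now, delete (installed but inactive), fine as-is."""
    result = {"update": [], "delete": [], "ok": []}
    for plugin in json.loads(plugins_json):
        if plugin.get("status") == "inactive":
            # Dormant code is still on disk and still reachable; delete, don't keep.
            result["delete"].append(plugin["name"])
        elif plugin.get("update") == "available":
            result["update"].append(plugin["name"])
        else:
            result["ok"].append(plugin["name"])
    return result


def unexpected_admins(admins_json: str) -> list[dict]:
    """Administrator accounts that are not on the expected list."""
    return [a for a in json.loads(admins_json) if a["user_login"] not in EXPECTED_ADMINS]


def remediation_commands(plugin_audit: dict, site_path: str) -> list[str]:
    """The WP-CLI commands an admin would run to act on the audit."""
    cmds = [f"wp plugin update {name} --path={site_path}" for name in plugin_audit["update"]]
    cmds += [f"wp plugin delete {name} --path={site_path}" for name in plugin_audit["delete"]]
    return cmds


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else None
    if site:
        plugins_json = run_wp(["plugin", "list"], site)
        admins_json = run_wp(["user", "list", "--role=administrator",
                              "--fields=user_login,user_email,user_registered"], site)
    else:
        # No site path given: use the constructed samples so the script runs offline.
        site, plugins_json, admins_json = "/var/www/html", SAMPLE_PLUGINS_JSON, SAMPLE_ADMINS_JSON
    audit = audit_plugins(plugins_json)
    for cmd in remediation_commands(audit, site):
        print(cmd)
    for admin in unexpected_admins(admins_json):
        print(f"REVIEW admin {admin['user_login']} <{admin['user_email']}> "
              f"registered {admin['user_registered']}")
```

Pass the WordPress install path as the only argument to run it against a real site; with no argument it audits the constructed samples. It prints commands rather than running them so that whoever owns the site (the post's "know who's responsible") sees what is about to change, and the registration timestamp on any unexpected administrator is the first thing to compare against your own change history.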
Low-code and homegrown apps. Don't ban them — you'd lose a good thing and drive it underground anyway. Just make a list. What has your team built, on what platform, holding what data, and who owns it if it breaks? Ask specifically whether any of them touch real customer information or connect to your other systems. That inventory alone catches most of the risk.
The pattern under all of it
Every one of these is the same decision made quietly: this tool is helpful, so I'll add it. Usually that's fine. The problem is that nobody's keeping the list, so "a few helpful tools" becomes a sprawl of standing access no one can account for — and attackers go looking for exactly that.
Least privilege is the whole idea, and it's simpler than it sounds: a tool should hold the least access it needs, and someone should be able to say why it's there. When you can't answer that for something running in your business, you've found your next fifteen minutes of work.
Key takeaways
- Browser extensions, website plugins, and low-code apps are all software installs — code running with access your team granted, often without IT.
- Recent, real incidents hit all three: a keystroke-logging fake AI extension, a mass adware extension network, and an actively exploited WordPress plugin flaw.
- You don't need to ban them. Inventory what's running, remove what nobody can justify, keep the rest patched, and decide who's allowed to add more.
How we help
Most of the small businesses we work with are surprised by what turns up when we finally take that inventory — not because anyone was careless, but because this kind of software never announced itself. That's the work we do: we help you see everything running across your browsers, your website, and your team's own tools, prune what shouldn't be there, and set up a sane way to approve what's next — so useful stays useful and doesn't quietly become your biggest exposure. If nobody owns that list at your company today, we'd be glad to help you build it — for businesses across New York and the Puget Sound alike.
Ready to talk it through?
Reach Amoeba Networks whichever way is easiest:
- Call (212) 444-9780
- Email info@amoebanetworks.com
- Use the contact form
- Or just click on Mike — the floating Contact button with his face in the corner of any page — to grab a time on his calendar.