
justaprogressive

(5,265 posts)
Thu Aug 21, 2025, 11:37 AM

Google yet to take down 'screenshot-grabbing' Chrome VPN extension

Security boffins at Koi Security have warned of a shift in behavior of a popular Chrome VPN extension, FreeVPN.One, which recently appears to have begun snaffling screenshots of users' page activity and transmitting them to a remote server without their knowledge – and Google has yet to take it down.

"FreeVPN.One shows how a privacy branding can be flipped into a trap," Koi's Lotan Sery writes in the company's research report. "They've earned verified status and even featured placement on the Chrome Web Store. And while Chrome claims to perform security checks on new versions of extensions, using automated scans, human reviews, and monitoring for malicious code or behavior changes — the reality is that these safeguards failed. This case shows that even with those protections in place, dangerous extensions can slip through, highlighting serious gaps in security across major browser marketplaces."

The report into the FreeVPN.One extension comes amid a surge of interest in VPNs following the introduction of the UK's Online Safety Act. The Act requires certain websites – though not necessarily just the ones you're thinking of – to verify the age of their visitors. If Children's Commissioner Dame Rachel de Souza has her way, however, at least kids won't fall foul of malicious VPNs.

Koi's research found that the extension, which had more than 100,000 verified installations at the time of publication, is silently capturing screenshots a little over a second after each page load before transmitting them to a remote server – initially in the clear, then in a later update obfuscated with encryption. The behavior, the researchers claim, was introduced in July – after laying the groundwork with smaller updates which requested additional permissions to access all sites and inject custom scripts.


https://www.theregister.com/2025/08/21/freevpn_privacy_research/
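The excerpt says the screenshot capture was preceded by smaller updates that requested access to all sites and script injection. As an added example (not from the article, Koi's report, or the extension), here is one way a reviewer could diff two versions of an extension's `manifest.json` and flag that kind of permission growth. The sample manifests, the `vpn-vendor.example` host and the API watchlist are constructed assumptions.

```javascript
// Added example; the manifests below are constructed, not FreeVPN.One's.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Reviewer's watchlist of API permissions (an assumption, tune to taste).
const WATCHED_API = new Set(["scripting", "tabs", "debugger", "webRequest"]);

const isHost = (p) => p === "<all_urls>" || p.includes("://");

// Split what a manifest grants into API permissions, host access and
// content-script match patterns. Handles MV2 (hosts inside "permissions")
// and MV3 ("host_permissions").
function grants(m) {
  const all = [...(m.permissions || []), ...(m.host_permissions || [])];
  return {
    api: new Set(all.filter((p) => !isHost(p))),
    host: new Set(all.filter(isHost)),
    content_script: new Set((m.content_scripts || []).flatMap((c) => c.matches || [])),
  };
}

// Return every grant present in the new version but not the old one;
// `high` marks all-sites access or a watched API.
function auditUpdate(oldManifest, newManifest) {
  const before = grants(oldManifest), after = grants(newManifest);
  const findings = [];
  for (const kind of ["api", "host", "content_script"]) {
    for (const value of after[kind]) {
      if (before[kind].has(value)) continue;
      const high = kind === "api" ? WATCHED_API.has(value) : BROAD_HOSTS.has(value);
      findings.push({ kind, value, high });
    }
  }
  return findings;
}

const SAMPLE_OLD = {
  manifest_version: 3, version: "1.0.0",
  permissions: ["proxy", "storage"],
  host_permissions: ["https://api.vpn-vendor.example/*"],
};
const SAMPLE_NEW = {
  manifest_version: 3, version: "1.1.0",
  permissions: ["proxy", "storage", "scripting", "tabs"],
  host_permissions: ["https://api.vpn-vendor.example/*", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

for (const f of auditUpdate(SAMPLE_OLD, SAMPLE_NEW)) {
  console.log(`${f.high ? "HIGH" : "info"} new ${f.kind}: ${f.value}`);
}
```

A diff like this only shows what an update is newly allowed to do, not what it does; it is a trigger for looking at the new version's code before it rolls out to managed browsers.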