Is picture in picture safe?

Critical risk

Malicious extension that transmits every visited URL to developer's server (backend.pictureinpic.com) and injects iframes with server-controlled content into web pages, enabling remote code execution and credential theft.

v2.2.5Chrome Web Store
100Risk

AI-generated. Findings may contain errors. Those marked Verified have been manually reviewed.

Publishers can request a review.

Findings

Updated 21 May 2026hjbbfikgfdpfaabifikbadhgmofabpam