
Manual Loading of a Suspicious Chromium Extension

Elastic Detection Rules

Summary
This detection rule identifies instances where a Chromium-based browser (Google Chrome, Brave Browser, or Microsoft Edge) is executed with the command line argument `--load-extension`, which threat actors commonly use to load malicious extensions that can extract sensitive data such as cookies and authentication tokens. On macOS, the rule filters out processes spawned by specific parent executables, namely common browser automation tools (Cypress and ChromeDriver) and developer tooling, to reduce false positives. When triggered, this rule indicates that the browser process and the loaded extension should be inspected to prevent potential data theft and system compromise. A comprehensive investigation should analyze the loaded extension's properties and functionality, determine whether any unauthorized activity occurred, and establish how the extension came to be loaded.
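The following is an added worked example, not the rule's own query or any code from Elastic: it implements the detection logic described above in Python and runs it over a handful of constructed process events. The event field names, the exclusion markers for Cypress and ChromeDriver (the summary names the tools but not their exact parent paths), and all sample command lines are assumptions made for illustration. It also extracts the extension path(s) from the flag, which is the first thing an analyst wants when triaging a hit.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Browser process names named by the rule summary.
CHROMIUM_BROWSERS = {"Google Chrome", "Brave Browser", "Microsoft Edge"}

# Assumed (constructed) exclusion list: substrings that identify the parent
# executables the summary says are filtered out to reduce false positives.
EXCLUDED_PARENT_MARKERS = ("cypress", "chromedriver")


@dataclass
class ProcessEvent:
    host_os: str            # e.g. "macos" (assumed field name)
    process_name: str       # e.g. "Google Chrome"
    command_line: str       # full command line as recorded
    parent_executable: str  # path of the parent process


def _split_args(command_line: str) -> List[str]:
    # Tolerate unbalanced quotes in recorded command lines.
    try:
        return shlex.split(command_line)
    except ValueError:
        return command_line.split()


def loaded_extension_paths(command_line: str) -> List[str]:
    """Return the directories passed via --load-extension (either form,
    comma-separated values allowed). Empty list if the flag is absent."""
    args = _split_args(command_line)
    paths: List[str] = []
    for i, arg in enumerate(args):
        if arg.startswith("--load-extension="):
            paths.extend(arg.split("=", 1)[1].split(","))
        elif arg == "--load-extension" and i + 1 < len(args):
            paths.extend(args[i + 1].split(","))
    return [p for p in paths if p]


def is_excluded_parent(parent_executable: str) -> bool:
    # Automation/developer tooling launching the browser is expected behaviour.
    parent = parent_executable.lower()
    return any(marker in parent for marker in EXCLUDED_PARENT_MARKERS)


def matches_rule(event: ProcessEvent) -> bool:
    return (
        event.host_os == "macos"
        and event.process_name in CHROMIUM_BROWSERS
        and bool(loaded_extension_paths(event.command_line))
        and not is_excluded_parent(event.parent_executable)
    )


def evaluate(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Apply the rule and return triage-ready records for each hit."""
    return [
        {
            "process": ev.process_name,
            "parent": ev.parent_executable,
            "extensions": loaded_extension_paths(ev.command_line),
        }
        for ev in events
        if matches_rule(ev)
    ]


# Constructed sample events; none of these paths come from the rule page.
SAMPLE_EVENTS = [
    ProcessEvent("macos", "Google Chrome",
                 '"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" '
                 "--load-extension=/Users/alice/Library/Caches/.upd/ext",
                 "/bin/zsh"),                                   # hit
    ProcessEvent("macos", "Google Chrome",
                 '"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" '
                 "--load-extension=/tmp/cy-ext",
                 "/Users/dev/project/node_modules/.bin/cypress"),  # excluded parent
    ProcessEvent("macos", "Microsoft Edge",
                 '"/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge" '
                 "--profile-directory=Default",
                 "/usr/bin/open"),                              # no flag
    ProcessEvent("windows", "Brave Browser",
                 "brave.exe --load-extension=C:/ext", "cmd.exe"),  # not macOS
    ProcessEvent("macos", "Brave Browser",
                 '"/Applications/Brave Browser.app/Contents/MacOS/Brave Browser" '
                 "--load-extension /Users/bob/ext1,/Users/bob/ext2",
                 "/bin/bash"),                                  # hit, two paths
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two expected hits with their extension directories; a real deployment would replace SAMPLE_EVENTS with process events from the endpoint data source and feed the returned records into the investigation described above.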
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1176
  • T1539
Created: 2026-01-30