260,000 Chrome Users Exposed by Fake AI Extensions Targeting Gmail
Quote: More than 260,000 Chrome users unknowingly installed browser extensions labeled as a helpful AI assistant. According to researchers at LayerX, the coordinated campaign involved over 30 fake Chrome extensions posing as services similar to ChatGPT and Claude.

We have seen a fair share of malicious Chrome extensions since Google released the initial version of its browser, from fake VPN extensions and outright malicious extensions to sophisticated session replay malware. While marketed as AI productivity tools, the new add-ons would deploy spyware that steals browsing and Gmail data.

How the Fake AI Extensions on the Chrome Web Store Worked

Researchers discovered that the malicious AI extensions shared nearly identical code, permissions, and backend infrastructure. Instead of appearing as separate tools with different names and branding, they relied on the same underlying structure.

Security researcher Natalie Zargarov explained that the campaign exploited users’ trust in AI interfaces:
 
Quote: “By injecting iframes that mimic trusted AI interfaces, they’ve created a nearly invisible man-in-the-middle attack that intercepts everything from API keys to personal data before it ever reaches the legitimate service.”

The attack was especially effective because it integrated into normal AI interactions, where users are already getting used to sharing detailed information.

The “AiFrame” Extension Architecture Explained

At the core of the operation was what researchers call an “AiFrame” extension architecture.

Instead of embedding full functionality inside the extension code reviewed by Google during installation, the extensions:
  • Loaded a full-screen iframe from remote domains (e.g., subdomains of tapnetic[.]pro)
  • Overlaid the current webpage
  • Acted as a fake AI interface
  • Pulled instructions dynamically from backend servers

This setup allowed attackers to change behavior remotely without pushing an updated version to the Chrome Web Store. In other words, what users installed wasn’t necessarily what was running later.

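A heuristic check a reviewer could run over an unpacked extension's content scripts to triage for the "AiFrame" architecture described in the post above. This is an added example, not LayerX's tooling or code from the article; the function name, rule names, sample scripts and `.example` domains are constructed assumptions.

```javascript
// Heuristic triage for the "AiFrame" pattern in an unpacked extension's
// content script. Sample sources and .example domains are constructed.
const REMOTE_ORIGIN = /["'`](https?:\/\/[^"'`\s\/]+)/g;

function auditContentScript(name, source) {
  const findings = [];
  const createsIframe = /createElement\(\s*["'`]iframe["'`]\s*\)/i.test(source);
  const origins = [...new Set([...source.matchAll(REMOTE_ORIGIN)].map((m) => m[1]))];
  const fullViewport =
    /position\s*:\s*fixed/i.test(source) &&
    /width\s*:\s*100(vw|%)/i.test(source) &&
    /height\s*:\s*100(vh|%)/i.test(source);

  // Interface served from a remote origin instead of a packaged page.
  if (createsIframe && origins.length > 0) {
    findings.push({ file: name, rule: "remote-iframe-ui", origins });
  }
  // Frame styled to cover the whole page underneath.
  if (createsIframe && fullViewport) {
    findings.push({ file: name, rule: "full-viewport-overlay" });
  }
  // Behaviour fetched at run time, so it can change after store review.
  if (/\bfetch\(\s*["'`]https?:\/\//.test(source)) {
    findings.push({ file: name, rule: "remote-instructions" });
  }
  return findings;
}

// Constructed sample: remote full-screen frame plus remote configuration.
const suspicious = `
const frame = document.createElement("iframe");
frame.src = "https://ui.assistant-backend.example/panel";
frame.style.cssText = "position:fixed;top:0;left:0;width:100vw;height:100vh";
document.documentElement.appendChild(frame);
fetch("https://api.assistant-backend.example/config").then((r) => r.json());
`;
// Constructed sample: small panel loaded from the extension package itself.
const packaged = `
const frame = document.createElement("iframe");
frame.src = chrome.runtime.getURL("panel.html");
frame.style.cssText = "position:fixed;bottom:0;right:0;width:360px;height:480px";
document.body.appendChild(frame);
`;

console.log(auditContentScript("content.js", suspicious));
console.log(auditContentScript("panel.js", packaged));
```

Regex matching of this kind only prioritises extensions for manual review; obfuscated or dynamically assembled code will not match.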

