A widespread cyberattack involving fraudulent Google Chrome extensions has affected more than 300,000 users by exploiting the current demand for artificial intelligence tools. An investigation by security firm LayerX has identified a coordinated operation dubbed “AiFrame,” which used more than 30 malicious add-ons to steal credentials, private emails, and browsing history.
The malicious extensions successfully bypassed initial scrutiny on the official Chrome Web Store by appearing as legitimate AI sidebars, translators, and assistants. Among the most popular were:
- Gemini AI Sidebar: 80,000 installations.
- AI Sidebar: 70,000 installations.
- AI Assistant: 60,000 installations.
- ChatGPT Translate: 30,000 installations.
Technically, these extensions shared nearly identical JavaScript logic and backend infrastructure. Instead of processing AI functions locally, they loaded full-screen iframes from remote domains. This allowed the attackers to change the extensions’ behavior dynamically without submitting new versions for store review, effectively evading security updates.
While users believed they were interacting with AI tools, the plugins were exfiltrating sensitive data in the background. A subset of 15 extensions specifically targeted Gmail. When a user accessed their inbox, scripts would trigger to read visible message content and even capture email drafts.
When users used “AI features” to summarize or reply to messages, the content was transmitted directly to attacker-controlled servers. Additionally, some extensions included voice recognition capabilities to transcribe audio and send transcriptions to remote servers.
Mitigation and Security Recommendations
Security experts advise users to immediately audit their browser extensions against the indicators of compromise published by LayerX. If any of the identified malicious tools are present, they should be uninstalled immediately. Additionally, affected users are strongly encouraged to reset passwords for all sensitive accounts, particularly Gmail and other platforms accessed during the infection period.
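The audit described above can be partly automated. The Python below is an added example, not LayerX's tooling or code from the report: it walks a Chrome profile's Extensions directory and flags Gmail-scoped or all-sites access, plus scripts that build an iframe next to a hard-coded remote URL. `IOC_IDS` is a placeholder for the published indicators, the sample manifest is constructed, and the regex heuristics are assumptions of this example.

```python
import json, re
from pathlib import Path

# Placeholder: fill with extension IDs from the published indicator list.
IOC_IDS = set()
BROAD = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}
# Heuristic (assumption): script creates an iframe and the same file holds a remote https URL.
IFRAME_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)")
REMOTE_RE = re.compile(r"['\"`]https://[^'\"`\s]+['\"`]")
# Constructed sample (not a real extension): Gmail content script plus remote iframe.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Example AI Sidebar",
                   "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["cs.js"]}]}
SAMPLE_SOURCES = {"cs.js": "const f = document.createElement('iframe');\n"
                           "f.src = 'https://ui.example.invalid/panel';"}

def host_patterns(manifest):
    """Collect every match pattern the extension requests or injects into."""
    pats = list(manifest.get("host_permissions", []))  # Manifest V3
    pats += [p for p in manifest.get("permissions", []) if "/" in p or p == "<all_urls>"]  # V2
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def audit_extension(ext_id, manifest, sources):
    """Return findings for one extension; sources maps file path -> JS text."""
    findings = []
    if ext_id in IOC_IDS:
        findings.append("id-on-ioc-list")
    pats = host_patterns(manifest)
    if any("mail.google.com" in p for p in pats):
        findings.append("gmail-access")
    elif any(p in BROAD for p in pats):
        findings.append("all-sites-access")
    for name, text in sources.items():
        if IFRAME_RE.search(text) and REMOTE_RE.search(text):
            findings.append(f"remote-iframe:{name}")
    return findings

def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/ and audit each install."""
    report = {}
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        sources = {p.relative_to(mf.parent).as_posix(): p.read_text(encoding="utf-8", errors="replace")
                   for p in mf.parent.rglob("*.js")}
        hits = audit_extension(mf.parent.parent.name, manifest, sources)
        if hits:
            report[mf.parent.parent.name] = hits
    return report
```

Findings are triage leads rather than verdicts: legitimate extensions also embed iframes and request broad access, so each hit still needs a manual check against the published indicators.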
