Malicious AI Extensions Compromise 300,000 Chrome Customers

A widespread cyberattack involving fraudulent Google Chrome extensions has impacted over 300,000 customers by leveraging the present demand for synthetic intelligence instruments. An investigation by safety agency LayerX has recognized a coordinated operation dubbed “AiFrame,” which utilized greater than 30 malicious add-ons to steal credentials, non-public emails, and looking historical past.

The malicious extensions efficiently bypassed preliminary scrutiny on the official Chrome Net Retailer by showing as reputable AI sidebars, translators, and assistants. Among the many hottest had been:

• Gemini AI Sidebar: 80,000 installations.

• AI Sidebar: 70,000 installations.

• AI Assistant: 60,000 installations.

• ChatGPT Translate: 30,000 installations.

Technically, these extensions shared almost an identical JavaScript logic and backend infrastructure. As a substitute of processing AI features regionally, they loaded full-screen iframes from distant domains. This allowed the attackers to change the extensions’ habits dynamically with out submitting new variations for retailer assessment, successfully evading safety updates.

Whereas customers believed they had been interacting with AI instruments, the plugins had been exfiltrating delicate information within the background. A subset of 15 extensions particularly focused Gmail. When a person accessed their inbox, scripts would set off to learn seen message content material and even seize electronic mail drafts.

When customers utilized “AI options” to summarize or reply to messages, the content material was transmitted on to attacker-controlled servers. Moreover, some extensions included voice recognition capabilities to transcribe audio and ship transcriptions to distant servers.

Mitigation and Security Suggestions

Safety specialists advise customers to right away audit their browser extensions towards the indications of compromise revealed by LayerX. If any of the recognized malicious instruments are current, they need to be uninstalled instantly. Moreover, affected customers are strongly inspired to reset passwords for all delicate accounts, notably Gmail and different platforms accessed through the an infection interval.