Malicious AI Extensions Compromise 300,000 Chrome Customers

A widespread cyberattack involving fraudulent Google Chrome extensions has impacted over 300,000 customers by leveraging the present demand for synthetic intelligence instruments. An investigation by safety agency LayerX has recognized a coordinated operation dubbed “AiFrame,” which utilized greater than 30 malicious add-ons to steal credentials, personal emails, and searching historical past.

The malicious extensions efficiently bypassed preliminary scrutiny on the official Chrome Internet Retailer by showing as reliable AI sidebars, translators, and assistants. Among the many hottest had been:

• Gemini AI Sidebar: 80,000 installations.

• AI Sidebar: 70,000 installations.

• AI Assistant: 60,000 installations.

• ChatGPT Translate: 30,000 installations.

Technically, these extensions shared practically an identical JavaScript logic and backend infrastructure. As a substitute of processing AI capabilities regionally, they loaded full-screen iframes from distant domains. This allowed the attackers to change the extensions’ habits dynamically with out submitting new variations for retailer evaluate, successfully evading safety updates.

Whereas customers believed they had been interacting with AI instruments, the plugins had been exfiltrating delicate knowledge within the background. A subset of 15 extensions particularly focused Gmail. When a consumer accessed their inbox, scripts would set off to learn seen message content material and even seize e-mail drafts.

When customers utilized “AI options” to summarize or reply to messages, the content material was transmitted on to attacker-controlled servers. Moreover, some extensions included voice recognition capabilities to transcribe audio and ship transcriptions to distant servers.

Mitigation and Security Suggestions

Safety consultants advise customers to right away audit their browser extensions in opposition to the symptoms of compromise printed by LayerX. If any of the recognized malicious instruments are current, they need to be uninstalled instantly. Moreover, affected customers are strongly inspired to reset passwords for all delicate accounts, notably Gmail and different platforms accessed in the course of the an infection interval.