Malicious AI Extensions Compromise 300,000 Chrome Customers

A widespread cyberattack involving fraudulent Google Chrome extensions has impacted over 300,000 customers by leveraging the present demand for synthetic intelligence instruments. An investigation by safety agency LayerX has recognized a coordinated operation dubbed “AiFrame,” which utilized greater than 30 malicious add-ons to steal credentials, personal emails, and shopping historical past.

The malicious extensions efficiently bypassed preliminary scrutiny on the official Chrome Net Retailer by showing as reliable AI sidebars, translators, and assistants. Among the many hottest had been:

• Gemini AI Sidebar: 80,000 installations.

• AI Sidebar: 70,000 installations.

• AI Assistant: 60,000 installations.

• ChatGPT Translate: 30,000 installations.

Technically, these extensions shared practically similar JavaScript logic and backend infrastructure. As a substitute of processing AI features domestically, they loaded full-screen iframes from distant domains. This allowed the attackers to change the extensions’ conduct dynamically with out submitting new variations for retailer evaluation, successfully evading safety updates.

Whereas customers believed they had been interacting with AI instruments, the plugins had been exfiltrating delicate information within the background. A subset of 15 extensions particularly focused Gmail. When a person accessed their inbox, scripts would set off to learn seen message content material and even seize e mail drafts.

When customers utilized “AI options” to summarize or reply to messages, the content material was transmitted on to attacker-controlled servers. Moreover, some extensions included voice recognition capabilities to transcribe audio and ship transcriptions to distant servers.

Mitigation and Security Suggestions

Safety specialists advise customers to right away audit their browser extensions towards the symptoms of compromise printed by LayerX. If any of the recognized malicious instruments are current, they need to be uninstalled instantly. Moreover, affected customers are strongly inspired to reset passwords for all delicate accounts, notably Gmail and different platforms accessed through the an infection interval.