Malicious AI Extensions Compromise 300,000 Chrome Customers

A widespread cyberattack involving fraudulent Google Chrome extensions has impacted over 300,000 customers by leveraging the present demand for synthetic intelligence instruments. An investigation by safety agency LayerX has recognized a coordinated operation dubbed “AiFrame,” which utilized greater than 30 malicious add-ons to steal credentials, non-public emails, and shopping historical past.

The malicious extensions efficiently bypassed preliminary scrutiny on the official Chrome Net Retailer by showing as authentic AI sidebars, translators, and assistants. Among the many hottest have been:

• Gemini AI Sidebar: 80,000 installations.

• AI Sidebar: 70,000 installations.

• AI Assistant: 60,000 installations.

• ChatGPT Translate: 30,000 installations.

Technically, these extensions shared almost equivalent JavaScript logic and backend infrastructure. As an alternative of processing AI capabilities domestically, they loaded full-screen iframes from distant domains. This allowed the attackers to change the extensions’ conduct dynamically with out submitting new variations for retailer assessment, successfully evading safety updates.

Whereas customers believed they have been interacting with AI instruments, the plugins have been exfiltrating delicate information within the background. A subset of 15 extensions particularly focused Gmail. When a person accessed their inbox, scripts would set off to learn seen message content material and even seize e-mail drafts.

When customers utilized “AI options” to summarize or reply to messages, the content material was transmitted on to attacker-controlled servers. Moreover, some extensions included voice recognition capabilities to transcribe audio and ship transcriptions to distant servers.

Mitigation and Security Suggestions

Safety consultants advise customers to right away audit their browser extensions in opposition to the symptoms of compromise printed by LayerX. If any of the recognized malicious instruments are current, they need to be uninstalled instantly. Moreover, affected customers are strongly inspired to reset passwords for all delicate accounts, notably Gmail and different platforms accessed through the an infection interval.