Fake AI Chrome extensions with 300K users steal credentials, emails

Published: February 12, 2026 at 08:41 AM EST
3 min read

Source: Bleeping Computer

A set of 30 malicious Chrome extensions that have been installed by more than 300,000 users are masquerading as AI assistants to steal credentials, email content, and browsing information.

Some of the extensions are still present in the Chrome Web Store and have been installed by tens of thousands of users, while others show a small install count.

Researchers at browser security platform LayerX discovered the malicious extension campaign and named it AiFrame. They found that all analyzed extensions are part of the same malicious effort as they communicate with infrastructure under a single domain, tapnetic[.]pro.

According to LayerX, the most popular extension in the AiFrame campaign had 80,000 users and was called Gemini AI Sidebar (fppbiomdkfbhgjjdmojlogeceejinadg), but it is no longer on the Chrome Web Store.

However, BleepingComputer found that other extensions with thousands of users are still present on Google’s repository for Chrome extensions. The names may differ in some cases, but the extension IDs are the same.

  • AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe) – 70,000 users
  • AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) – 60,000 users
  • ChatGPT Translate (acaeafediijmccnjlokgcdiojiljfpbe) – 30,000 users
  • AI GPT (kblengdlefjpjkekanpoidgoghdngdgl) – 20,000 users
  • ChatGPT (llojfncgbabajmdglnkbhmiebiinohek) – 20,000 users
  • AI Sidebar (djhjckkfgancelbmgcamjimgphaphjdl) – 10,000 users
  • Google Gemini (fdlagfnfaheppaigholhoojabfaapnhb) – 10,000 users

LayerX found that all 30 extensions share the same internal structure, JavaScript logic, permissions, and backend infrastructure.

The malicious browser add‑ons do not implement AI functionality locally; instead, they deliver the promised feature by rendering a full‑screen iframe that loads content from a remote domain. This is risky because publishers can change the extensions’ logic at any time without pushing an update—similar to the case of Microsoft Office Add‑ins—thus avoiding a new review.

In the background, the extensions extract page content from websites the user visits, including sensitive authentication pages, using Mozilla’s Readability library.

A subset of 15 extensions specifically targets Gmail data, using a dedicated content script that runs at document_start on mail.google.com and injects UI elements. The script reads visible email content directly from the DOM and repeatedly extracts email thread text via .textContent. Even email drafts can be captured.

“When Gmail‑related features such as AI‑assisted replies or summaries are invoked, the extracted email content is passed into the extension’s logic and transmitted to third‑party backend infrastructure controlled by the extension operator,” – LayerX.

“As a result, email message text and related contextual data may be sent off‑device, outside of Gmail’s security boundary, to remote servers.”

The extensions also feature a remotely triggered voice recognition and transcript generation mechanism using the Web Speech API, returning the results to the operators. Depending on the granted permissions, the extensions may even siphon conversations from the victim’s environment.

BleepingComputer has contacted Google for comment on LayerX’s findings, but no response was received by publication time.

Recommendations

  • Check LayerX’s list of indicators of compromise for the complete set of malicious extensions.
  • If compromise is confirmed, reset passwords for all affected accounts.
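The following is an added defender-side triage script, not code from LayerX or BleepingComputer. It checks a Chrome profile's Extensions directory in two ways: first against the extension IDs named in this article (LayerX's full IoC list is longer), and second for the behavioural trait described above, a content script declared in manifest.json with run_at set to document_start and a match pattern covering mail.google.com. The profile layout assumed (<profile>/Extensions/<id>/<version>/manifest.json) is Chrome's standard on-disk layout; the sample profile the script builds in a temporary directory, including the two non-article extension IDs, is constructed purely for demonstration.

```python
"""Triage a Chrome profile for the AiFrame traits described in the article.

Added example, not the researchers' code. It matches installed extension IDs
against the IDs named in the article and flags manifests that declare a
content script running at document_start on mail.google.com.
"""
import json
import tempfile
from pathlib import Path

# Extension IDs named in the article (LayerX's complete IoC list is longer).
AIFRAME_IDS = {
    "fppbiomdkfbhgjjdmojlogeceejinadg",  # Gemini AI Sidebar (already removed)
    "gghdfkafnhfpaooiolhncejnlgglhkhe",  # AI Sidebar
    "nlhpidbjmmffhoogcennoiopekbiglbp",  # AI Assistant
    "acaeafediijmccnjlokgcdiojiljfpbe",  # ChatGPT Translate
    "kblengdlefjpjkekanpoidgoghdngdgl",  # AI GPT
    "llojfncgbabajmdglnkbhmiebiinohek",  # ChatGPT
    "djhjckkfgancelbmgcamjimgphaphjdl",  # AI Sidebar
    "fdlagfnfaheppaigholhoojabfaapnhb",  # Google Gemini
}

IOC_REASON = "id matches AiFrame IoC list"
GMAIL_REASON = "content script at document_start on mail.google.com"


def gmail_document_start_scripts(manifest: dict) -> list:
    """Return the content_scripts entries that run at document_start on Gmail."""
    hits = []
    for script in manifest.get("content_scripts", []):
        if script.get("run_at") != "document_start":
            continue
        if any("mail.google.com" in m for m in script.get("matches", [])):
            hits.append(script)
    return hits


def audit_profile(profile_dir) -> list:
    """Walk <profile>/Extensions and return [(extension_id, [reasons]), ...]."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        reasons = []
        if ext_dir.name in AIFRAME_IDS:
            reasons.append(IOC_REASON)
        # Chrome keeps one sub-directory per installed version of an extension.
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skip rather than crash the audit
            if gmail_document_start_scripts(manifest) and GMAIL_REASON not in reasons:
                reasons.append(GMAIL_REASON)
        if reasons:
            findings.append((ext_dir.name, reasons))
    return findings


def build_sample_profile(root) -> Path:
    """Construct a fake Chrome profile for offline demonstration (constructed data)."""
    profile = Path(root) / "Default"

    def write(ext_id, version, manifest):
        d = profile / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

    # An ID taken from the article's list, with an otherwise unremarkable manifest.
    write("gghdfkafnhfpaooiolhncejnlgglhkhe", "1.0.0_0",
          {"manifest_version": 3, "name": "AI Sidebar"})
    # Hypothetical ID not on the list, but showing the Gmail document_start trait.
    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.1_0",
          {"manifest_version": 3, "name": "Hypothetical Helper",
           "content_scripts": [{"matches": ["https://mail.google.com/*"],
                                "js": ["gmail.js"], "run_at": "document_start"}]})
    # Hypothetical benign extension: neither trait present.
    write("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "3.0_0",
          {"manifest_version": 3, "name": "Benign Example",
           "content_scripts": [{"matches": ["https://example.com/*"], "js": ["x.js"]}]})
    return profile


def run_demo() -> dict:
    """Build the constructed profile in a temp dir and return {id: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        return dict(audit_profile(build_sample_profile(tmp)))


if __name__ == "__main__":
    for ext_id, reasons in run_demo().items():
        print(f"{ext_id}: {'; '.join(reasons)}")
```

To run it against a real profile, call audit_profile() with the path to the profile directory (for example the "Default" folder under Chrome's user data directory) instead of the constructed one. An ID match is conclusive for this campaign; the document_start-on-Gmail trait alone is only a lead, since legitimate mail add-ons can declare the same pattern, so treat it as a prompt for manual review rather than a verdict.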