260,000+ Chrome Users Tricked by Fake AI Extensions Harvesting Sensitive Data

More than 260,000 Google Chrome users have been duped into installing malicious browser extensions that pose as artificial intelligence assistants but secretly siphon sensitive data to attacker-controlled servers. Researchers at LayerX uncovered 30 nearly identical extensions on the Chrome Web Store, all designed to impersonate AI-powered tools while covertly harvesting user information.

The campaign marks a shift in extension-based attacks. Rather than spoofing banks or login portals, threat actors are now exploiting user trust in AI interfaces, environments where people routinely paste API keys, internal documents, source code, and confidential data without hesitation.

Many of the extensions accumulated tens of thousands of downloads individually, with several maintaining high ratings and even earning Chrome Web Store “Featured” badges, lending them a veneer of legitimacy.

Malicious Extensions Masquerade as AI Assistants

The fraudulent apps carried names such as “Gemini AI Sidebar,” “ChatGPT Translate,” “AI Sidebar,” “AI GPT,” and “AI Assistant.” Some impersonated well-known chatbot brands directly. Others relied on vague branding designed to create subconscious associations with trusted AI providers.

According to LayerX researcher Natalie Zargarov, the tactic capitalizes on the normalization of AI tools in everyday workflows. Users increasingly assume that any AI-branded utility distributed through an official store is legitimate.

Once installed, the extensions appear to function normally. Clicking the toolbar icon launches a convincing chat interface. Prompts submitted by users generate plausible AI responses, reinforcing trust in the tool.

Behind the scenes, however, the interface operates as a full-screen iframe pointing to an attacker-controlled domain. All user input passes through the adversary’s infrastructure before being proxied to a legitimate large language model API or returned as a generated response.

How the Data Theft Occurs

The core danger lies in what users paste into these AI tools. Employees often input CRM data, financial records, proprietary source code, customer details, and authentication tokens for summarization or analysis.

In enterprise environments, this creates a direct exfiltration pathway. The malicious extension can read the content of active browser pages, transmit that data to remote servers, and return an innocuous summary to the user. The victim sees productivity enhancement. The attacker gains a copy of sensitive information.

Zargarov describes a scenario where an employee opens a customer database page and clicks “Summarize.” The extension reads the entire page content, sends it externally, and returns a brief summary. Meanwhile, regulated customer data and intellectual property leave the organization’s controlled environment.

The consequences range from intellectual property loss to regulatory violations and follow-on cyberattacks fueled by stolen credentials and tokens.

Why Detection Is Difficult

Unlike traditional malicious extensions that embed suspicious scripts locally, these apps keep most of their logic off-platform. The extension itself often requests minimal permissions and appears compliant during review.

The heavy lifting occurs in remote web applications loaded dynamically via iframe. Because the malicious behavior resides on external infrastructure, static analysis of the extension package may not reveal obvious red flags.

LayerX researchers noted that unless platform operators correlate shared network endpoints, identical JavaScript bundles, reused TLS certificates, or hosting overlaps across multiple extensions, coordinated campaigns can evade detection.

Several of the identified extensions reportedly remained available more than 24 hours after disclosure, each maintaining average ratings above four stars.

AI Trust as the New Attack Surface

The broader concern is behavioral. As AI tools become embedded in workflows, users are conditioned to paste sensitive information into chat interfaces with minimal scrutiny. What once required phishing emails now only requires convincing branding and a Chrome extension listing.

By exploiting trust in AI rather than impersonating financial institutions, attackers are targeting a new psychological vector. AI assistants feel helpful, modern, and safe, especially when distributed through official marketplaces.

Security experts warn that organizations should treat browser extensions that process sensitive data as high-risk software. Endpoint monitoring, strict extension allowlists, and user awareness training are becoming essential controls.

As AI usage accelerates across enterprises, adversaries are adapting quickly. In this case, the attack did not require a browser zero-day or advanced exploit chain. It required only a convincing user interface and a trusted distribution channel.