Article Details

Scrape Timestamp (UTC): 2026-02-12 23:00:33.028

Source: https://www.theregister.com/2026/02/12/30_chrome_extensions_ai/

Original Article Text

30+ Chrome extensions disguised as AI chatbots steal users' API keys, emails, other sensitive data

Are you a good bot or a bad bot?

More than 30 malicious Chrome extensions installed by at least 260,000 users purport to be helpful AI assistants, but they steal users' API keys, email messages, and other personal data. Even worse: many of these are still available on the Chrome Web Store as of this writing.

Some of these extensions impersonate specific chatbots such as Claude, ChatGPT, Gemini, and Grok, while others claim to be more generic AI assistant tools to help users summarize documents, write messages, and provide Gmail assistance.

Despite different names and extension IDs, they all use the same underlying codebase and permissions, and all 32 extensions communicate with infrastructure under the tapnetic[.]pro domain, according to LayerX Security, which uncovered the campaign and named it AiFrame.

Some of them were published under new IDs after earlier versions were removed. For example, AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe), which had 50,000 users at the time of LayerX Security’s report, appeared after the earlier Gemini AI Sidebar (fppbiomdkfbhgjjdmojlogeceejinadg), which had 80,000 users, was removed from the Chrome Web Store. The Register found that the re-uploaded extension (gghdfkafnhfpaooiolhncejnlgglhkhe) is now listed with 70,000 users as of publication.

Google did not immediately respond to The Register's inquiries about the malicious extensions.

All 32 extension IDs are listed in LayerX's report, so be sure to check it out before adding any AI assistant extension to your browser.

Another extension that is still available at the time of this writing is called AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) and has 60,000 users. This one, which garnered the "Featured" badge on the Chrome Web Store, points users to a remote domain (claude.tapnetic.pro). It has an iframe overlay that visually appears as the extension's interface, and this iframe allows the operator to load remote content, changing the UI and logic, and silently adding new capabilities at any time without any Chrome Web Store update required.

"When instructed by the iframe, the extension queries the active tab and invokes a content script that extracts readable article content using Mozilla's Readability library," LayerX Security researcher Natalie Zargarov wrote. "The extracted data includes titles, text content, excerpts, and site metadata."

The extension then sends this data - including authentication details for any page the user is viewing - back to the remote iframe.

In addition to snarfing up all sorts of page content from every website a user visits, this particular extension also supports speech recognition. It transcribes the user's words and sends them back to the remote page for the operator to read.

Interestingly, nearly half of the extensions target Gmail and share the same Gmail integration codebase. This allows the extension to read visible email content directly from the DOM and extract message text via textContent from Gmail's conversation view. This includes email thread content and even draft or compose-related text, which is then sent to remote servers.

"The campaign exploits the conversational nature of AI interactions, which has conditioned users to share detailed information," Zargarov said in an email. "By injecting iframes that mimic trusted AI interfaces, they've created a nearly invisible man-in-the-middle attack that intercepts everything from API keys to personal data before it ever reaches the legitimate service."
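As an added example (not code from The Register or LayerX), the following audits a Chrome profile's Extensions directory: it flags installs whose ID matches one quoted in the article and, because the campaign re-uploads under new IDs, any install whose packaged files mention the shared tapnetic.pro domain. The `<profile>/Extensions/<id>/<version>/` layout, the function names and the sample tree are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# The three extension IDs quoted in the article; LayerX's report lists all 32.
KNOWN_BAD_IDS = {"gghdfkafnhfpaooiolhncejnlgglhkhe", "fppbiomdkfbhgjjdmojlogeceejinadg",
                 "nlhpidbjmmffhoogcennoiopekbiglbp"}
C2_DOMAIN = b"tapnetic.pro"  # infrastructure domain shared by the campaign
SCANNED_SUFFIXES = {".js", ".json", ".html"}

def domain_hits(version_dir):
    """Relative paths of packaged files whose bytes mention the domain."""
    return [str(f.relative_to(version_dir)) for f in sorted(version_dir.rglob("*"))
            if f.is_file() and f.suffix in SCANNED_SUFFIXES
            and C2_DOMAIN in f.read_bytes().lower()]

def audit_extensions(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/ and return flagged installs."""
    findings = []
    for version_dir in sorted(p for p in Path(extensions_dir).glob("*/*") if p.is_dir()):
        ext_id = version_dir.parent.name
        try:
            name = json.loads((version_dir / "manifest.json").read_text("utf-8-sig")).get("name", "?")
        except (OSError, ValueError, AttributeError):
            name = "?"  # missing or malformed manifest; still scan the files
        files = domain_hits(version_dir)
        reasons = (["known-bad ID"] if ext_id in KNOWN_BAD_IDS else []) + \
                  (["references tapnetic.pro"] if files else [])
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons, "files": files})
    return findings

def build_sample(root):
    """Constructed sample tree: a listed ID, a re-upload under a new ID, a clean one."""
    samples = {
        "nlhpidbjmmffhoogcennoiopekbiglbp": ("AI Assistant", "console.log('ui');"),
        "a" * 32: ("Chat Helper", "frame.src='https://claude.tapnetic.pro/';"),
        "b" * 32: ("Notes", "console.log('notes');"),
    }
    for ext_id, (name, js) in samples.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3}))
        (d / "background.js").write_text(js)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_extensions(build_sample(tmp)), sep="\n")
```

A clean result only means neither indicator was found in plain text; the ID set should be extended with the full list from LayerX's report.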

Daily Brief Summary

MALWARE // Malicious Chrome Extensions Exploit AI Chatbots to Steal User Data

Over 30 Chrome extensions, posing as AI assistants, have been identified as malicious, affecting at least 260,000 users by stealing sensitive data such as API keys and emails.

These extensions impersonate popular chatbots like ChatGPT and Claude, but all share a common codebase and permissions, communicating with the tapnetic[.]pro domain.

The campaign, named AiFrame by LayerX Security, involves re-uploading extensions under new IDs after previous versions were removed, maintaining a persistent threat.

Google has yet to respond to inquiries regarding these extensions, which remain available on the Chrome Web Store, potentially exposing more users to data theft.

The malicious extensions can extract data from active browser tabs and Gmail, using iframes to execute man-in-the-middle attacks without user awareness.

Users are advised to consult LayerX's report listing all 32 extension IDs to avoid inadvertently installing these harmful tools.

This incident reveals vulnerabilities in browser extension management and the need for heightened vigilance when installing AI-related tools.