ChatGPT Mods token-stealing browser-extension campaign
Campaign
Summary
The ChatGPT Mods campaign used 16 browser extensions to inject a content script into chatgpt[.]com, stealing authentication tokens that could let operators impersonate users. The extensions were spread across the Chrome Web Store and Microsoft Edge Add-ons, reaching about 900 downloads before discovery. Their shared code, branding, and descriptions indicate a coordinated operation rather than isolated add-ons.
Related Happenings
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
About this happening:
An active **cryptojacking campaign** is using **AI chatbot interactions** and **SEO-poisoned download sites** to deliver mining malware, expanding the reach of malicious downloads...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Venom PhaaS SharePoint QR-code campaign targeting C-suite executives
Campaign
First: 03.04.2026 11:00
Last: 03.04.2026 11:00
Sources 1
About this happening:
The **Venom PhaaS** operation ran a **credential theft campaign** against **C-suite executives and senior personnel** at major global organizations, creating a broad risk of accou...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Timeline
30.01.2026 15:42 2 articles · 3mo ago
ChatGPT Mods browser extensions steal ChatGPT authentication tokens
Campaign Scope Update
A coordinated cluster of 16 browser extensions distributed through the Chrome Web Store and one Microsoft Edge Add-ons listing was identified as injecting a content script into chatgpt[.]com to steal OpenAI ChatGPT authentication tokens, enabling account-level impersonation and access to conversations, metadata, and code. The add-ons shared source code, icons, branding, and descriptions, and the campaign was downloaded about 900 times before discovery.
Sources:
- Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access — thehackernews.com — 30.01.2026 15:42