AiFrame malicious Chrome extension spraying operation

Malware Activity
First reported
Last updated
Happening score
H score 34
1 unique source, 1 article

Summary

The AiFrame operation spread fake Chrome AI assistants that delivered malicious extensions, putting over 260,000 Google Chrome users at risk of credential theft, email monitoring, and remote access. The activity abused the appearance of legitimate productivity tools to gain trust inside the Chrome Web Store. Researchers linked more than 30 extensions to shared code, permissions, and backend infrastructure. The use of extension spraying helped the operation stay active after takedowns.

Related Happenings

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Anthropic Claude Code usage-limits bug causing faster exhaustion

Service Disruption
First: 01.04.2026 03:32 Last: 01.04.2026 03:32 Sources 1

About this happening: Anthropic is investigating a **Claude Code** bug that makes **usage limits** exhaust much faster than expected, leaving affected users blocked from normal use. The issue was still...

Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
First: 25.03.2026 13:00 Last: 25.03.2026 13:00 Sources 1

About this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...

VoidStealer debugger-based ABE-bypass infostealer

Malware Activity
First: 22.03.2026 16:32 Last: 22.03.2026 16:32 Sources 1

About this happening: **VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...

Timeline

  1. 13.02.2026 13:25 2 articles · 3mo ago

    AiFrame malicious Chrome extension campaign disclosed

    Initial Disclosure

    LayerX identified an AiFrame campaign in the Google Chrome Web Store in which fake AI assistants were used to distribute malicious Chrome extensions that could steal login credentials, monitor emails, enable remote access, and exfiltrate data from the Google Chrome browser and Gmail. More than 30 extensions were linked to a shared codebase, permissions, and backend infrastructure, including 'AI Assistant', which posed as an Anthropic Claude AI extension, and other imitations of ChatGPT, Grok, and Google Gemini. The campaign reached over 260,000 Google Chrome users, used extension spraying to stay active after takedowns, and routed users to remote infrastructure through a full-screen iframe that loaded malicious content from outside the Chrome Web Store.