Find notable cyber news and cases, enriched with sources, timelines, and signals.

AiFrame malicious Chrome extension spraying operation

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

The AiFrame operation spread fake Chrome AI assistants that delivered malicious extensions, putting over 260,000 Google Chrome users at risk of credential theft, email monitoring, and remote access. The activity abused the appearance of legitimate productivity tools to gain trust inside the Chrome Web Store. Researchers linked more than 30 extensions to shared code, permissions, and backend infrastructure. The use of extension spraying helped the operation stay active after takedowns.

Related Happenings

Silent Swap browser-extension clipboard clipper

Malware Activity
H score36 First: 30.06.2026 18:40 Last: 30.06.2026 18:40 Sources 1

About this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension

Technical Analysis
H score23 First: 25.06.2026 17:12 Last: 25.06.2026 17:12 Sources 1

About this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Timeline

  1. 13.02.2026 13:25 2 articles · 4mo ago

    AiFrame malicious Chrome extension campaign disclosed

    Initial Disclosure

    LayerX identified an AiFrame campaign in the Google Chrome Web Store in which fake AI assistants were used to distribute malicious Chrome extensions that could steal login credentials, monitor emails, enable remote access, and exfiltrate data from the Google Chrome Browser and Gmail. More than 30 extensions were linked to shared codebase, permissions, and backend infrastructure, including 'AI Assistant' posing as an Anthropic Claude AI extension and other imitations of ChatGPT, Grok, and Google Gemini. The campaign reached over 260,000 Google Chrome users, used extension spraying to stay active after takedowns, and routed users to remote infrastructure with a full-screen iframe to load malicious content away from the Chrome Web Store.

    Show sources