Fake AI assistant Chrome extension malware activity

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique source, 1 article

Summary

A cluster of 30 malicious Chrome extensions posing as AI assistants is stealing email content and other sensitive data from Chrome users. With 260,000+ downloads, the cluster creates a broad browser-side exfiltration risk. The extensions are distributed through the Chrome Web Store and present a plausible chat interface while relaying prompts through attacker-controlled infrastructure. Some of the listings remained available more than 24 hours after publication, extending exposure. The activity matters because users may paste API keys, tokens, and regulated data into tools that appear legitimate.

Related Happenings

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
First: 25.03.2026 13:00 Last: 25.03.2026 13:00 Sources 1

About this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

LayerX font-rendering PoC exposes a browser-rendering gap in AI assistant analysis

Technical Analysis
First: 17.03.2026 15:59 Last: 17.03.2026 15:59 Sources 1

About this happening: A **LayerX** proof-of-concept showed that a **font-rendering attack** can hide malicious webpage commands from AI assistants, creating a risk of **unsafe guidance** when the brows...

Timeline

  1. 16.02.2026 16:00 2 articles · 3mo ago

    LayerX identifies malicious AI-themed Chrome extensions

    Initial Disclosure

    LayerX identifies 30 Google Chrome extensions in the Chrome Web Store that masquerade as AI assistants such as Gemini AI Sidebar and ChatGPT Translate while stealing email content, browser content, and other sensitive data users feed them. The set includes tools branded as AI Sidebar, AI Assistant, and AI GPT. Together the extensions accumulated more than 260,000 downloads, and some listings had average ratings above four stars and Featured tags.
