Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
First reported
Last updated
Happening score: 39
1 unique source, 1 article

Summary

A recurring Chrome extension campaign is stealing AI conversations from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The activity has been seen in several dozen incidents over the past month, indicating sustained abuse rather than a single event. The attackers rely on legitimate-looking extensions and impersonation lures to win installs. The pattern creates ongoing risk for both individuals and organizations that allow uncontrolled browser extensions.

Related Happenings

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

Fake Google Account security page PWA phishing campaign

Campaign
First: 02.03.2026 22:23 Last: 02.03.2026 22:23 Sources 1

About this happening: A **phishing campaign** is using a **fake Google Account security page** and a **Progressive Web App (PWA)** to steal **one-time passcodes**, harvest **cryptocurrency wallet addre...

Google Gemini AI in Chrome privilege escalation flaw (CVE-2026-0628)

Vulnerability
First: 02.03.2026 12:27 Last: 02.03.2026 12:27 Sources 1

About this happening: **Google** has fixed **CVE-2026-0628** in **Gemini AI in Chrome**, a high-severity flaw that let a malicious extension hijack the privileged Gemini side panel and expose user priv...

Latest development: 02.03.2026 19:08

Palo Alto Networks Unit 42 researcher Gal Weizman discovered and reported CVE-2026-0628 in Google Chrome on November 23, 2025, identifying insufficient policy enforcement in the WebView tag that could let a malicious extension inject scripts or HTML into a privileged page and seize control of the Gemini Live panel.

QuickLens - Search Screen with Google Lens hit by network compromise

Incident
First: 28.02.2026 21:18 Last: 28.02.2026 21:18 Sources 1

About this happening: The **QuickLens - Search Screen with Google Lens** Chrome extension was **compromised** and used to **push malware** to about **7,000 users**, creating risk of **credential theft*...

Timeline

  1. 24.03.2026 02:00 2 articles · 2mo ago

    Expel warns of prompt-poaching Chrome extensions

    Initial Disclosure

    Expel warned that legitimate-looking Chrome extensions were monitoring open tabs for loaded AI clients, collecting questions and answers through API interception or DOM scraping, and sending the content to external servers. The vendor said it had observed several dozen prompt-poaching incidents in the past month and pointed to impersonation-style lures such as "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI", "Talk to ChatGPT", and the Urban VPN Proxy tool.
