Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
Summary
Hide ▲
Show ▼
A recurring Chrome extension campaign is stealing AI conversations from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The activity has been seen in several dozen incidents over the past month, indicating sustained abuse rather than a single event. The attackers rely on legitimate-looking extensions and impersonation lures to win installs. The pattern creates ongoing risk for both individuals and organizations that allow uncontrolled browser extensions.
Related Happenings
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score11
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
ShieldGuard browser-extension data-harvesting malware
Malware Activity
H score29
First: 18.03.2026 16:15
Last: 18.03.2026 16:15
Sources 1
About this happening:
A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...
ShieldGuard browser-extension data-harvesting malware
Malware ActivityAbout this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...
Fake Google Account security page PWA phishing campaign
Campaign
H score35
First: 02.03.2026 22:23
Last: 02.03.2026 22:23
Sources 1
About this happening:
A **phishing campaign** is using a **fake Google Account security page** and a **Progressive Web App (PWA)** to steal **one-time passcodes**, harvest **cryptocurrency wallet addre...
Fake Google Account security page PWA phishing campaign
CampaignAbout this happening: A **phishing campaign** is using a **fake Google Account security page** and a **Progressive Web App (PWA)** to steal **one-time passcodes**, harvest **cryptocurrency wallet addre...
Google Gemini AI in Chrome privilege escalation flaw (CVE-2026-0628)
Vulnerability
H score33
First: 02.03.2026 12:27
Last: 02.03.2026 12:27
Sources 1
About this happening:
**Google** has fixed **CVE-2026-0628** in **Gemini AI in Chrome**, a high-severity flaw that let a malicious extension hijack the privileged Gemini side panel and expose user priv...
Google Gemini AI in Chrome privilege escalation flaw (CVE-2026-0628)
VulnerabilityAbout this happening: **Google** has fixed **CVE-2026-0628** in **Gemini AI in Chrome**, a high-severity flaw that let a malicious extension hijack the privileged Gemini side panel and expose user priv...
Latest development: 02.03.2026 19:08
Palo Alto Networks Unit 42 researcher Gal Weizman discovered and reported CVE-2026-0628 in Google Chrome on November 23, 2025, identifying insufficient policy enforcement in the WebView tag that could let a malicious extension inject scripts or HTML into a privileged page and seize control of the Gemini Live panel.
Timeline
-
24.03.2026 02:00 2 articles · 3mo ago
Expel warns of prompt-poaching Chrome extensions
Initial DisclosureExpel warned that legitimate-looking Chrome extensions were monitoring open tabs for loaded AI clients, collecting questions and answers through API interception or DOM scraping, and sending the content to external servers. The vendor said it had observed several dozen prompt-poaching incidents in the past month and pointed to impersonation-style lures such as Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI, Talk to ChatGPT, and the Urban VPN Proxy tool.
Show sources
- Experts Sound Alarm Over “Prompt Poaching” Browser Extensions — www.infosecurity-magazine.com — 25.03.2026 13:00
- Experts Sound Alarm Over “Prompt Poaching” Browser Extensions — www.infosecurity-magazine.com — 25.03.2026 13:00