Security researchers have uncovered a large-scale campaign involving 30 malicious Chrome extensions posing as AI assistants, putting more than 300,000 users at risk.
The extensions were designed to steal login credentials, email content, browsing data, and even voice input, while pretending to offer AI-powered features.
The campaign was discovered by researchers at LayerX, who named it AiFrame. According to their findings, all identified extensions are part of the same coordinated operation and communicate with backend infrastructure hosted under a single domain, tapnetic[.]pro.
Although some malicious extensions have already been removed, several remain available on the Chrome Web Store and have been installed by tens of thousands of users. The most widely installed extension in the campaign, Gemini AI Sidebar, reportedly reached 80,000 users before being taken down.
Malicious AI extensions are still active
Researchers, backed by independent verification, found that multiple dangerous extensions remain accessible under different names but with identical identifiers, including:
- AI Sidebar – 70,000 users
- AI Assistant – 60,000 users
- ChatGPT Translate – 30,000 users
- AI GPT – 20,000 users
- ChatGPT – 20,000 users
- AI Sidebar – 10,000 users
- Google Gemini – 10,000 users
LayerX confirmed that all 30 extensions share the same code structure, JavaScript logic, permission requests, and command-and-control servers, clearly linking them to a single threat actor.
How the extensions steal data
The fake AI tools do not run any real AI locally. Instead, they display a full-screen iframe that loads content from a remote server. This approach allows attackers to change malicious behavior at any time without publishing updates, effectively bypassing Chrome’s extension review process.
In the background, the extensions quietly extract page content from websites users visit — including login pages — using Mozilla’s Readability library.
More concerning, 15 of the extensions specifically target Gmail. A hidden script runs at page load on mail.google.com, injecting UI elements and harvesting visible email content directly from the page. Researchers confirmed that entire email threads, including unsent drafts, can be captured.
When users activate AI-related features such as summaries or reply suggestions, the stolen email data is transmitted to external servers controlled by the attackers, outside of Gmail’s security protections.
Voice recording risk
Some extensions also include remotely activated voice recognition features using the browser’s Web Speech API. Depending on permissions granted, attackers could potentially capture spoken conversations and send transcripts back to their servers.
At the time of writing, Google has not publicly responded to requests for comment regarding the findings.
What users should do now
Security experts strongly advise users to:
- Review installed Chrome extensions immediately
- Remove any AI-related extensions they do not fully trust
- Check LayerX’s published indicators of compromise
- Reset passwords for affected accounts if exposure is suspected
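
One way to carry out the first step above, as an added example that is not from LayerX or the original article: a script that audits the unpacked extensions under a Chrome profile's Extensions folder for the two traits described here, content scripts that run on mail.google.com and references to the tapnetic[.]pro backend. The `<id>/<version>/manifest.json` folder layout is an assumption about the local install, and the two sample extensions written by `build_sample` are constructed for the demonstration.

```python
import json, sys, tempfile
from pathlib import Path

C2_DOMAIN = "tapnetic.pro"      # backend domain named in the article
GMAIL_HOST = "mail.google.com"  # host the Gmail-targeting scripts run on

def covers_gmail(pattern):
    """True if a content-script match pattern applies to Gmail pages."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if pattern == "<all_urls>" or host in ("*", GMAIL_HOST):
        return True
    return host.startswith("*.") and ("." + GMAIL_HOST).endswith(host[1:])

def audit_extension(ext_dir):
    """Return findings for one <id>/<version> extension directory."""
    ext_dir, findings = Path(ext_dir), []
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    for cs in manifest.get("content_scripts", []):
        hits = [m for m in cs.get("matches", []) if covers_gmail(m)]
        if hits:
            findings.append(f"content script runs on Gmail via {hits}")
    for f in sorted(ext_dir.rglob("*")):
        if f.suffix in {".js", ".json", ".html"} and f.is_file():
            if C2_DOMAIN in f.read_text(encoding="utf-8", errors="ignore"):
                findings.append(f"references {C2_DOMAIN} in {f.relative_to(ext_dir).as_posix()}")
    return findings

def audit_profile(extensions_root):
    """Map '<id>/<version>' to findings for each flagged extension."""
    report = {}
    for m in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        found = audit_extension(m.parent)
        if found:
            report[f"{m.parent.parent.name}/{m.parent.name}"] = found
    return report

def build_sample(root):
    """Constructed test data (not real extensions): one flagged, one clean."""
    bad, ok = Path(root, "aaaa", "1.0_0"), Path(root, "bbbb", "2.1_0")
    for d in (bad, ok):
        d.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"manifest_version": 3,
        "content_scripts": [{"matches": ["*://mail.google.com/*"], "js": ["cs.js"]}]}))
    (bad / "cs.js").write_text('const API = "https://' + C2_DOMAIN + '/";')
    (ok / "manifest.json").write_text(json.dumps({"manifest_version": 3, "name": "ok"}))
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    print(json.dumps(audit_profile(root), indent=2))
```

A Gmail content script alone is not proof of compromise, since legitimate mail add-ons request the same access; treat it as a prompt to check the extension's identifier against LayerX's published indicators.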





