
The Chrome Extension Problem Just Got a Lot Worse

Multiple coordinated campaigns have compromised millions of Chrome users through fake AI assistants, social media tools, and utility extensions. The AiFrame campaign alone infected 300,000 users with fake ChatGPT and Gemini extensions that steal emails and credentials, while 287 extensions with 37 million installs were found exfiltrating browsing history to data brokers.

By Danny, Feb 14, 2026

Browser extensions have always occupied an uncomfortable space in security. They're useful, they're convenient, and they have access to everything you do online. This week, security researchers pulled back the curtain on just how badly that trust has been abused, revealing multiple coordinated campaigns that have compromised millions of Chrome users through fake AI assistants, social media tools, and utility add-ons that looked perfectly legitimate.

The numbers are staggering. A single campaign dubbed AiFrame, discovered by browser security firm LayerX, found over 30 malicious extensions masquerading as AI assistants that had collectively been installed by more than 300,000 users. A separate investigation by Koi Security uncovered a scheme targeting VKontakte users that silently hijacked approximately 500,000 accounts. And a broader analysis by Q Continuum identified 287 extensions exfiltrating browsing history to data brokers, representing 37.4 million installations and roughly one percent of the global Chrome user base.

The AiFrame campaign is particularly insidious because it exploits the current AI gold rush. Users searching for ChatGPT, Gemini, DeepSeek, and other AI tools are finding extensions with names like "Gemini AI Sidebar," "ChatGPT Translate," "AI Assistant," and "Grok Chatbot." These extensions promise summarization, chat assistance, email writing, and Gmail integration. What they actually deliver is a sophisticated data harvesting operation.

The technical architecture behind AiFrame reveals how these attackers avoid detection. The extensions don't implement AI functionality locally. Instead, they render a full-screen iframe overlay pointing to a remote domain controlled by the attackers. This means the extension's behavior can change at any time without requiring a Chrome Web Store update, effectively bypassing Google's review process after initial approval. The backend infrastructure all points to a single domain, tapnetic.pro, confirming that these seemingly independent extensions are part of one coordinated operation.

When a user visits any webpage, the extensions invoke a content script that extracts readable content using Mozilla's Readability library. Fifteen of the extensions specifically target Gmail, running a dedicated script at document start whenever a victim visits mail.google.com. The script reads visible email content directly from the DOM and repeatedly extracts email thread text. Even draft emails can be captured before they're sent. When users invoke Gmail-related features like AI-assisted replies or summaries, the extracted email content gets transmitted to third-party servers controlled by the extension operators.

LayerX also discovered that the malware supports remotely triggered voice recognition. Using the Web Speech API, the extensions can start recording, generate transcripts, and exfiltrate the results to the remote server. Depending on granted permissions, this could capture conversations from the victim's environment.

Several of these extensions remain available on the Chrome Web Store. AI Sidebar has 70,000 users. AI Assistant has 60,000. ChatGPT Translate has 30,000. AI GPT and ChatGPT each have 20,000. Google Gemini and another AI Sidebar variant each have 10,000. BleepingComputer confirmed these installation counts at the time of their report.

The VK Styles campaign operates on a different target demographic but uses equally sophisticated techniques. Koi Security found five extensions posing as VKontakte customization and music download tools that have hijacked roughly 500,000 accounts. The extensions automatically subscribe victims to the attacker's VK groups, reset account settings every 30 days to override user preferences, manipulate Cross-Site Request Forgery tokens to bypass VK's security protections, and maintain persistent control over compromised accounts.

What makes VK Styles technically interesting is its use of a VK profile's HTML metadata tags as a dead drop resolver. The extensions retrieve their next-stage payload URLs from a profile at vk.com/m0nda, concealing the malicious infrastructure behind seemingly normal social media content. The actual payload is hosted in a public GitHub repository under the username 2vk, containing obfuscated JavaScript that gets injected into every VK page the victim visits. The repository shows 17 commits between June 2025 and January 2026, demonstrating active development and refinement. This isn't sloppy malware. It's a maintained software project with version control, testing, and iterative improvements.

A third campaign targets business users through an extension called CL Suite by @CLMasters. Marketed as a Meta Business Suite utility for scraping data, removing verification popups, and generating two-factor authentication codes, the extension actually exfiltrates TOTP seeds and current one-time security codes, Business Manager contact lists in CSV format, and analytics data to a backend at getauth.pro and a Telegram channel. The extension claims in its privacy policy that 2FA secrets and Business Manager data remain local. In practice, Socket researchers found, that's a lie. The TOTP seeds alone give attackers everything they need to generate valid authentication codes and bypass multi-factor authentication entirely.

Perhaps the most troubling finding comes from Q Continuum's analysis of 287 extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, meaning approximately one in every hundred Chrome users worldwide has installed software that monitors and sells their browsing behavior. The data flows to brokers like Similarweb and Alexa, companies that aggregate this information for market research and competitive intelligence. Users have no idea their browsing history is being harvested and monetized.

The common thread across all these campaigns is the fundamental tension in how browser extensions work. They're granted extensive permissions at install time, operate with access to sensitive data and browser capabilities, and can modify their behavior after approval without triggering new security reviews. Google's review process catches obvious malware but struggles with extensions that are clean on submission and turn malicious later, or that hide their true functionality behind remote-loaded content.

The recommendations are straightforward but rarely followed. Install extensions only when absolutely necessary. Audit installed extensions periodically for signs of malicious behavior or excessive permission requests. Use separate browser profiles for sensitive tasks. Organizations should implement extension allowlisting to block non-compliant add-ons. And when an extension asks for permissions that seem excessive for its stated purpose, that's not paranoia. That's pattern recognition.
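As an added illustration of that audit step (example code written for this article, not a tool from LayerX, Koi Security, Socket or any other researcher cited here), the Python below triages an extension's manifest.json for the manifest-level patterns the campaigns above rely on: broad host access, history and tab permissions, and content scripts pinned to mail.google.com or vk.com at document_start. The manifest is a constructed sample, and the sensitive-host list is an assumption you would extend for your own environment.

```python
import json
import os

# Constructed sample manifest modelled on the pattern described above (Gmail
# content script at document_start plus read access to every page). It is not
# the manifest of any real extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example AI Sidebar (constructed sample)",
  "permissions": ["storage", "tabs", "history"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [
    {"matches": ["<all_urls>"], "js": ["reader.js"]},
    {"matches": ["https://mail.google.com/*"], "js": ["gmail.js"],
     "run_at": "document_start"}
  ]
}
""")

BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that expose browsing history or page/tab state.
SENSITIVE_PERMISSIONS = {"history", "tabs", "webNavigation", "webRequest", "cookies"}
# Hosts scraped by the campaigns discussed above; extend for your environment (assumption).
SENSITIVE_HOSTS = ("mail.google.com", "vk.com")


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    if hosts & BROAD_MATCHES:
        findings.append("broad host access: extension can read every page the user visits")
    for perm in sorted(perms & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive API permission: {perm}")
    for script in manifest.get("content_scripts", []):
        run_at = script.get("run_at", "document_idle")  # Chrome's default
        for pattern in script.get("matches", []):
            for host in SENSITIVE_HOSTS:
                if host in pattern:
                    findings.append(f"content script on {host} at {run_at}: {script.get('js', [])}")
    return findings


def audit_extension_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory of unpacked extensions and audit every manifest.json found."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        if "manifest.json" in filenames:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                results[dirpath] = audit_manifest(json.load(fh))
    return results
```

Point audit_extension_tree at a profile's Extensions directory to get findings per unpacked extension; an empty list for an extension means none of these manifest-level indicators were present, not that the extension is safe, since remote iframe content never shows up in the manifest.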

If you've installed any AI assistant, social media customization, or utility extension recently, now would be a good time to check what's actually running in your browser. The next breach headline might be about your organization, and the attack vector might be something your users installed themselves.

Target Sectors: Enterprise, All Sectors

Tags: Chrome, Browser Extensions, AI, Malware, Credential Theft, Gmail, Supply Chain