Full Report
Are you a good bot or a bad bot? More than 30 malicious Chrome extensions installed by at least 260,000 users purport to be helpful AI assistants, but they steal users' API keys, email messages, and other personal data. Even worse: many of these are still available on the Chrome Web Store as of this writing.…
Analysis Summary
# Incident Report: AiFrame Malicious Chrome Extension Campaign
## Executive Summary
A large-scale credential harvesting campaign, dubbed "AiFrame," utilized over 32 malicious Chrome extensions disguised as AI assistants (ChatGPT, Claude, Gemini, etc.) to compromise over 260,000 users. The extensions use injected remote iframes to capture sensitive browser data, including Gmail messages, API keys, and voice transcriptions, exfiltrating the data to attacker-controlled infrastructure. Despite some removals, attackers have successfully re-uploaded the malicious code under new IDs, maintaining a significant presence on the Chrome Web Store.
## Incident Details
- **Discovery Date:** February 12, 2026 (Public disclosure)
- **Incident Date:** Ongoing (Campaign active prior to discovery)
- **Affected Organization:** 260,000+ individual Chrome users
- **Sector:** General Consumers / Enterprise Users
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-February 2026
- **Vector:** Chrome Web Store (Social Engineering)
- **Details:** Attackers uploaded extensions impersonating popular AI brands (Claude, ChatGPT, Grok). Some extensions even obtained the "Featured" badge on the Chrome Web Store to increase credibility.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; however, the extensions cross site contexts by scraping content from any active tab the user visits, effectively moving from the "AI assistant" context into the user's private web sessions (Gmail, cloud consoles, etc.).
### Data Exfiltration/Impact
- **Details:** The extensions extract readable article content, site metadata, and authentication details. Specific codebases target Gmail to scrape message threads and drafts. Voice data is captured via speech recognition and transmitted to the domain `tapnetic[.]pro`.
### Detection & Response
- **Detection:** Uncovered by LayerX Security researchers through behavioral analysis of extension communication patterns.
- **Response Actions:** Google removed some initial IDs (e.g., `fppbiomdkfbhgjjdmojlogeceejinadg`), but attackers bypassed this by re-uploading identical code under new IDs (e.g., `gghdfkafnhfpaooiolhncejnlgglhkhe`).
## Attack Methodology
- **Initial Access:** Malicious browser extensions via official Chrome Web Store.
- **Persistence:** Browser extension installation; re-uploading the same code under new extension IDs when old ones are flagged and removed.
- **Privilege Escalation:** Exploitation of broad browser permissions granted by users during installation.
- **Defense Evasion:** Use of remote iframes to load malicious logic from a C2 server, bypassing static code analysis performed by the Chrome Web Store during the update process.
- **Credential Access:** Scraping authentication details from active tab content and DOM.
- **Discovery:** Using Mozilla’s Readability library to programmatically identify and extract valuable data from pages.
- **Collection:** Scraping Gmail DOM elements (textContent), recording audio for transcription, and capturing article excerpts.
- **Exfiltration:** HTTPS POST requests to attacker-controlled subdomains.
- **Impact:** Theft of API keys, personal communications, and sensitive session data.
## Impact Assessment
- **Financial:** High potential for loss via stolen API keys (e.g., OpenAI/AWS) and access to financial/banking sessions.
- **Data Breach:** Compromise of private Gmail correspondence and real-time browsing activity for 260,000+ users.
- **Operational:** Potential for downstream supply chain attacks if developer API keys are stolen.
- **Reputational:** Significant damage to the perceived safety of the Chrome Web Store and "Featured" status vetting process.
## Indicators of Compromise
- **Network Indicators:**
  - `tapnetic[.]pro`
  - `claude.tapnetic[.]pro`
- **File/Extension Indicators (Sample IDs):**
  - `gghdfkafnhfpaooiolhncejnlgglhkhe` (AI Sidebar)
  - `nlhpidbjmmffhoogcennoiopekbiglbp` (AI Assistant)
  - `fppbiomdkfbhgjjdmojlogeceejinadg` (Gemini AI Sidebar - Removed)
- **Behavioral Indicators:**
  - Extensions loading remote content via iframes that overlay the UI.
  - Unexpected content scripts querying the DOM of unrelated tabs (e.g., an "AI tool" reading Gmail content).
## Response Actions
- **Containment:** LayerX researchers published a full list of the 32 malicious extension IDs to facilitate manual removal.
- **Eradication:** Reporting IDs to Google for removal from the Web Store.
- **Recovery:** Users must manually uninstall the extensions and rotate any API keys or passwords potentially exposed during the period of infection.
## Lessons Learned
- **Key Takeaways:** The Chrome Web Store’s automated review process can be bypassed by loading dynamic logic through remote iframes.
- **Process Gaps:** A "Featured" badge does not guarantee security. Reputation-based trust models are being successfully exploited by "brandjacking" popular AI services.
## Recommendations
- **Inventory & Audit:** Organizations should utilize Group Policy (GPO) or MDM to whitelist only approved browser extensions.
- **Technical Control:** Implement Content Security Policy (CSP) to block communication with unapproved domains like `tapnetic[.]pro`.
- **User Education:** Advise users that AI tools should be accessed via official web domains (e.g., chatgpt.com) rather than third-party browser "sidebars" or "assistants."
- **Key Rotation:** If infected, immediately rotate all session tokens and API keys.
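As an added example (not part of the report or LayerX's tooling), the following Python script audits a Chrome profile's extension settings against the sample IDs above and emits a default-deny Chrome enterprise policy using `ExtensionInstallBlocklist`/`ExtensionInstallAllowlist`, with Chrome's `URLBlocklist` policy standing in for the CSP suggestion to block the campaign domain. The sample profile data and the "approved" extension ID are constructed; the campaign domain is undefanged so the policy is usable.

```python
import json
from typing import Dict, List, Tuple

# Extension IDs and C2 domain published in the report (domain undefanged for policy use).
AIFRAME_EXTENSION_IDS = {
    "gghdfkafnhfpaooiolhncejnlgglhkhe": "AI Sidebar",
    "nlhpidbjmmffhoogcennoiopekbiglbp": "AI Assistant",
    "fppbiomdkfbhgjjdmojlogeceejinadg": "Gemini AI Sidebar (removed from store)",
}
AIFRAME_DOMAINS = ["tapnetic.pro"]  # no leading dot: also matches claude.tapnetic.pro

# Constructed sample shaped like the `extensions.settings` object in a Chrome
# profile's Preferences file: extension ID -> settings, including the manifest.
SAMPLE_SETTINGS = {
    "gghdfkafnhfpaooiolhncejnlgglhkhe": {"manifest": {"name": "AI Sidebar", "version": "1.4"}},
    "abcdefghijklmnopabcdefghijklmnop": {"manifest": {"name": "Approved Corp Tool", "version": "2.0"}},
}


def find_aiframe_extensions(settings: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (id, installed name) for every installed extension matching a known AiFrame ID."""
    hits = []
    for ext_id, entry in settings.items():
        if ext_id in AIFRAME_EXTENSION_IDS:
            hits.append((ext_id, entry.get("manifest", {}).get("name", "<unknown>")))
    return hits


def build_managed_policy(approved_ids: List[str]) -> dict:
    """Chrome enterprise policy: block every extension not explicitly approved and block
    the campaign domain. Default-deny matters here because a blocklist of known IDs
    stops working the moment the attackers re-upload the code under a new ID."""
    bad = [i for i in approved_ids if i in AIFRAME_EXTENSION_IDS]
    if bad:
        raise ValueError(f"refusing to allowlist known-malicious IDs: {bad}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(approved_ids),
        "URLBlocklist": list(AIFRAME_DOMAINS),
    }


def policy_json(approved_ids: List[str]) -> str:
    """Serialize for a managed policy file, e.g. /etc/opt/chrome/policies/managed/aiframe.json."""
    return json.dumps(build_managed_policy(approved_ids), indent=2)


if __name__ == "__main__":
    for ext_id, name in find_aiframe_extensions(SAMPLE_SETTINGS):
        print(f"REMOVE {ext_id} ({name}); rotate any API keys and session tokens exposed")
    print(policy_json(["abcdefghijklmnopabcdefghijklmnop"]))
```

On Windows the same three policies are set under `HKLM\Software\Policies\Google\Chrome` via GPO or MDM rather than as a JSON file.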