Malicious Chrome Extensions Disguised as AI Assistants Steal Credentials – The AiFrame Campaign

Over 300,000 users have installed 30 malicious Chrome extensions that pose as AI assistants, stealing account credentials, email content and browsing data; the most popular, Gemini AI Sidebar, had 80,000 installs before removal, and the extensions share a common backend infrastructure.


Researchers identified a malicious campaign, dubbed AiFrame, involving 30 Chrome extensions that masquerade as AI assistants to harvest user credentials, email content, and browsing information. More than 300,000 users have installed these extensions, some of which remain in the Chrome Web Store.

The most widely installed extension was Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg) with roughly 80,000 users before it was removed. Several other extensions still have thousands of installations.

AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe) – 70,000 users

AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) – 60,000 users

ChatGPT Translate (acaeafediijmccnjlokgcdiojiljfpbe) – 30,000 users

AI GPT (kblengdlefjpjkekanpoidgoghdngdgl) – 20,000 users

ChatGPT (llojfncgbabajmdglnkbhmiebiinohek) – 20,000 users

AI Sidebar (djhjckkfgancelbmgcamjimgphaphjdl) – 10,000 users

Google Gemini (fdlagfnfaheppaigholhoojabfaapnhb) – 10,000 users

All 30 extensions share an identical internal structure, JavaScript logic and permission set, and all communicate with the same command‑and‑control domain (tapnetic.pro). None of them implements any AI functionality locally; instead each embeds a full‑screen <iframe> that loads remote content to present the purported “AI service.”

This architecture is highly risky because the attacker can modify the remote page at any time, changing the extension’s behavior without needing to push an update through the Chrome store review process.

For data exfiltration, the extensions employ Mozilla’s Readability library to scrape the DOM of visited pages, including sensitive login pages. Fifteen extensions specifically target Gmail: they inject scripts at the document_start phase on mail.google.com, add UI elements, and read visible email text via .textContent, capturing even draft messages.

When a user invokes an AI‑assisted reply or summary feature, the harvested email content is passed to the extension’s logic and uploaded to attacker‑controlled backend servers, leaking the full message body and context outside Gmail’s security perimeter.

Additionally, the extensions can trigger remote voice‑recognition and transcription using the Web Speech API, recording ambient conversation and sending the audio back to the attackers, depending on the granted permissions.

Researchers advise users to perform a self‑audit of installed extensions, remove any suspicious AI‑assistant extensions, and immediately reset passwords for compromised accounts.
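The self‑audit the researchers recommend can be partly automated. The script below is an added example, not code from the article or from BleepingComputer: it walks Chrome's on‑disk Extensions directories (the <id>/<version>/manifest.json layout Chrome uses for unpacked Web Store installs; the default profile paths are assumed), checks each extension ID against the AiFrame IDs listed above, and separately flags any manifest whose content_scripts are injected on mail.google.com at document_start, the pattern the article describes for the Gmail‑targeting variants. The second check is a heuristic and will also match legitimate Gmail add‑ons, so its hits need manual review; the ID match is the hard indicator.

```python
"""
Added example (not from the article or the Black & White Path authors):
audit Chrome's Extensions directories for the AiFrame extension IDs
named in the article and for the Gmail content-script pattern it describes.
"""
import json
import os
import sys
from pathlib import Path

# Extension IDs and names as listed in the article.
AIFRAME_IDS = {
    "fppbiomdkfbhgjjdmojlogeceejinadg": "Gemini AI Sidebar",
    "gghdfkafnhfpaooiolhncejnlgglhkhe": "AI Sidebar",
    "nlhpidbjmmffhoogcennoiopekbiglbp": "AI Assistant",
    "acaeafediijmccnjlokgcdiojiljfpbe": "ChatGPT Translate",
    "kblengdlefjpjkekanpoidgoghdngdgl": "AI GPT",
    "llojfncgbabajmdglnkbhmiebiinohek": "ChatGPT",
    "djhjckkfgancelbmgcamjimgphaphjdl": "AI Sidebar",
    "fdlagfnfaheppaigholhoojabfaapnhb": "Google Gemini",
}


def default_extension_dirs():
    """Chrome 'Extensions' directories for every profile (assumed default install paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        root = base / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        root = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        root = home / ".config" / "google-chrome"
    # Matches "Default/Extensions", "Profile 1/Extensions", ...
    return [p for p in root.glob("*/Extensions") if p.is_dir()]


def gmail_document_start_scripts(manifest):
    """Return content_scripts entries injected on mail.google.com at document_start.

    This mirrors the behaviour the article attributes to the fifteen
    Gmail-targeting extensions; it is a heuristic, not proof of malice.
    """
    hits = []
    for cs in manifest.get("content_scripts", []):
        matches = cs.get("matches", [])
        on_gmail = any("mail.google.com" in m for m in matches)
        if on_gmail and cs.get("run_at") == "document_start":
            hits.append(cs)
    return hits


def audit_extensions_dir(ext_dir):
    """Walk <ext_dir>/<id>/<version>/manifest.json and return a list of findings."""
    findings = []
    ext_dir = Path(ext_dir)
    for id_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        ext_id = id_dir.name
        for manifest_path in sorted(id_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            reasons = []
            if ext_id in AIFRAME_IDS:
                reasons.append(f"ID matches AiFrame indicator ({AIFRAME_IDS[ext_id]})")
            if gmail_document_start_scripts(manifest):
                reasons.append("content script on mail.google.com at document_start")
            if reasons:
                findings.append({
                    "id": ext_id,
                    "name": manifest.get("name", "?"),
                    "path": str(manifest_path),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [path/to/Extensions ...]; with no arguments the default profiles are scanned.
    dirs = [Path(a) for a in sys.argv[1:]] or default_extension_dirs()
    for d in dirs:
        for f in audit_extensions_dir(d):
            print(f"[!] {f['id']} ({f['name']}): {'; '.join(f['reasons'])}")
            print(f"    {f['path']}")
```

A hit on the ID list is a direct indicator and should be followed by removal and the password resets the researchers advise; a hit on the Gmail heuristic alone only tells you the extension can read mail.google.com before the page renders, which is exactly the capability the article warns about and worth reviewing by hand.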

Source: BleepingComputer article on the AiFrame malicious extension campaign.

Tags: Information Security, malware analysis, AI assistants, Chrome extensions, credential theft, Gmail phishing
Written by Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
