30 Fake AI Chrome Extensions With 300,000 Installs Caught Stealing Credentials, Gmail Data, and Audio

Thirty malicious Chrome extensions with a combined 300,000 installations have been caught masquerading as AI assistants while stealing credentials, email content, browsing data, and even activating voice recognition to capture audio from victim environments.

Researchers at browser security platform LayerX discovered the campaign, dubbed AiFrame, and confirmed all 30 extensions communicate with infrastructure under a single domain — tapnetic[.]pro.

Still Live in the Chrome Web Store

Several extensions remain available in the Chrome Web Store with significant install counts:

AI Sidebar — 70,000 users
AI Assistant — 60,000 users
ChatGPT Translate — 30,000 users
AI GPT — 20,000 users
ChatGPT — 20,000 users
AI Sidebar (second variant) — 10,000 users
Google Gemini — 10,000 users

The most popular extension, Gemini AI Sidebar with 80,000 users, has since been removed. All 30 extensions share identical internal structure, JavaScript logic, permissions, and backend infrastructure.

How the Theft Works

The extensions deliver no local AI functionality. Instead, they render a full-screen iframe that loads content from a remote domain to provide the advertised features — meaning the operators can change the extension's behaviour at any time without pushing an update or triggering a new review. This is the same architectural weakness exploited in the recently discovered malicious Outlook add-in.

In the background, the extensions extract page content from websites the user visits, including authentication pages, using Mozilla's Readability library.

A subset of 15 extensions specifically targets Gmail data using a dedicated content script that runs at document_start on mail.google.com. The script reads visible email content directly from the DOM and repeatedly extracts email thread text. Even email drafts can be captured before they are sent.

"When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension's logic and transmitted to third-party backend infrastructure controlled by the extension operator," LayerX explained.

Voice Capture

The extensions also feature a remotely triggered voice recognition mechanism using the Web Speech API, returning transcripts to the operators. Depending on granted permissions, the extensions could potentially capture conversations from the victim's physical environment — turning the browser into a listening device.

Recommendation

Check installed Chrome extensions against LayerX's published IOC list immediately. Remove any matching extensions and reset passwords for all accounts accessed during the period they were installed, with particular urgency for Gmail and any financial services. Organizations should enforce extension allowlisting policies through Chrome Enterprise to prevent users from installing unvetted extensions. The broader pattern of malicious extensions abusing iframe-based remote content loading to evade review processes remains a systemic weakness in browser extension marketplaces.
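A defender-side triage script in that spirit, added here as an example (it is not LayerX's or Google's tooling): it walks Chrome's on-disk extension layout (`<profile>/Extensions/<id>/<version>/manifest.json`, an assumed default path) and flags manifests that show the traits described above, namely a mail.google.com content script at document_start, broad host access, and any bundled script referencing the tapnetic[.]pro domain. The sample manifest and script are constructed, and the IOC set holds only the domain this article names; extend it with LayerX's published list.

```python
import json
import re
from pathlib import Path

IOC_DOMAINS = {"tapnetic.pro"}  # domain named in the article; extend with LayerX's IOC list
GMAIL_HOSTS = re.compile(r"mail\.google\.com")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def flag_manifest(manifest: dict, bundled_js: str = "") -> list[str]:
    """Return reasons an extension deserves a closer look (empty = nothing tripped)."""
    reasons = []
    for cs in manifest.get("content_scripts", []):
        if (GMAIL_HOSTS.search(" ".join(cs.get("matches", [])))
                and cs.get("run_at") == "document_start"):
            reasons.append("content script on mail.google.com at document_start")
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if hosts & BROAD_HOSTS:
        reasons.append("broad host access: can read every page the user visits")
    blob = json.dumps(manifest) + bundled_js
    for domain in sorted(IOC_DOMAINS):
        if domain in blob:
            reasons.append(f"references known campaign domain {domain}")
    return reasons


def scan_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Walk <root>/<id>/<version>/manifest.json (Chrome's on-disk layout, assumed)."""
    findings = {}
    for manifest_path in root.glob("*/*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        js = "".join(p.read_text(encoding="utf-8", errors="ignore")
                     for p in manifest_path.parent.rglob("*.js"))
        if reasons := flag_manifest(manifest, js):
            findings[manifest_path.parent.parent.name] = reasons
    return findings


# Constructed sample showing the traits described in the article (not a real extension).
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "AI Sidebar", "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"],
                         "js": ["gmail.js"], "run_at": "document_start"}],
}
SAMPLE_JS = 'document.body.append(Object.assign(document.createElement("iframe"), {src: "https://tapnetic.pro/app"}));'

if __name__ == "__main__":
    for reason in flag_manifest(SAMPLE_MANIFEST, SAMPLE_JS):
        print("-", reason)
```

Point `scan_extensions_dir` at a profile's Extensions directory to triage everything installed; a hit is a reason to inspect, not proof of compromise, since legitimate extensions also request broad host access.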
