Fake AI Chrome extensions with 300K users steal credentials, emails
2026-2-12 13:45:17 Author: www.bleepingcomputer.com (view original)

A set of 30 malicious Chrome extensions that have been installed by more than 300,000 users are masquerading as AI assistants to steal credentials, email content, and browsing information.

Some of the extensions are still present in the Chrome Web Store and have been installed by tens of thousands of users, while others show a small install count.

Researchers at browser security platform LayerX discovered the malicious extension campaign and named it AiFrame. They found that all analyzed extensions are part of the same malicious effort as they communicate with infrastructure under a single domain, tapnetic[.]pro.

According to them, the most popular extension in the AiFrame campaign had 80,000 users and was called Gemini AI Sidebar (fppbiomdkfbhgjjdmojlogeceejinadg), but it is no longer on the Chrome Web Store.

However, BleepingComputer found that other extensions with thousands of users are still present on Google's repository for Chrome extensions. Note that the displayed names may differ in some cases, but the extension IDs are the same.

  1. AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe) – 70,000 users
  2. AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) – 60,000 users
  3. ChatGPT Translate (acaeafediijmccnjlokgcdiojiljfpbe) – 30,000 users
  4. AI GPT (kblengdlefjpjkekanpoidgoghdngdgl) – 20,000 users
  5. ChatGPT (llojfncgbabajmdglnkbhmiebiinohek) – 20,000 users
  6. AI Sidebar (djhjckkfgancelbmgcamjimgphaphjdl) – 10,000 users
  7. Google Gemini (fdlagfnfaheppaigholhoojabfaapnhb) – 10,000 users

LayerX found that all 30 extensions share the same internal structure, JavaScript logic, permissions, and backend infrastructure.

The malicious browser add-ons do not implement AI functionality locally; instead, they deliver the promised feature by rendering a full-screen iframe to load content from a remote domain.

This, by itself, is risky: publishers can change the extensions' logic at any time without pushing an update (just as with Microsoft Office Add-ins), thereby avoiding a new store review.

In the background, the extensions extract page content from websites the user visits, including sensitive authentication pages, using Mozilla’s Readability library.

LayerX says that a subset of 15 extensions specifically targets Gmail data, using a dedicated content script that runs at ‘document_start’ on ‘mail.google.com’ and injects UI elements.

The script reads visible email content directly from the DOM and repeatedly extracts email thread text via ‘.textContent’. The researchers note that even email drafts can be captured.

“When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension’s logic and transmitted to third-party backend infrastructure controlled by the extension operator,” LayerX explains in a report today.

“As a result, email message text and related contextual data may be sent off-device, outside of Gmail’s security boundary, to remote servers.”

The extensions also feature a remotely triggered voice recognition and transcript generation mechanism using the ‘Web Speech API,’ returning the results to the operators. Depending on the granted permissions, the extensions may even siphon conversations from the victim’s environment.

BleepingComputer has contacted Google for comment on LayerX's findings, but we had not received a response by publication time.

It is recommended to check LayerX's list of indicators of compromise for the complete set of malicious extensions. If compromise is confirmed, users should reset passwords for all accounts.
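The two checks described above (matching installed extension IDs against the published indicators, and spotting the Gmail-targeting pattern of a content script on mail.google.com that runs at document_start) can be done offline against a Chrome profile directory. The following is an added example written for this page; it is not code from the article, BleepingComputer or LayerX. It assumes Chrome's standard on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json` and the default Linux profile path; the heuristic weighting and the sample manifests it writes for demonstration are constructed, with placeholder IDs for the two extensions not named in the article.

```python
"""Offline audit of a Chrome profile for the AiFrame indicators described in the article.

Added example; not code from the article, BleepingComputer or LayerX.
Check 1 matches installed extension IDs against the IDs the article lists.
Check 2 is a behavioural heuristic from the article's description of the
Gmail-targeting subset: a content script covering mail.google.com that runs
at document_start. Assumed (not stated in the article): Chrome's layout
<profile>/Extensions/<id>/<version>/manifest.json and the default Linux
profile path used when no argument is given.
"""
import json
import sys
import tempfile
from pathlib import Path

# Extension IDs named in the article. LayerX's full IoC list covers 30 extensions.
AIFRAME_IDS = {
    "fppbiomdkfbhgjjdmojlogeceejinadg": "Gemini AI Sidebar",
    "gghdfkafnhfpaooiolhncejnlgglhkhe": "AI Sidebar",
    "nlhpidbjmmffhoogcennoiopekbiglbp": "AI Assistant",
    "acaeafediijmccnjlokgcdiojiljfpbe": "ChatGPT Translate",
    "kblengdlefjpjkekanpoidgoghdngdgl": "AI GPT",
    "llojfncgbabajmdglnkbhmiebiinohek": "ChatGPT",
    "djhjckkfgancelbmgcamjimgphaphjdl": "AI Sidebar",
    "fdlagfnfaheppaigholhoojabfaapnhb": "Google Gemini",
}

DEFAULT_PROFILE = Path.home() / ".config" / "google-chrome" / "Default"  # assumption


def pattern_covers_gmail(pattern: str) -> bool:
    """True if a Chrome match pattern would run a content script on mail.google.com."""
    if pattern == "<all_urls>":
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]  # strip scheme and path
    return host in ("*", "mail.google.com", "*.google.com")


def gmail_document_start_scripts(manifest: dict) -> list:
    """Return content_script entries that cover Gmail and run at document_start."""
    return [
        cs for cs in manifest.get("content_scripts", [])
        if cs.get("run_at") == "document_start"
        and any(pattern_covers_gmail(m) for m in cs.get("matches", []))
    ]


def iter_manifests(profile_dir: Path):
    """Yield (extension_id, manifest_path) for every installed extension version."""
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = version_dir / "manifest.json"
            if manifest.is_file():
                yield ext_dir.name, manifest


def audit_profile(profile_dir) -> list:
    """Return one finding dict per matched indicator, in extension-ID order."""
    findings = []
    for ext_id, manifest_path in iter_manifests(Path(profile_dir)):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "name": "?", "reason": "unreadable manifest"})
            continue
        name = manifest.get("name", "?")  # may be a __MSG_*__ localisation key
        if ext_id in AIFRAME_IDS:
            findings.append({"id": ext_id, "name": name,
                             "reason": f"known AiFrame ID (listed as {AIFRAME_IDS[ext_id]})"})
        if gmail_document_start_scripts(manifest):
            findings.append({"id": ext_id, "name": name,
                             "reason": "content script covering mail.google.com at document_start"})
    return findings


def build_sample_profile(root=None) -> Path:
    """Write a constructed profile: one known AiFrame ID, one unknown ID with a
    Gmail document_start script, and one benign extension. Demo data only."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="aiframe-demo-"))
    samples = {
        "gghdfkafnhfpaooiolhncejnlgglhkhe": {  # ID from the article
            "manifest_version": 3, "name": "AI Sidebar", "version": "1.0"},
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # constructed placeholder ID
            "manifest_version": 3, "name": "Constructed Gmail helper", "version": "1.0",
            "content_scripts": [{"matches": ["https://mail.google.com/*"],
                                 "js": ["gmail.js"], "run_at": "document_start"}]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # constructed placeholder ID
            "manifest_version": 3, "name": "Constructed benign extension", "version": "2.3",
            "content_scripts": [{"matches": ["https://example.com/*"],
                                 "js": ["page.js"], "run_at": "document_idle"}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / "Extensions" / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True, exist_ok=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PROFILE
    for f in audit_profile(target):
        print(f"{f['id']}  {f['name']!r}: {f['reason']}")
```

Run it with the profile directory as the only argument (for example `python audit.py ~/.config/google-chrome/Default`); on Windows and macOS the profile lives elsewhere, so pass the path explicitly. A hit on the ID list is a confirmed match against the article's indicators; a hit on the Gmail heuristic alone is only a lead, since legitimate mail helpers also inject at document_start, and should be reviewed against LayerX's full IoC list before passwords are reset.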

Source: https://www.bleepingcomputer.com/news/security/fake-ai-chrome-extensions-with-300k-users-steal-credentials-emails/