Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data

The researcher has linked the extensions to 32 entities and has uncovered connections to known distributors of spyware extensions.In a separatereport, LayerX has detailed the malicious behavior of 30 Chrome extensions with over 260,000 downloads that were seen injecting iframes to manipulate content and steal users’ browser data.Posing as AI assistance tools, all extensions had “the same internal structure, JavaScript logic, permissions, and backend infrastructure”, suggesting they are part of a single, coordinated operation.One extension would render a full screen iframe pointing to a remote domain and allowing the attacker to load remote content to manipulate the UI directly.The extension can also extract data from the active tab, supports message-triggered voice recognition, and includes explicit tracking pixel scripts.According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

In a separatereport, LayerX has detailed the malicious behavior of 30 Chrome extensions with over 260,000 downloads that were seen injecting iframes to manipulate content and steal users’ browser data.Posing as AI assistance tools, all extensions had “the same internal structure, JavaScript logic, permissions, and backend infrastructure”, suggesting they are part of a single, coordinated operation.One extension would render a full screen iframe pointing to a remote domain and allowing the attacker to load remote content to manipulate the UI directly.The extension can also extract data from the active tab, supports message-triggered voice recognition, and includes explicit tracking pixel scripts.According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Posing as AI assistance tools, all extensions had “the same internal structure, JavaScript logic, permissions, and backend infrastructure”, suggesting they are part of a single, coordinated operation.One extension would render a full screen iframe pointing to a remote domain and allowing the attacker to load remote content to manipulate the UI directly.The extension can also extract data from the active tab, supports message-triggered voice recognition, and includes explicit tracking pixel scripts.According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

One extension would render a full screen iframe pointing to a remote domain and allowing the attacker to load remote content to manipulate the UI directly.The extension can also extract data from the active tab, supports message-triggered voice recognition, and includes explicit tracking pixel scripts.According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

The extension can also extract data from the active tab, supports message-triggered voice recognition, and includes explicit tracking pixel scripts.According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

According to LayerX, 15 extensions were seen specifically targeting Gmail, extracting email content and transmitting it to third-party infrastructure.Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Related:Malicious Chrome Extension Crashes Browser in ClickFix Variant ‘CrashFix’Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Related:Chrome, Edge Extensions Caught Stealing ChatGPT SessionsRelated:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Related:GhostPoster Firefox Extensions Hide Malware in IconsRelated:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Related:Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Source: SecurityWeek