
Over 300 Malicious Chrome Extensions Expose 37 Million Users to Data Theft

February 15, 2026

Security researchers have uncovered more than 300 malicious Google Chrome extensions with over 37 million combined downloads that expose users to tracking, credential theft, and personal data exfiltration. The discoveries span multiple coordinated campaigns including fake AI assistants targeting Gmail users and account hijacking tools aimed at Russian social media users.

Massive Chrome Extension Threat Uncovered

Security researchers have discovered a sprawling network of more than 300 malicious Chrome extensions that have been silently harvesting user data from an estimated 37 million people. The extensions, spread across multiple coordinated campaigns, were found to be leaking browsing history, stealing credentials, reading emails, and exfiltrating personal information to third-party servers.

Fake AI Assistants Lead the Attack

The most sophisticated campaign, dubbed AiFrame by browser security firm LayerX, involves 32 extensions disguised as AI assistants impersonating popular tools like ChatGPT, Claude, Gemini, and Grok. Affecting over 260,000 users, these extensions appear to offer AI-powered summarisation, writing assistance, and Gmail integration. Instead of running functionality locally, they embed remote server-controlled interfaces via full-screen iframes, granting operators the ability to change malicious behaviour without pushing updates through the Chrome Web Store.

Fifteen of the AiFrame extensions specifically target Gmail, reading email content directly from the browser. Researchers also discovered a remotely triggered voice recognition mechanism capable of recording real-life conversations through victims' computers.

VKontakte Users Hit by Account Hijacking

A separate campaign uncovered by Koi Security targeted Russia's VKontakte social network, infecting approximately 500,000 users through five Chrome extensions disguised as VK customisation tools. The malware automatically subscribes victims to attacker-controlled groups, resets account settings every 30 days to maintain control, and manipulates security tokens to bypass protections. The operation was traced to a single threat actor using a VKontakte profile as command-and-control infrastructure.

Broader Data Harvesting at Scale

Beyond these targeted campaigns, researchers at Q Continuum identified 287 extensions transmitting browsing history to data brokers, with recipients including Similarweb, Alibaba Group, ByteDance, and Semrush. Several AiFrame extensions had been marked as Featured by the Chrome Web Store before removal, lending them false credibility. Google has removed or disabled extensions affecting over 8.8 million users in coordinated malware campaigns between late 2024 and early 2026. Security experts recommend regular audits of installed extensions and careful vetting of permissions before installation.
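
One way to carry out the audit recommended above, as an added example that is not from the original story or from the researchers it cites: a Python check over an unpacked extension's manifest and files that flags the traits described for these campaigns (Gmail or all-site host access, the history permission, iframes pointed at a remote server). The function name, finding labels and the sample extension are constructed for illustration.

```python
import json
import re

# Chrome match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# <iframe src="https://..."> in extension HTML.
IFRAME_TAG = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*["'](https?://[^"']+)""", re.I)
# x.src = "https://..." in script; only trusted when the file also creates an iframe.
JS_SRC = re.compile(r"""\.src\s*=\s*["'](https?://[^"']+)""")
CREATES_IFRAME = re.compile(r"""createElement\(\s*["']iframe["']\s*\)""", re.I)

def audit_extension(manifest, files):
    """Return findings for one extension.

    manifest: parsed manifest.json (dict)
    files: {relative_path: text} for the extension's HTML/JS files
    """
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host patterns inside "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad-host-access")
    if any("mail.google.com" in h for h in hosts):
        findings.append("gmail-access")
    if "history" in perms:
        findings.append("history-permission")
    for path, text in sorted(files.items()):
        urls = IFRAME_TAG.findall(text)
        if CREATES_IFRAME.search(text):
            urls += JS_SRC.findall(text)
        findings += [f"remote-iframe:{path}:{url}" for url in urls]
    return findings

# Constructed sample: not a real extension, host name is a placeholder.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Constructed AI Helper",
  "permissions": ["history", "storage"],
  "host_permissions": ["https://mail.google.com/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}""")
SAMPLE_FILES = {
    "content.js": 'const f = document.createElement("iframe");\n'
                  'f.src = "https://ui.example.invalid/panel";\n'
                  'document.body.appendChild(f);',
    "popup.html": "<html><body><p>local UI</p></body></html>",
}
if __name__ == "__main__":
    print("\n".join(audit_extension(SAMPLE_MANIFEST, SAMPLE_FILES)))
```

A finding is a prompt for manual review rather than proof of malice, since many legitimate extensions request broad host access.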

Published February 15, 2026 at 3:35pm
