That AI Extension Helping You Write Emails? It’s Reading Them First

📡 Imperva Blog · 2026-04-30

Executive Summary

We found 18 AI browser extensions marketed as productivity tools that are not as they seem. This group includes extensions such as:

  • One that surveils your emails as you compose them
  • Another that intercepts ChatGPT prompts
  • A third that exfiltrates passwords

Leveraging the rise of generative AI (GenAI), these extensions deliver remote access Trojans (RATs), meddler-in-the-middle (MitM) attacks and infostealers that target prompts, user behavior and browser sessions. Attackers blend the following established techniques with AI productivity lures:

  • API interception
  • Passive Document Object Model (DOM) observation
  • Traffic proxying
  • HTTPS response decryption

Multiple samples contained AI-generated code, indicating that threat actors employed large language models (LLMs) to accelerate malware production.

We specifically reported 18 high-risk extensions to Google. Google either removed the extensions or sent a warning to the owners of the extensions to address policy violations.

Organizations and individual users should exercise caution by sourcing extensions only from trusted providers and adhering to the principle of least privilege. Users must scrutinize requested permissions, as granting broad access to browser data can authorize the interception of sensitive credentials and proprietary session information.

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: GenAI, Infostealer, Remote Access Trojan

Examples of Extensions Disguised as AI Tools

We identified multiple extensions that appeared to be AI tools delivering RATs and MitM campaigns, which we disclosed via timely threat intelligence (TTI) posts. These include:

  • AI-powered summary extensions exfiltrating sensitive data to low-reputation domains (August 2025)
  • Adware campaigns using hidden iframes (August 2025)
  • Cursor customization extensions delivering potentially unwanted programs (PUPs) (August 2025)
  • Prompt and search hijackers redirecting queries to attacker-controlled domains (September 2025)
  • Most recently, a Model Context Protocol (MCP)-themed RAT targeting AI developers (February 2026)

Browser Extensions Expand the Client-Side Attack Surface

Browser extensions operate within the browser's trusted process with user-granted permissions. They can read and modify web content, intercept network requests, access cookies and communicate with external servers. These capabilities are shared with legitimate tools like ad blockers, password managers and developer tools.

Deceptive extensions exploit this privileged position. An extension can override network request APIs before calls leave the page. It can passively monitor DOM changes in targets like Gmail or Notion. It can configure browser proxy settings to route traffic through attacker infrastructure. It can attach the Chrome Debugger Protocol to read decrypted HTTPS response bodies.

GenAI amplifies the risk. When users type prompts into AI services, they routinely share proprietary code, draft communications and strategic plans. An extension positioned between the user and an AI service intercepts sensitive data. This data is far more valuable than the browsing metadata targeted by typical browser malware. Our retrospective analysis of detected high-risk extensions revealed the recurring techniques listed in Table 1.

| Technique | Description | Technical Characteristics | Requires Extension Privilege |
| --- | --- | --- | --- |
| WebSocket-based C2 channels | Persistent bidirectional communication for command dispatch and session management | Maintains an open connection that automatically reconnects on network interruption. Persists across browser restarts. Uses standard WebSocket protocol over HTTPS. | No. Typical malware can establish WebSocket C2 channels. The extension advantage is appearing as legitimate browser traffic and persistence across browser restarts without process injection. |
| Browser API hooking | Intercepting JavaScript API calls before network transmission | Replaces browser's native window.fetch or XMLHttpRequest functions. Operates in a JavaScript context before data is encrypted for transmission. No interception-layer traffic required. | Yes. Content scripts inject code into the page context with API modification privileges. Typical malware would typically require browser process injection. |
| DOM-based exfiltration | Extracting page content through observation rather than network interception | Reads content from the rendered page DOM. The extension generates no network requests for data collection. Operates entirely within the browser process. | Yes. Content scripts have direct read access to the page DOM. Typical malware would require accessibility APIs, screen scraping or browser process memory access. |
| Dynamic proxy configuration | Remote proxy auto-configuration (PAC) script updates for selective traffic routing | Downloads and applies proxy configuration from a remote server. Can be updated without extension store approval. Applies routing rules per-domain or per-URL pattern. | Partially. Typical malware can modify system proxy settings but lacks the chrome.proxy API for programmatic, extension-scoped, dynamic updates without OS-level permissions. |
| Cross-storage persistence with active restoration | Redundant identifier storage across multiple APIs with automated recreation on deletion | Stores identifiers in chrome.storage.sync, cookies and localStorage. Monitors storage-change events. Recreates deleted identifiers from remaining copies. Syncs across devices via Chrome profile. | Yes. Requires chrome.storage.sync API for cross-device persistence and chrome.cookies.onChanged API for real-time monitoring. Typical malware cannot access these browser-internal storage mechanisms. |
| Misuse of one-time extension events | Install-time payload execution via chrome.runtime.onInstalled | The code executes once when the extension installs or updates. The event fires before the user interacts with the extension. Does not repeat on subsequent browser sessions. | Yes. The chrome.runtime.onInstalled event is extension-specific. No equivalent in typical malware. |

Table 1. Recurring techniques seen in GenAI high-risk extensions.
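One way to apply the advice to scrutinize requested permissions is to map what an extension's manifest.json declares onto the Table 1 techniques that those declarations make possible. The following is an added example, not code from the original article; the function names, the host watchlist and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the original article): map manifest.json declarations to the
// Table 1 techniques they make possible. A finding means capability, not proof of malice.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Assumption: watchlist of sites where prompts and drafts are typed.
const SENSITIVE_HOSTS = ["mail.google.com", "chatgpt.com", "www.notion.so"];
const RULES = [
  { needs: ["proxy"], technique: "Dynamic proxy configuration" },
  { needs: ["debugger"], technique: "Debugger attach (decrypted HTTPS response bodies)" },
  { needs: ["cookies", "storage"], technique: "Cross-storage persistence" },
];

// True if a match pattern such as "https://*.google.com/*" covers the host.
function patternCovers(pattern, host) {
  if (BROAD.has(pattern)) return true;
  const m = /^[^:]+:\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const p = m[1];
  if (p === "*") return true;
  return p.startsWith("*.") ? host === p.slice(2) || host.endsWith(p.slice(1)) : host === p;
}

function auditManifest(manifest) {
  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  const findings = RULES.filter((r) => r.needs.every((p) => perms.has(p)))
    .map((r) => r.technique);
  // Content scripts run inside the page: enough for API hooking and DOM reads.
  const patterns = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  // With "scripting", host_permissions also allow injection on demand (MV3).
  if (perms.has("scripting")) patterns.push(...(manifest.host_permissions || []));
  const exposed = SENSITIVE_HOSTS.filter((h) => patterns.some((m) => patternCovers(m, h)));
  if (exposed.length > 0) {
    findings.push("Page access (API hooking / DOM reads): " + exposed.join(", "));
  }
  return findings;
}

// Constructed sample manifests, not taken from any real extension.
const SAMPLE_BROAD = {
  manifest_version: 3, name: "AI Writing Helper (constructed)",
  permissions: ["proxy", "debugger", "cookies", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_SCOPED = {
  manifest_version: 3, name: "Mail Summarizer (constructed)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://*.google.com/*"], js: ["content.js"] }],
};
console.log(auditManifest(SAMPLE_BROAD), auditManifest(SAMPLE_SCOPED));
```

A manifest review cannot surface WebSocket C2 or chrome.runtime.onInstalled use, since neither needs a declared permission; those require reading the extension's code. The scoped sample also shows that a single narrow host pattern is still enough for page access on a mail site.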

As GenAI becomes the primary interface for professional and creative workflows, these extensions can potentially gain direct access to sensitive user information. If operated within the same execution context as the AI interface, these extensions pose a significant risk to enterprises.

We placed detections from campaigns targeting AI users into six distinct malware categories based on their primary operational objective, as shown below in Figure 1. We derived these categories from manual analysis of extension code and network behavior.

The following sections present case studies of these six high-risk GenAI browser extensions.

A RAT: MCP Server AI Automation Extension

A RAT is malware that grants an attacker complete remote control over a victim's system through a persistent command and control (C2) channel. This case study covers an extension named Chrome MCP Server - AI Browser Control that acts as a RAT.

  • Extension ID: fpeabamapgecnidibdmjoepaiehokgda
  • SHA256 hash: 0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5

RATs generally require victims to download and execute suspicious files, actions that security software typically detects as clear indicators of compromise. This GenAI-era adaptation disguises the RAT as an “AI browser automation tool” using the MCP framework, as shown in its Chrome Web Store listing in Figure 2. The listing deceptively states, “100% local processing - your data never leaves your browser” and “No external servers required for core functionality.”

Attackers lead victims to believe that extrem

