Author: Denis Avetisyan
Attackers are increasingly leveraging the hype around generative AI to disguise harmful browser extensions as legitimate tools.
A security analysis reveals how these extensions enable data exfiltration, ad fraud, and the delivery of unwanted programs, highlighting vulnerabilities in the Manifest V3 ecosystem.
While the proliferation of generative AI promises innovation, it simultaneously presents a rapidly expanding attack surface for cybercriminals. Our work, ‘Malicious GenAI Chrome Extensions: Unpacking Data Exfiltration and Malicious Behaviours’, details a large-scale analysis revealing how attackers are disguising malicious browser extensions as legitimate AI tools to facilitate data exfiltration, affiliate fraud, and unwanted program delivery. We identified 341 malicious extensions, including 29 specifically leveraging GenAI themes, demonstrating a direct evolution of browser extension threats alongside generative AI adoption. As these tactics mature, how can users and security platforms effectively distinguish between helpful AI assistants and deceptive, data-stealing extensions?
Unveiling the Attack Surface: Browser Extensions as Vectors
Browser extensions, designed to augment web browsing with added features, inherently introduce significant security vulnerabilities. These small programs routinely request extensive permissions – access to browsing history, stored cookies, and even the ability to read and modify data on any webpage – which, while necessary for functionality, create a substantial attack surface. Malicious actors can exploit these permissions to steal sensitive information like login credentials and financial data, redirect users to phishing sites, or inject malicious code into visited webpages. The very power that makes extensions useful also positions them as a prime target for cybercriminals, demanding increased vigilance from both users and the platforms responsible for distributing these applications. This broad access, coupled with the increasing complexity of modern web applications, makes extensions a particularly attractive vector for sophisticated attacks.
The rapid increase in AI-powered browser extensions, particularly those utilizing Generative AI (GenAI) models, is significantly expanding the potential attack surface for malicious actors. These extensions, while offering innovative functionality, frequently request broad permissions to access user data and browser activity, creating opportunities for abuse. Recent research identified 29 distinct malicious extensions masquerading as legitimate AI tools, demonstrating a clear trend of attackers exploiting the popularity of this technology. These malicious extensions employed tactics ranging from data theft and redirecting traffic to injecting malicious advertisements and even complete account takeover, highlighting the sophistication and variety of threats emerging within the AI extension ecosystem. The accessibility of GenAI models and the relative ease with which extensions can be developed and deployed contribute to this growing risk, demanding increased vigilance from both users and the platforms responsible for distribution.
The Chrome Web Store, while serving as the dominant platform for browser extension distribution, struggles to consistently identify and prevent the publication of malicious software. A recent analysis of 5,551 extensions themed around Artificial Intelligence, conducted over a nine-month period, revealed significant vulnerabilities in the vetting process. This research demonstrates that a substantial number of potentially harmful extensions can bypass initial security checks, posing a risk to user data and system integrity. The sheer volume of submissions, combined with the increasing sophistication of malicious code designed to mimic legitimate functionality, creates a challenging environment for effective oversight. This highlights the need for more robust and adaptive security measures within the CWS to safeguard users against the evolving threat landscape presented by browser extensions.
Dissecting the Tactics: From Data Theft to Fraudulent Redirection
Adversary-in-the-Browser (AiTB) attacks leverage malicious browser extensions, specifically employing Content Scripts, to compromise user data within a current browser session. Content Scripts are code segments that run in the context of webpages viewed by the user, granting attackers direct access to the Document Object Model (DOM) and the ability to read, modify, or exfiltrate sensitive information such as login credentials, financial details, and personally identifiable information (PII). Unlike traditional malware, AiTB attacks operate within the legitimate browser environment, making detection more challenging as the malicious activity appears to originate from the user’s trusted web browsing experience. This direct access bypasses many standard security measures designed to protect data in transit or at rest, enabling real-time data theft and manipulation before it is even transmitted.
Adversary-in-the-Browser (AiTB) attacks, as demonstrated by extensions such as Supersonic AI, function by injecting malicious code – specifically, Content Scripts – into a user’s web browser. These scripts operate within the trusted context of the browser, allowing them to intercept and extract sensitive data directly from web pages before it is transmitted, or to modify page content. This capability enables the theft of credentials, personal information, and financial data. The prevalence of AiTB tactics, indicated by the identification of 341 malicious Chrome extensions utilizing these methods, suggests a significant risk of widespread data breaches affecting a large user base, as attackers can leverage legitimate browser functionality to compromise user security.
Affiliate fraud operates by redirecting user traffic to unwanted or malicious software, generating revenue for the attacker through deceptive advertising practices. This commonly involves injecting affiliate links into legitimate search results or website content, so that when a user clicks, they are directed to a site offering software bundled with potentially unwanted programs (PUPs) or outright malware. Attackers profit from each successful redirection via commission-based affiliate programs. DeepSeek AI is one example where this tactic was observed, demonstrating how seemingly legitimate entities can participate in revenue-generating fraud by intentionally redirecting users to harmful downloads or websites. This practice circumvents security measures and exploits user trust for financial gain.
Research indicates a significant prevalence of query hijacking within Chrome extensions, with a total of 341 malicious extensions identified as employing this technique. These extensions operate by intercepting user search queries, creating a potential pathway for data exfiltration or redirection to malicious websites. Notably, the study uncovered 154 previously unreported extensions utilizing query hijacking, indicating an ongoing and expanding threat landscape. This practice allows attackers to monitor search behavior and potentially compromise user privacy or financial security through targeted attacks or the distribution of malware.
Deconstructing the System: Manifests, Permissions, and the Quest for Control
The extension manifest file, typically named manifest.json, serves as a metadata descriptor defining the extension’s name, version, required permissions, and content security policies. While essential for proper functionality and security enforcement, vulnerabilities within the manifest’s parsing and handling can be exploited. Specifically, improper validation of manifest keys or values can lead to code injection or allow an extension to bypass security restrictions. Furthermore, inconsistencies between declared permissions and actual code behavior, if not rigorously audited, represent a significant attack vector. Manifest files are subject to the same security considerations as any other user-provided configuration file, necessitating careful input validation and sandboxing to mitigate potential risks.
The browser extension Permissions Model aims to limit the potential damage from malicious or compromised extensions by requiring them to declare the specific resources they need access to. However, this security mechanism is not foolproof. Extensions can request overly broad permissions – such as access to “all websites” – granting them unnecessary and potentially exploitable capabilities. Furthermore, implicit access vulnerabilities can occur when granting one permission inadvertently allows access to related resources or functionality not explicitly requested. This circumvention can happen due to the design of certain APIs or through unintended consequences of permission combinations, enabling an extension to perform actions beyond its declared scope.
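A static check for the over-broad declarations described above, as an added example that is not code from the paper or from Chrome: it reads a manifest.json object and reports broad host access, sensitive API permissions, content scripts that match every site, and a search-provider override. The two manifests and the finding names are constructed, and the shortlist of sensitive permissions is an assumption a reviewer would tune.

```javascript
// Static manifest review (added example; manifests below are constructed).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Assumed shortlist of API permissions worth a reviewer's attention.
const SENSITIVE_APIS = new Set(["cookies", "history", "tabs", "webRequest", "scripting"]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  const declared = manifest.permissions || [];
  // MV3 lists host patterns in host_permissions; MV2 mixed them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...declared.filter(isHostPattern)];
  for (const h of hosts) {
    if (BROAD_HOSTS.has(h)) findings.push({ rule: "broad-host-access", detail: h });
  }
  for (const p of declared) {
    if (SENSITIVE_APIS.has(p)) findings.push({ rule: "sensitive-api", detail: p });
  }
  // A content script can read and modify the DOM of every page its patterns match.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.has(m))) {
      findings.push({ rule: "content-script-everywhere", detail: (cs.js || []).join(",") });
    }
  }
  // A search_provider override sends the user's search queries to the declared URL.
  const overrides = manifest.chrome_settings_overrides || {};
  if (overrides.search_provider) {
    findings.push({ rule: "search-override", detail: overrides.search_provider.search_url || "" });
  }
  return findings;
}

const narrowManifest = {
  manifest_version: 3, name: "Page Summarizer (constructed)",
  permissions: ["activeTab", "storage"],
};
const broadManifest = {
  manifest_version: 3, name: "AI Helper (constructed)",
  permissions: ["cookies", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  chrome_settings_overrides: {
    search_provider: { name: "Example", search_url: "https://search.example/?q={searchTerms}" },
  },
};

for (const m of [narrowManifest, broadManifest]) {
  console.log(m.name, auditManifest(m).map((f) => `${f.rule}:${f.detail}`));
}
```

A manifest that returns no findings can still misbehave at runtime; the check only compares what is declared against what a summarizer-style tool plausibly needs.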
Manifest V3 replaces the older, more flexible web request API with the Declarative Net Request API to improve extension security. This API operates by defining declarative rules that specify which network requests to block or modify, rather than using JavaScript code to inspect and alter requests in real-time. By shifting from code-based request interception to a rule-based system, Manifest V3 significantly reduces the attack surface exposed to malicious extensions, limiting the potential for arbitrary code execution and data breaches. The declarative approach also improves performance and reduces resource consumption by offloading request processing to the browser’s networking stack.
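The rule-based model described above, as an added example (not code from the paper or from Chrome): a small reviewer script that walks a rule list in the declarativeNetRequest format and reports every rule whose action is a redirect, since those rules rewrite where a request goes. The three rules, the example domains and the finding names are constructed.

```javascript
// Review of a declarativeNetRequest rule file (added example; rules are constructed).
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "redirect") continue; // this check covers redirect rules only
    const redirect = action.redirect || {};
    // When resourceTypes is omitted, a rule applies to every type except main_frame.
    const types = (rule.condition && rule.condition.resourceTypes) || [];
    const query = (redirect.transform && redirect.transform.queryTransform) || {};
    findings.push({
      id: rule.id,
      rule: types.includes("main_frame") ? "redirects-navigation" : "redirects-subresource",
      // Query parameters the rule adds or overwrites on the matched URL.
      addsParams: (query.addOrReplaceParams || []).map((p) => p.key),
      // Fixed destination, if the rule replaces the URL outright.
      target: redirect.url || redirect.regexSubstitution || null,
    });
  }
  return findings;
}

const sampleRules = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example^", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 1,
    action: { type: "redirect", redirect: { transform: { queryTransform: {
      addOrReplaceParams: [{ key: "tag", value: "constructed-id" }] } } } },
    condition: { urlFilter: "||shop.example^", resourceTypes: ["main_frame"] } },
  { id: 3, priority: 1,
    action: { type: "redirect", redirect: { url: "https://cdn.example/lib.js" } },
    condition: { urlFilter: "||old.example/lib.js", resourceTypes: ["script"] } },
];

console.log(JSON.stringify(auditRules(sampleRules), null, 2));
```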
Service Workers, functioning as programmable network proxies, enable extensions to perform background tasks such as handling push notifications, synchronizing data, and intercepting network requests even when the associated browser window is closed. However, vulnerabilities in Service Worker code – including improper input validation, insecure data handling, or logic errors – can be exploited to execute malicious code in the context of the extension and, potentially, the user’s browser session. Common issues include cross-site scripting (XSS) vulnerabilities within Service Worker scripts, insecure storage of sensitive data within the Service Worker’s scope, and improper handling of intercepted network requests, leading to man-in-the-middle attacks or data exfiltration. Furthermore, a poorly implemented Service Worker can consume excessive resources, leading to denial-of-service conditions or impacting browser performance.
The Persistence of Threat: Data Storage and the Long Game
Browser extensions, while often providing valuable functionality, can exploit the Local Storage feature to maintain a persistent presence on a user’s system. Local Storage, designed for websites to store data locally within a browser, allows extensions to save information beyond a single session, effectively bypassing the typical limitations of cookies. This capability is frequently abused by malicious extensions to store tracking data, session tokens, or even executable code, enabling continued operation and data access even after the browser is closed and reopened. The persistence afforded by Local Storage allows these extensions to re-establish their malicious activity automatically, creating a significant and ongoing security risk for unsuspecting users and complicating efforts to fully remove the threat through standard browser clearing methods.
Investigations reveal that DeepSeek AI, a burgeoning artificial intelligence entity, strategically employs Local Storage within its browser extensions to retain potentially sensitive user data. This practice isn’t simply for convenience; it directly enables a sophisticated affiliate fraud scheme. By persisting tracking information locally, the extension can maintain user sessions and falsely attribute purchases to specific affiliate links even after a browser is closed and reopened. This circumvents typical fraud detection mechanisms, inflating affiliate revenue for DeepSeek AI while potentially misleading consumers and harming legitimate businesses. The persistent nature of the stored data, combined with the AI’s ability to subtly manipulate browsing behavior, creates a particularly challenging threat landscape for both users and security professionals.
The escalating sophistication of cyberattacks converges with the expanding frontier of AI-driven browser technologies to create a substantial and persistent security challenge for users. A projected compound annual growth rate of 32.8% positions the AI browser market at $76.8 billion by 2034, while search interest in ‘chrome extension ai’ has surged by 900% year-over-year. This rapid expansion, coupled with the use of persistent data storage mechanisms within malicious extensions, provides attackers with increased opportunities to maintain access and execute fraudulent activities. The resulting heightened attack surface demands proactive security measures to protect against evolving threats and safeguard user data in this dynamic digital landscape.
The proliferation of malicious browser extensions presents an escalating security challenge, demanding continuous vigilance and strengthened defenses. Recent analysis reveals a significant surge in the number of ‘AI-Summarizing’ Chrome extensions – increasing from 16 in 2023 to 41 in 2025 – highlighting a rapidly expanding attack surface. This growth, coupled with the increasing sophistication of extension-based threats that leverage persistent data storage, underscores the critical need for robust security protocols. Proactive monitoring of extension behavior, stringent permission controls and regular security audits are essential to mitigate the impact of these evolving threats and protect users from data compromise and fraudulent activity.
The analysis detailed within reveals a concerning trend: malicious actors are actively probing the boundaries of trust within the browser ecosystem. This mirrors a fundamental principle of understanding any system – dissecting it to reveal its vulnerabilities. As David Hilbert stated, “We must be able to answer the question: what are the ultimate foundations of mathematics?” Similarly, this research seeks the ultimate foundations of security in the age of generative AI, uncovering how seemingly benign extensions can be exploited for data exfiltration and fraud. The article demonstrates that the ‘code’ of these extensions – much like reality itself – remains open for interpretation and, unfortunately, manipulation.
What Breaks Next?
The proliferation of malicious GenAI-powered browser extensions isn’t simply a technical problem; it’s a predictable consequence of applying a superficially intelligent layer to a fundamentally untrustworthy ecosystem. The current analysis highlights data exfiltration and ad fraud, but those are merely the visible fractures. One wonders what happens when these extensions begin leveraging generative capabilities for more sophisticated social engineering – crafting personalized phishing attacks delivered directly within the browser, or subtly altering displayed information to manipulate user behavior. The limitations of Manifest V3, intended to enhance security, are exposed not as failures of the system itself, but as constraints that attackers will inevitably learn to circumvent.
Future work shouldn’t focus solely on detection; that’s a perpetual arms race. Instead, the field should interrogate the underlying assumptions of browser extension architecture. What if extensions weren’t granted such broad permissions in the first place? What if the browser itself actively challenged an extension’s claims of functionality, subjecting generative outputs to scrutiny before presenting them to the user? These questions demand a shift from reactive security to proactive skepticism.
Ultimately, this research demonstrates a principle: intelligence, whether artificial or human, is merely a tool. It amplifies existing capabilities, for good or ill. The real challenge lies not in controlling the tool, but in understanding the motivations of those wielding it, and anticipating the inevitable attempts to break the rules.
Original article: https://arxiv.org/pdf/2512.10029.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2025-12-13 11:22