A new wave of AI-themed browser extensions claims to offer seamless “ChatGPT,” “Llama,” “Perplexity,” and “Claude” search experiences directly within Chrome’s omnibox.
In reality, these add-ons exploit the chrome_settings_overrides manifest key to replace the browser’s default search engine.
Any text the user enters is intercepted by obfuscated JavaScript routines that log search queries and personal data before forwarding the requests to attacker-controlled domains such as chatgptforchrome.com, dinershtein.com, and gen-ai-search.com.
Periodic remote script updates enable persistent hijacking even after manual resets of local storage or manifest settings, ensuring uninterrupted data exfiltration.
Researchers have identified eight primary malicious extensions through their unique IDs, claimed AI functionality, and associated redirect domains. The extension akfnjopjnnemejchppfpomhnejoiiini advertises a “Claude search” but reroutes queries to dinershtein.com.
The 2023 variant boofekcjiojcpcehaldjhjfhcienopme, which reached over 15,800 users, posed as “AI ChatGPT” and used chatgptforchrome.com to steal Facebook session tokens via deeply obfuscated scripts.
Current campaigns include bpeheoocinjpbchkmddjdaiafjkgdgoi (“ChatGPT for Chrome”), ecimcibolpbgimkehmclafnifblhmkkb (“Perplexity Search”), jhhjbaicgmecddbaobeobkikgmfffaeg (“Chat AI for Chrome”), jijilhfkldabicahgkmgjgladmggnkpb (“GenAISearch”), lnjebiohklcphainmilcdoakkbjlkdpn (“ChatGPT Search”), and pjcfmnfappcoomegbhlaahhddnhnapeb (“Meta Llama Search”).
Each extension leverages identical redirection techniques to capture omnibox input under the guise of AI tool functionality.
The initial “AI ChatGPT” extension campaign leveraged complex obfuscation to evade detection, facilitating credential theft and session hijacking.
Today’s resurgence builds on that infrastructure with enhanced social engineering strategies, including YouTube promotional videos enticing users to install “Chat AI for Chrome.”
As the ecosystem matures, analysts anticipate more sophisticated variants capable of injecting phishing overlays directly into popular websites or deploying secondary payloads such as browser-based cryptominers and ransomware.
Effective defense begins with a rigorous vetting of extension publishers and a thorough scrutiny of user reviews before installation.
Enterprise administrators should audit any changes to the chrome_settings_overrides field in extension manifests across managed devices to identify unauthorized search engine alterations.
Deploying endpoint detection and response solutions can identify anomalous redirection patterns in real time, while browser isolation technologies prevent malicious scripts from accessing underlying system resources.
Regular review of installed extensions, coupled with prompt removal of unused or suspicious add-ons, further minimizes exposure to prompt-hijacking threats.
Remaining vigilant and fostering user awareness around AI extension security are essential to safeguarding both personal and organizational data.
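The manifest audit recommended above can be scripted. The following is an added example, not code from the original article: it walks a Chrome profile's Extensions directory, reads each manifest.json, and flags any chrome_settings_overrides.search_provider whose search_url or suggest_url points at a domain or extension ID named in this report, or at any host outside an assumed allowlist of approved search engines (the allowlist, the profile path layout and the sample manifest are assumptions).

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Extension IDs and redirect domains named in the report above.
KNOWN_BAD_IDS = {
    "akfnjopjnnemejchppfpomhnejoiiini", "boofekcjiojcpcehaldjhjfhcienopme",
    "bpeheoocinjpbchkmddjdaiafjkgdgoi", "ecimcibolpbgimkehmclafnifblhmkkb",
    "jhhjbaicgmecddbaobeobkikgmfffaeg", "jijilhfkldabicahgkmgjgladmggnkpb",
    "lnjebiohklcphainmilcdoakkbjlkdpn", "pjcfmnfappcoomegbhlaahhddnhnapeb",
}
KNOWN_BAD_DOMAINS = {"chatgptforchrome.com", "dinershtein.com", "gen-ai-search.com"}
# Assumed allowlist of search hosts the organisation permits; adjust to local policy.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def audit_manifest(ext_id: str, manifest: dict) -> list:
    """Return findings for one extension manifest; an empty list means clean."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"{ext_id}: extension ID is on the known-malicious list")
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if not provider:
        return findings
    # search_url and suggest_url are the endpoints that receive omnibox input.
    for key in ("search_url", "suggest_url"):
        url = provider.get(key)
        if not url:
            continue
        host = urlparse(url).hostname or ""
        if host in KNOWN_BAD_DOMAINS or host.endswith(tuple("." + d for d in KNOWN_BAD_DOMAINS)):
            findings.append(f"{ext_id}: {key} sends queries to known-bad host {host}")
        elif host not in ALLOWED_SEARCH_HOSTS:
            findings.append(f"{ext_id}: {key} overrides search with unapproved host {host}")
    return findings


def audit_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed layout) and collect findings."""
    findings = []
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            findings += audit_manifest(ext_id, json.load(fh))
    return findings


# Constructed sample shaped like the "Claude search" override described above.
SAMPLE_MANIFEST = {"name": "Claude search", "chrome_settings_overrides": {"search_provider": {
    "name": "Claude search", "keyword": "claude", "is_default": True,
    "search_url": "https://dinershtein.com/search?q={searchTerms}"}}}
```

Run `audit_profile(Path("<profile>/Extensions"))` against each managed profile and treat any non-empty result as a ticket; an unapproved host is not proof of compromise, but it is exactly the manifest change the article says to look for.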
The post Hackers Distribute Dangerous AI Tools Through Chrome Extensions appeared first on Cyber Security News.