The rush to integrate Generative AI into daily workflows has opened a dangerous new front in the cyber security war, one that's hiding in plain sight: the humble browser extension. New research from Palo Alto Networks security experts, Shresta Seetharam, Mohamed Nabeel, and William Melicher, reveals a disturbing trend of malicious GenAI-themed Chrome extensions being used for sophisticated data exfiltration and harmful redirection schemes.
The findings, presented at the Virus Bulletin Conference, detail how cybercriminals are exploiting the GenAI hype to push malicious add-ons, often impersonating legitimate services like DeepSeek AI or Perplexity Search, to bypass security measures and steal sensitive user data.
The Gold Rush Attracts Digital Thieves
The explosive growth of GenAI has seen an increasing demand for browser-based AI tools, with the "AI Browser Extensions/Add-ons" segment projected to be a major part of a global AI browser market set to hit $76.8 billion by 2034. This gold rush for productivity has created a massive new attack surface. The Palo Alto Networks team curated a dataset of 5,551 AI-themed extensions released in the Chrome Web Store between January and September 2025.
Using a multi-signal detection methodology that combines metadata analysis, source code scrutiny, and runtime network behavior monitoring, the researchers uncovered 154 previously undetected malicious extensions. Out of the final set of 341 known malicious extensions, 29 were GenAI-related, demonstrating that threat actors are actively leveraging this trend.
Adversary-in-the-Browser: The New Exfiltration Playbook
The core of the threat revolves around data exfiltration and malicious redirection, with attackers exploiting the extended permissions granted to browser extensions.
One of the most alarming techniques uncovered is the Adversary-in-the-Browser (AiTB), exemplified by a malicious extension named "Supersonic AI." This extension, which was listed on the Chrome Web Store as an AI-powered email assistant, was designed to steal sensitive information directly from a user’s Gmail or Outlook DOM (Document Object Model). The attack flow showed that simply using the extension's advertised "Generate reply" feature would trigger the content script to harvest the entire email thread's content, including sensitive data like M&A term sheets or PII, and exfiltrate it to an attacker-controlled endpoint.
More dangerously, the team also documented a passive data exfiltration flow, where the extension would steal sensitive data, such as a password reset PIN from a viewed email, in real-time without any direct user interaction with the extension’s features.
Evasive Tactics: Impersonation and Bait-and-Switch
Attackers are deploying layered evasion techniques to maximize their reach and persistence:
- Impersonation and Dual Functionality: The "DeepSeek AI | Free AI Assistant" extension was found to impersonate the legitimate AI service and maintain user trust by offering genuine functionality, forwarding user queries to the real DeepSeek backend. However, simultaneously, it was sending GET requests to a known malicious endpoint for Command-and-Control (C2) communication. This dual functionality makes the extension appear legitimate while performing covert malicious actions.
- Bait-and-Switch Updates: Analysis revealed that some malicious extensions, like the DeepSeek AI example, were initially published as benign (non-malicious) versions. A subsequent major update introduced malicious behavior and code re-obfuscation, an evasive technique that makes it harder for reviewers to detect the changes.
- Prompt Hijacking: Leveraging the chrome_settings_overrides API, extensions like "Perplexity Search" were found to hijack a user's queries—or more specifically, their detailed, conversational LLM prompts—intercepting this sensitive information before transparently redirecting the user to the legitimate AI service. This subtle redirection grants the attacker a continuous stream of the user’s conversational input without disrupting the workflow.
Monetization through Malicious Redirection
Beyond data theft, malicious extensions are being used for direct financial gain via malicious redirection. One case study, "Photoroom AI Photo Editor," abused the chrome.runtime.onInstalled event to immediately redirect a newly installed user to a deceptive error page. This page, which was an iframe loaded from an attacker domain, prompted the user to download "Opera GX" through an affiliate-tracking URL, monetizing the installation via an affiliate fraud (Paid Acquisition) scheme.
The Path to Secure GenAI Browsing
The research clearly shows that cybercriminals are adapting rapidly to the GenAI trend and the Chrome Manifest V3 security changes, finding new ways to exploit extension capabilities for data exfiltration and monetization. The researchers stress that a comprehensive defense requires a combination of manifest analysis, static code review, and dynamic, runtime behavioral monitoring to effectively counter these rapidly evolving, insidious threats.
