TL;DR: Browser-based prompt injection can turn a single malicious or hijacked extension into a covert data theft path for ChatGPT, Google Gemini, and other LLM-connected tools, according to Swarmnetics. The practical problem is not the model alone but the browser permissions and connected data sources that let attackers read, log, and erase sensitive content without obvious detection.
At a glance
What this is: This article explains how browser prompt injection can abuse extension and DOM permissions to silently control LLM sessions and exfiltrate data.
Why it matters: It matters because identity, access, and browser governance now intersect at the point where LLM-connected tools inherit permissions that can expose sensitive enterprise data.
👉 Read Swarmnetics's analysis of browser prompt injection attacks on LLMs
Context
Browser prompt injection is a misuse of legitimate browser scripting and extension access that turns an approved interaction path into a covert control path for an LLM. The security gap is that existing browser trust models assume extensions behave as intended, while LLM-connected workflows can inherit that trust and act on it at scale.
For IAM and NHI teams, this is not just an application-layer concern. When an LLM is connected to workspace data or internal systems, the browser extension becomes part of the effective access chain, which means identity governance, permission review, and session monitoring all need to account for delegated machine actions as well as human ones.
Key questions
Q: How should security teams control browser prompt injection risk in LLM tools?
A: Start by treating browser extensions, connector permissions, and session telemetry as a single control surface. Approve only necessary extensions, limit which data sources the LLM can reach, and monitor interactions that look like legitimate DOM activity but produce unusual data exposure. The key is to reduce both trust and blast radius at the browser layer.
Q: Why do cryptographic changes matter to IAM and NHI programmes?
A: IAM and NHI programmes rely on certificates, signing keys, and token trust to establish who or what is authenticated. If those cryptographic controls cannot change cleanly, trust flows become brittle, incident recovery slows, and the organisation loses the ability to respond to new standards or vulnerabilities without disruption.
Q: What breaks when extensions can issue hidden prompts to LLMs?
A: Auditability breaks first, because background interactions can erase the user-visible trail by deleting chats or hiding activity in tabs. Then data governance breaks, because the model may retrieve content from connected services that the user never intended to expose. Security teams need visibility into both extension behaviour and LLM outputs.
Q: Who is accountable when a browser extension exposes LLM-connected data?
A: Accountability usually spans endpoint security, IAM, and the team operating the GenAI tool. Endpoint owners govern the extension, identity teams govern the connector and access scope, and platform owners govern logging and detection. Frameworks like the NIST Cybersecurity Framework and NIST AI RMF both point to shared ownership rather than a single control team.
Technical breakdown
How browser extensions turn into a prompt injection path
A browser extension with scripting access can place instructions into an LLM session through the page DOM, which is the browser structure used to read and modify content. Because the action looks like normal browser interaction, the model and the browser both treat it as permitted activity. The attacker does not need a new exploit in the LLM itself if they can piggyback on extension privileges already present in the user environment. That is why the attack can work against multiple models and across different browsers when the extension model is permissive.
Practical implication: review extension permissions as part of access governance, not only as endpoint hygiene.
Why connected data sources increase the blast radius
The risk grows sharply when an LLM can reach email, documents, messages, or contact data. In that case, prompt injection is no longer only about manipulating model output. It becomes a delegated access problem in which the attacker uses the LLM as an intermediary to query and assemble information from connected services. The browser extension does not need full direct access to every system if the LLM already holds that bridge to data sources and can be induced to retrieve or expose content on demand.
Practical implication: constrain which data sources an LLM can reach and treat every connector as an additional access path.
Why these attacks evade normal detection
These attacks are hard to spot because the malicious activity can resemble legitimate DOM interactions and routine automation. Security tools often look for obviously unauthorized behaviour, but here the extension is operating within granted browser permissions. If the extension deletes the chat history or works through background tabs, investigators may lose the user-visible evidence trail. Detection therefore depends on telemetry that can observe browser-to-LLM interactions, extension behaviour, and unusual content extraction patterns rather than only classic malware indicators.
Practical implication: add browser and LLM interaction logging to detection workflows where sensitive data is exposed through GenAI tools.
Threat narrative
Attacker objective: The attacker wants to use the browser as a trusted conduit for stealthy LLM-driven data exfiltration while avoiding obvious user or security-tool detection.
- Entry occurs when an attacker installs a malicious browser extension or hijacks an existing trusted extension with scripting access.
- Escalation happens when the extension uses normal DOM permissions to inject prompts into the LLM and read the responses without prompting the user.
- Impact follows when the LLM is steered to expose chat content or connected workspace data, allowing covert theft and cleanup of evidence.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Browser prompt injection is now an identity and access problem, not just an LLM safety problem. The attack path depends on existing browser permissions, extension trust, and the LLM’s delegated access to connected services. That places it squarely in the governance space that IAM and PAM teams already manage, even though the abuse surface looks like application behaviour. Practitioners should treat browser-mediated LLM access as part of the access control plane.
Extension trust gap: The article exposes a simple but often ignored failure mode, which is that organisations tend to trust extensions once they are installed. That assumption breaks when a previously approved extension can be hijacked, repurposed, or silently altered to issue LLM instructions. The control gap is lifecycle oversight for browser add-ons, including approval, review, and removal. Practitioners should inventory extensions with the same discipline they apply to privileged access.
LLM connectors expand the effective blast radius of every browser session. When an LLM is connected to workspace data, the browser becomes an access broker to email, documents, messages, and contact stores. That means a prompt injection attack can translate a local browser weakness into a broader data governance incident. The implication for security leaders is that connector permissions, not just model prompts, need review through an identity and data governance lens.
Detection must move closer to the interaction boundary. Traditional controls will miss attacks that ride on permitted DOM activity and legitimate browser behaviour. The practical governance question is whether teams can observe what data the LLM touched, which extensions were involved, and whether background interactions align with intended use. Practitioners should prioritize telemetry and policy controls at the browser-to-LLM boundary, where trust is currently thinnest.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- As browser-based GenAI usage expands, pair agent visibility with 52 NHI Breaches Analysis to understand how delegated access failures become incident paths.
What this signals
Browser prompt injection widens the governance gap between approved access and intended access. The practical signal for security teams is that browser controls, LLM connectors, and identity governance now need to be assessed together, because the attacker path lives in the seams between those layers.
Delegated access drift: the boundary between what a user can do and what a connected LLM can do is becoming harder to see. That creates a new programme risk for teams that still track access only at login or only at the model layer. Security leaders should expect more demand for browser telemetry, connector inventories, and evidence of what data each LLM session touched.
For practitioners
- Inventory and approve browser extensions Maintain a living inventory of extensions allowed on endpoints that access GenAI tools, and remove anything that no longer has a clear business need. Treat extension approval as a control that affects data access paths, not just browser usability.
- Restrict LLM connector scope Limit which mail, document, messaging, and contact sources an LLM can reach, then review connector permissions as part of access recertification. The goal is to reduce the amount of sensitive data a prompt injection can expose through a single session.
- Monitor DOM and extension behaviour Add telemetry for unusual DOM interaction patterns, background tab activity, and repeated prompt execution from the same extension. This gives defenders a chance to detect covert LLM interactions that would otherwise look legitimate.
- Require behavioral review for new installs Screen new extensions with behavioural risk assessment before deployment, and re-evaluate existing extensions after updates or ownership changes. That helps catch hidden permission shifts before they become an access problem.
- Map GenAI access into identity governance Document which users, devices, and extensions can influence enterprise LLM sessions, and tie that mapping to the same governance process used for privileged accounts and sensitive workspace access.
Key takeaways
- Browser prompt injection turns extension trust into an access-control issue that can expose LLM-connected data without obvious compromise.
- The biggest risk is not only model manipulation but the use of connected services, background tabs, and hidden browser activity to steal data covertly.
- Security teams should govern extensions, connector scope, and interaction telemetry as one control plane for GenAI access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Browser-mediated prompt injection maps to agentic app abuse and tool misuse. | |
| NIST AI RMF | GOVERN | Governance and accountability are central when browser extensions can steer LLM actions. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | The attack relies on accessing and stealing data through trusted browser interactions. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and permission review are directly relevant to extension and connector scope. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the clearest control family for limiting what browser-mediated LLM sessions can reach. |
Map browser prompt injection scenarios to credential access and exfiltration tactics in detection planning.
Key terms
- Prompt Injection (Agentic): An attack where malicious instructions are embedded in content that an AI agent reads — causing the agent to execute unintended actions using its own legitimate credentials. A primary vector for agent goal hijacking and identity abuse.
- Browser Extension Runtime Trust: The level of confidence an organisation places in a browser extension after it has been installed and is operating inside a user session. For security teams, this trust must be based on observed behaviour over time, not just marketplace approval or permissions at the point of install.
- LLM Connector: An LLM connector is the integration that lets a model reach external services such as email, documents, chat, or identity-linked data sources. Connectors expand utility, but they also expand the blast radius of prompt injection because the model can be induced to retrieve or expose information from connected systems.
What's in the full analysis
Swarmnetics's full article covers the operational detail this post intentionally leaves for the source:
- Proof-of-concept attack flow showing how a malicious extension injects commands into ChatGPT and Google Gemini sessions.
- Specific examples of how browser history and chat cleanup can hide the evidence trail after exfiltration.
- Discussion of DOM permission abuse and why existing browser trust models fail to flag the behaviour.
- Practical monitoring ideas for teams that need to validate browser-to-LLM interactions in their own environment.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and agentic AI identity. It helps practitioners connect identity controls to the broader access patterns that shape modern enterprise systems.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org