TL;DR: Sixteen Chrome extensions marketed as ChatGPT productivity tools intercepted session authentication tokens and sent them to a third-party backend, enabling account-level access to chats, metadata, and connected data sources, according to LayerX Security. The case shows that browser extensions can bypass traditional app security boundaries and turn everyday productivity tooling into identity compromise.
NHIMG editorial — based on content published by LayerX Security: How We Discovered a Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts
By the numbers:
- The campaign consists of at least 16 distinct extensions developed by the same threat actor.
- Currently, approximately 900 downloads are associated with this campaign.
- Of the 16 identified extensions in this campaign, 15 were distributed through the Chrome Web Store, while one extension was published via the Microsoft Edge Add-ons marketplace.
Questions worth separating out
Q: How should security teams handle browser extensions that access authenticated AI services?
A: Security teams should treat browser extensions that can read authenticated AI sessions as privileged software.
Q: Why do browser-based AI extensions create identity risk for enterprise users?
A: They create identity risk because they can sit inside the authenticated session and see the same bearer tokens the user relies on.
Q: What breaks when session tokens are exposed through browser extensions?
A: When session tokens are exposed, account possession becomes enough for impersonation.
Practitioner guidance
- Classify AI-integrated extensions as privileged software: put any extension that interacts with authenticated AI services into a high-risk software category and require explicit approval before installation on managed endpoints.
- Correlate browser telemetry with identity events: link extension activity to SaaS authentication logs, token issuance events, and unusual session reuse so token theft can be spotted as identity abuse rather than just suspicious network traffic.
- Block deceptive extension patterns at the browser layer: create detection for branding reuse, synchronized update behaviour, shared backend domains, and near-identical extension code across multiple listings.
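As an added illustration of the last two points (example code written for this editorial, not LayerX Security's tooling or research artefacts), the following Python sketch scores a constructed set of marketplace listings for three of the campaign signals named above: a shared backend domain, synchronized store updates, and near-identical code. All extension ids, names, domains and timestamps are made up; `tokens` stands in for whatever normalised code features a similarity pipeline would extract.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample listings (made-up ids, names, domains, times); "tokens" = extracted code features.
LISTINGS = [
    {"id": "ext-A", "name": "ChatGPT Helper Pro", "store": "chrome",
     "backend": "api.example-backend.test", "updated": "2025-01-10T09:00:00",
     "tokens": {"hook_fetch", "read_session", "post_backend", "set_badge"}},
    {"id": "ext-B", "name": "ChatGPT Helper Plus", "store": "chrome",
     "backend": "api.example-backend.test", "updated": "2025-01-10T09:12:00",
     "tokens": {"hook_fetch", "read_session", "post_backend", "dark_mode"}},
    {"id": "ext-C", "name": "ChatGPT Prompt Saver", "store": "edge",
     "backend": "api.example-backend.test", "updated": "2025-01-10T09:30:00",
     "tokens": {"hook_fetch", "read_session", "post_backend", "export_md"}},
    {"id": "ext-D", "name": "Tab Organizer", "store": "chrome",
     "backend": "sync.other-vendor.test", "updated": "2024-11-02T15:00:00",
     "tokens": {"group_tabs", "save_session", "set_badge"}},
]

def jaccard(a, b):
    """Overlap of two code-feature sets: 1.0 means identical, 0.0 disjoint."""
    return len(a & b) / len(a | b) if a | b else 0.0

def shared_backend(listings):
    """Backend domain -> ids reporting to it, kept only where 2+ listings share it."""
    by_domain = defaultdict(set)
    for ext in listings:
        by_domain[ext["backend"]].add(ext["id"])
    return {d: ids for d, ids in by_domain.items() if len(ids) > 1}

def synchronized_updates(listings, window=timedelta(hours=1)):
    """Pairs of ids whose store updates landed within `window` of each other."""
    ts = {e["id"]: datetime.fromisoformat(e["updated"]) for e in listings}
    return {(a["id"], b["id"]) for a, b in combinations(listings, 2)
            if abs(ts[a["id"]] - ts[b["id"]]) <= window}

def near_identical(listings, threshold=0.6):
    """Pairs of ids whose code-feature overlap reaches the threshold."""
    return {(a["id"], b["id"]) for a, b in combinations(listings, 2)
            if jaccard(a["tokens"], b["tokens"]) >= threshold}

def campaign_candidates(listings, min_signals=2):
    """Ids carrying at least `min_signals` independent signals of a shared operator."""
    signal_sets = [set().union(*shared_backend(listings).values()),
                   {i for pair in synchronized_updates(listings) for i in pair},
                   {i for pair in near_identical(listings) for i in pair}]
    counts = Counter(i for s in signal_sets for i in s)
    return sorted(i for i, n in counts.items() if n >= min_signals)
```

Requiring two or more independent signals keeps a single coincidence (one shared CDN domain, one same-day update) from flagging an unrelated extension, which is why `ext-D` drops out while the three listings that agree on all three signals are returned.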
What's in the full article
LayerX Security's full research covers the operational detail this post intentionally leaves for the source:
- Per-extension indicators of compromise, including 16 extension IDs and names for hunting across managed environments.
- Code-level evidence showing how the extensions hook fetch and extract session tokens from the page runtime.
- Campaign infrastructure details, including shared backend domains, upload timing, and reused code patterns.
- Detection guidance for browser extension intelligence and similarity analysis across marketplaces.
Read LayerX Security's analysis of the ChatGPT extension token theft campaign.
Explore further
Browser extensions have become identity intermediaries, not just productivity tools. When an extension can read authenticated traffic inside the page runtime, it can capture the same session artefacts a user session depends on for trust. That collapses the distinction between interface tooling and credential-bearing software. Practitioners should treat AI-integrated extensions as privileged access paths, not optional browser decoration.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That same study found only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why browser-extension identity risk often hides in plain sight.
A question worth separating out:
Q: How can organisations reduce the risk from malicious AI browser extensions?
A: Organisations should combine extension allowlisting, browser telemetry, and SaaS session monitoring so risky add-ons are detected before they become routine access paths. They should also remove extensions that require deep access to authenticated pages unless the business need is explicit and the runtime behaviour is verified.
Read our full editorial: ChatGPT token theft via browser extensions expands identity risk.