Chrome AI assistant extensions: are your browser controls keeping up?

TL;DR: 30 Chrome extensions masquerading as AI assistants affected more than 260,000 users, used remote iframes and shared backend infrastructure, and could extract page content and Gmail data outside the browser security boundary, according to LayerX Security. The core issue is not the branding, but the runtime trust model that lets mutable remote code change extension behaviour after install.

NHIMG editorial — based on content published by LayerX Security: AiFrame fake AI assistant extensions targeting Chrome users via injected iframes

By the numbers:

• Across 30 different Chrome extensions, published under different names and extension IDs, the same underlying codebase, permissions, and backend infrastructure were observed.

Questions worth separating out

Q: How should security teams govern Chrome extensions that can read sensitive web content?

A: Security teams should treat extensions as privileged software components, not convenience add-ons.

Q: Why do remote-controlled browser extensions create a bigger risk than local-only tools?

A: Remote-controlled extensions expand risk because the operator can change the interface and logic after installation without a new store review.

Q: What do teams get wrong about AI-branded browser extensions?

A: Teams often assume an AI-branded extension is a productivity feature rather than a data-access mechanism.

Practitioner guidance

• Audit browser extensions against managed policy, not user preference. Inventory all installed extensions in managed environments, identify those installed outside approved policy, and remove any extension that can read page content on mail, collaboration, or internal application domains.
• Block remote iframe-backed extension UIs on sensitive workflows. Flag or deny extensions that render a server-controlled iframe as the primary interface, especially when the iframe can change behavior without a new store release or code review.
• Correlate extension lineage across IDs and domains. Treat shared JavaScript logic, shared permissions, and shared backend domains as one risk object, even when the extensions carry different names or appear to be separate products.

What's in the full article

LayerX Security's full blog post covers the operational detail this post intentionally leaves for the source:

• Full extension ID list with install counts for the identified campaign cluster
• IOC set for tapnetic.pro and the related extension package names
• Technical walkthrough of the remote iframe architecture and Gmail-specific content script flow
• Evidence on re-upload behaviour after Chrome Web Store removal

👉 Read LayerX Security's analysis of fake AI assistant extensions and Chrome data exposure →

Chrome AI assistant extensions: are your browser controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →