“We found 18 AI browser extensions marketed as productivity tools that are not as they seem.” That concise finding, published by Palo Alto Networks Unit 42, is the backbone of a broader alert: extensions posing as generative-AI helpers have been used to deliver remote access Trojans (RATs), infostealers, meddler‑in‑the‑middle tools and spyware that directly target prompts, sessions and credentials.
Scope and recurring techniques observed
Unit 42 reported 18 high‑risk Chrome extensions to Google; Google either removed the extensions or warned their owners to remediate policy violations. The researchers cataloged a repeatable playbook: API interception, passive Document Object Model (DOM) observation, traffic proxying and HTTPS response decryption. Multiple samples contained AI‑generated code fingerprints, indicating threat actors used large language models to accelerate malware production. Unit 42 placed detections into six malware categories derived from manual code and network analysis.
Two stark examples: a RAT disguised as “AI browser automation” and an email exfiltrator
One case study, Chrome MCP Server - AI Browser Control (Extension ID: fpeabamapgecnidibdmjoepaiehokgda; SHA256: 0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5), behaves as a RAT. The extension’s store listing claims “100% local processing - your data never leaves your browser” and “No external servers required for core functionality.” In reality, the code hardcodes a WebSocket to wss[:]//mcp-browser.qubecare[.]ai/chrome and accepts more than 30 remote commands, including executing arbitrary JavaScript via new Function(), attaching the Chrome Debugger Protocol to intercept HTTPS traffic, capturing screenshots and filling forms. When a user clicks Connect, the extension establishes a persistent C2 channel that reestablishes across browser restarts.
Supersonic AI (Extension ID: eebihieclccoidddmjcencomodomdoei; SHA256: ac0a312398b3bf6b3d7c5169687ca72f361838bc5a90f2c0dbce2dc8e2094a02) markets itself as an AI email assistant for Gmail and Outlook. Instead of limiting access to local processing, a content script collects comprehensive email data and transmits it to an external server in plaintext. Unit 42’s sandbox captured a one‑time password (OTP) being exfiltrated as part of the extension’s behavior.
Infostealers, search hijackers and spyware — targeting API keys, search history and all traffic
Other detailed cases illustrate different objectives. Reverse Recruiting - AI Job Application Assistant (Extension ID: iefpkdilnfhogjbkhgnliaomoldgkdlj; SHA256: 604c7aef72892b56ac23ad54744376574239c8f0651e95dd5b6cf540eb70f7c3) reads OpenAI, Gemini and Claude API keys from chrome.storage.sync and forwards them to the developer backend via custom HTTP headers; it also transmits profile data to api.reverserecruiting[.]io/v1/profile/sync.
Chat AI for Chrome (Extension ID: jhhjbaicgmecddbaobeobkikgmfffaeg; SHA256: dfe307d957724ebe32331f92d53e366b7fa85968a9564c2285c5a0142ac9e1bb) operates as a persistent search hijacker: it generates a unique identifier on installation, stores it in chrome.cookies, window.localStorage and chrome.storage.sync, and recreates tracking cookies when deleted. The extension silently replaces the default search engine so searches are routed through chatgptforchrome[.]com and correlated with the persistent ID, producing a cross‑device history that survives cookie clearing.
A Chinese‑language extension from Huiyi (Extension ID: dgeiaiglmhdhajbpfbmajaajdlfdinpi; SHA256: c9754454efede2dec2fcb856faa40424b8df378706b664a5ae4847fcd0336b53) that provides translation also requests excessive permissions: it registers chrome.webRequest.onCompleted listeners across all sites and downloads a proxy auto‑configuration (PAC) script from hxxps[:]//yiban[.]io/extension/proxy.pac?t=huiyi, applying it via chrome.proxy.settings.set(). Because PAC scripts selectively route traffic through proxies, the publisher can direct subsets of user traffic through attacker infrastructure without updating the extension.
How attackers convert permissions into persistent access
Unit 42 details how browser extension privileges make these attacks possible. Extensions granted broad scopes can read and modify web content, intercept network requests, access cookies and communicate with external servers — the same capabilities used by legitimate tools. Deceptive extensions exploit these privileges to override network APIs, monitor DOM changes in targets like Gmail or Notion, configure browser proxy settings and attach the Chrome Debugger Protocol to read decrypted HTTPS responses. Because chrome.storage.sync can replicate identifiers across devices signed into the same account, some persistence and cross‑device tracking survives local remediation steps.
What this means for Palo Alto Networks customers, organizations, and individual users
- Palo Alto Networks customers: Unit 42 says protections are available through Advanced URL Filtering and Advanced DNS Security, Prisma Browser (extension monitoring and control), Prisma AIRS (real‑time AI protections), and updated Advanced WildFire models. Customers with urgent incidents are directed to contact Unit 42 Incident Response.
- Organizations and procurement leaders: Unit 42 recommends treating browser extensions as third‑party software — vetting them with the same rigor as other apps, enforcing least privilege and scrutinizing requested permissions to avoid authorizing interception of credentials and session data.
- Individual users: Unit 42 advises sourcing extensions only from trusted providers and scrutinizing permissions. For persistent tracking or hijacking, the report notes that full uninstallation — not merely cookie clearing — is required to remove some threats.
Unit 42’s report documents a strategic shift: adversaries are packaging traditional browser‑attack techniques inside GenAI productivity lures and using LLMs to scale development. The specific examples — hardcoded C2 WebSockets, plaintext email exfiltration, API key theft and PAC‑driven proxying — show how extensions can convert convenience into a high‑value espionage channel. Read the full Unit 42 analysis here: https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/




