
A recent campaign involving over 100 malicious Google Chrome extensions has been discovered impersonating legitimate tools such as VPNs, AI assistants, and cryptocurrency utilities. These extensions, which have affected more than 2.6 million users, are designed to steal sensitive data, including browser cookies and session tokens, while executing remote scripts in the background [1]. The campaign highlights ongoing risks associated with browser extensions, particularly those masquerading as trusted applications.
Overview of the Threat
The malicious extensions mimic well-known services, including Fortinet, YouTube, ChatGPT for Google Meet, and VPNCity. Once installed, they inject scripts such as worker.js and content.js to exfiltrate sensitive user data [1]. The stolen information can be used for session hijacking, credential theft, and further exploitation. This campaign follows a broader trend of attackers abusing browser extensions to bypass traditional security measures.
Security researchers have linked these extensions to phishing tactics where developers are targeted via fake “policy violation” emails, leading to OAuth token theft [5]. The attackers then push malicious updates to previously legitimate extensions, making detection more difficult for end users and security teams.
Technical Analysis
The extensions operate by leveraging Chrome’s permission system to access browsing data and cookies, and even to execute arbitrary scripts. Some of the identified extensions include:
- Bard AI Chat – Masquerades as an AI assistant while stealing session tokens.
- VPNCity – Claims to provide VPN services but logs and exfiltrates browsing activity.
- ChatGPT for Google Meet – A fake AI tool that injects malicious scripts.
According to a Georgia Tech study, over 3,000 browser extensions auto-collect user data without disclosure, with 200+ confirmed to exfiltrate data to third-party servers [3]. The study used the Arcanum framework to analyze 100,000 extensions, revealing widespread privacy violations.
Mitigation and Best Practices
To mitigate risks from malicious extensions, users and administrators should take the following steps:
- Audit Installed Extensions: Navigate to chrome://extensions and remove any unnecessary or suspicious add-ons.
- Change Compromised Credentials: If an extension is suspected of stealing cookies, reset passwords and enable multi-factor authentication (MFA).
- Use Open-Source Browsers: Alternatives like Brave or LibreWolf may reduce exposure to malicious extensions.
- Monitor Extension Permissions: Avoid extensions requesting excessive permissions such as “Read and change all your data on websites.”
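The audit and permission-review steps above can be partly automated by reading each installed extension's manifest.json and flagging the capabilities this campaign relied on (cookie access, script injection, and "all sites" host access). The following is an added example, not code from the article or from any of the named vendors; the two sample manifests are constructed for illustration, and the profile path in the docstring is the Linux default.

```python
import json
from pathlib import Path
# Capabilities that let an extension reach cookies/session tokens or inject
# script into arbitrary sites; these are what the campaign above relied on.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "scripting", "debugger", "declarativeNetRequest"}
# Host patterns Chrome summarises as "Read and change all your data on websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest: dict) -> dict:
    """Return risk findings for one parsed manifest.json (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if perms & HIGH_RISK_PERMISSIONS:
        findings.append("high-risk permissions: " + ", ".join(sorted(perms & HIGH_RISK_PERMISSIONS)))
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    # A content script matched on every site can read page DOM and session state.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script on all sites: " + ", ".join(cs.get("js", [])))
    bg = manifest.get("background", {})
    worker = bg.get("service_worker") or ", ".join(bg.get("scripts", []))
    if worker and "cookies" in perms:
        findings.append("background script with cookie access: " + worker)
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"), "findings": findings}

def scan_extensions_dir(root: Path) -> list:
    """Walk a profile's Extensions/<id>/<version>/manifest.json tree
    (Linux default: ~/.config/google-chrome/Default/Extensions)."""
    reports = []
    for mf in sorted(root.glob("*/*/manifest.json")):
        with mf.open(encoding="utf-8") as fh:
            report = assess_manifest(json.load(fh))
        report["id"] = mf.parent.parent.name  # the 32-character extension id
        reports.append(report)
    return reports

# Constructed sample manifests (not real extensions): one mirroring the pattern above, one benign.
SUSPICIOUS_MANIFEST = {
    "name": "Free VPN Helper", "version": "1.2", "manifest_version": 3,
    "permissions": ["cookies", "scripting", "storage"], "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "worker.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
BENIGN_MANIFEST = {"name": "Tab Counter", "version": "0.3", "manifest_version": 3,
                   "permissions": ["storage", "activeTab"]}
```

Run scan_extensions_dir against a profile's Extensions folder to triage every installed add-on; an empty findings list does not prove an extension is safe, only that it lacks these specific capabilities.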
While VPNs with no-logs policies (e.g., hide.me) can enhance privacy, they cannot block extension-level malware [4]. Organizations should enforce strict extension policies and conduct regular audits.
Relevance to Security Professionals
For security teams, this campaign underscores the need for:
- Endpoint Monitoring: Detecting unusual browser activity, such as unexpected cookie access.
- User Awareness Training: Educating employees on the risks of third-party extensions.
- Threat Hunting: Proactively searching for indicators of compromise (IOCs) related to known malicious extensions.
Additionally, incident responders should review browser logs for signs of data exfiltration, particularly from extensions with high permissions.
Conclusion
The discovery of these malicious Chrome extensions highlights the persistent threat posed by seemingly legitimate browser add-ons. Attackers continue to exploit trust in popular tools, making it essential for users and organizations to remain vigilant. Regular audits, strict permission controls, and user education are critical in mitigating these risks.
For a full list of affected extensions, refer to the detailed report on Ars Technica [5].
References
- [1] “Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs,” BleepingComputer, May 21, 2025.
- [2] “Fortinet VPN Zero-Day Exploit,” YouTube, Nov. 19, 2024.
- [3] “Study Finds Thousands of Browser Extensions Compromise User Data,” Georgia Tech, Sept. 17, 2024.
- [4] “Chrome Extensions Hacked: What You Need to Know,” hide.me, 2025.
- [5] “Dozens of Backdoored Chrome Extensions Discovered on 2.6M Devices,” Ars Technica, Jan. 2025.