That AI Extension Helping You Write Emails? It’s Reading Them First

2026-04-30 · Source: Unit 42 · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Advanced, extended

Summary

Palo Alto Networks identified 18 deceptive AI browser extensions masquerading as productivity tools, which instead function as Remote Access Trojans (RATs), meddler-in-the-middle (MitM) attackers, or infostealers. These extensions surveil emails, intercept ChatGPT prompts, and exfiltrate passwords, targeting sensitive user data and browser sessions. Attackers employ techniques like API interception, DOM observation, traffic proxying, and HTTPS response decryption, with some malware even featuring AI-generated code to accelerate production. Google removed or issued warnings for the reported high-risk extensions. The research highlights a deliberate shift in browser-based attacks, exploiting user trust in GenAI tools to gain access to valuable proprietary code, communications, and credentials.

Key takeaway

For IT Professionals managing enterprise security, you must recognize browser extensions as a critical attack surface, especially with the rise of GenAI. Scrutinize all extension permissions, as broad access can enable interception of sensitive AI prompts, credentials, and proprietary session data. Implement policies to vet extensions as rigorously as any third-party software, focusing on behavioral analysis of runtime activity and cross-file information flows to prevent data exfiltration and remote control.

Key insights

Malicious AI browser extensions exploit user trust to exfiltrate sensitive data and gain remote control, often utilizing AI-generated code.

Principles

• Browser extensions operate within the browser's trusted process with user-granted permissions.
• GenAI amplifies data exfiltration risk due to sensitive prompt content.
• Threat actors use LLMs to accelerate malware production.

Method

Attackers blend API interception, DOM observation, traffic proxying, and HTTPS response decryption with AI productivity lures, using techniques like WebSocket C2 and cross-storage persistence.

In practice

• Scrutinize extension permissions for broad browser data access.
• Source extensions exclusively from trusted providers.
• Treat browser extensions as vetted third-party software.

Topics

• AI Browser Extensions
• Malware
• Generative AI Security
• Data Exfiltration
• Remote Access Trojans
• Browser Security

Code references

• PaloAltoNetworks/Unit42-timely-threat-intel

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, IT Professional

Related on AIssential

• Rank 1 LLM Attack: Now Uses Your AI Email Assistant (My Story) — AI email assistants can be exploited via hidden content to summarize malicious text, inverting trust.
• Article: Stateful Continuation for AI Agents: Why Transport Layers Now Matter — Security checks often require specific browser configurations and human interaction to prevent bot access.
• OpenAI limits access to new cybersecurity AI model - Latest news from Azerbaijan — Leading AI firms are limiting access to powerful cybersecurity models due to dual-use concerns.
• Partnering with Mozilla to improve Firefox’s security — AI models like Claude Opus 4.6 can autonomously find and help fix high-severity software vulnerabilities at accelerated speeds.
• State of AI Cybersecurity 2026: 92% of Security Professionals Concerned About the Impact of AI Agents — Rapid AI adoption expands enterprise attack surfaces, demanding new security paradigms for agents and prompt interactions.
• Are your AI Chrome extensions spying on you? What to watch for — Many AI-powered browser extensions collect significant user data, including PII, posing substantial privacy risks.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Unit 42.