{"id":212956,"date":"2026-02-12T17:59:00","date_gmt":"2026-02-12T22:59:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/12\/30-chrome-extensions-disguised-as-ai-chatbots-steal-secrets-the-register\/"},"modified":"2026-02-13T05:05:09","modified_gmt":"2026-02-13T10:05:09","slug":"30-chrome-extensions-disguised-as-ai-chatbots-steal-secrets-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/12\/30-chrome-extensions-disguised-as-ai-chatbots-steal-secrets-the-register\/","title":{"rendered":"30+ Chrome extensions disguised as AI chatbots steal secrets \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/12\/30_chrome_extensions_ai\/\">30+ Chrome extensions disguised as AI chatbots steal secrets \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/12\/30_chrome_extensions_ai\/\">https:\/\/www.theregister.com\/2026\/02\/12\/30_chrome_extensions_ai\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-12 17:59:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p>More than 30 malicious Chrome extensions installed by at least 260,000 users purport to be helpful AI assistants, but they steal users&#8217; API keys, email messages, and other personal data. Even worse: many of these are still available on the Chrome Web Store as of this writing.<\/p>\n<p>Some of these extensions impersonate specific chatbots such as Claude, ChatGPT, Gemini, and Grok, while others claim to be more generic AI assistant tools to help users summarize documents, write messages, and provide Gmail assistance.<\/p>\n<p>Despite different names and extension IDs, they all use the same underlying codebase and permissions, and all 32 extensions communicate with infrastructure under the tapnetic[.]pro domain, according to LayerX Security, which uncovered the campaign and named it AiFrame.<\/p>\n<p>Some of them were published under new IDs after earlier versions were removed. For example, AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe), which had 50,000 users at the time of LayerX Security\u2019s report, appeared after the earlier Gemini AI Sidebar (fppbiomdkfbhgjjdmojlogeceejinadg), which had 80,000 users, was removed from the Chrome Web Store. The Register found that the re-uploaded extension (gghdfkafnhfpaooiolhncejnlgglhkhe) is now listed with 70,000 users as of publication.<\/p>\n<p>Google did not immediately respond to The Register&#8217;s inquiries about the malicious extensions.<\/p>\n<p>All 32 extension IDs are listed in LayerX&#8217;s report, so be sure to check it out before adding any AI assistant extension to your browser.<\/p>\n<p>Another extension that is still available at the time of this writing is called\u00a0AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) and has 60,000 users. This one, which garnered the &#8220;Featured&#8221; badge on the Chrome Web Store, points users to a remote domain (claude.tapnetic.pro).<\/p>\n<p>It has an iframe overlay that visually appears as the extension&#8217;s&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/12\/30_chrome_extensions_ai\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>30+ Chrome extensions disguised as AI chatbots steal secrets \u2022 The Register https:\/\/www.theregister.com\/2026\/02\/12\/30_chrome_extensions_ai\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212957,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2021\/01\/19\/shutterstock_chrome_iphone.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26],"class_list":["post-212956","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212956"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212956"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212956\/revisions"}],"predecessor-version":[{"id":212958,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212956\/revisions\/212958"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212957"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}