Chrome Extensions
-
108 malicious Chrome extensions linked to shared server, data theft
Researchers found 108 malicious Chrome extensions tied to one backend server, with the add-ons used to steal account data, exfiltrate Telegram sessions and inject ads or scripts into visited pages.
-
Researchers find flaw that could let websites inject prompts into Anthropic’s Claude Chrome extension
Researchers disclosed a flaw called ShadowPrompt in Anthropic’s Claude Chrome extension that combined an overly permissive origin allowlist and a DOM-based XSS in an Arkose Labs CAPTCHA, allowing websites to inject prompts; Anthropic and Arkose issued fixes in December 2025 and February 2026.
-
Two Chrome extensions weaponized after ownership transfers, affecting about 7,800 users
Two Chrome extensions were weaponized after ownership transfers, allowing remote JavaScript to bypass protections and harvest credentials. QuickLens affected about 7,000 users and ShotBird about 800 users. Users should remove unknown extensions and audit browsers.
-
30 fake AI Chrome extensions with 300,000 installs steal credentials and email content
Thirty malicious Chrome extensions with more than 300,000 installs posed as AI assistants to steal credentials, Gmail content, and voice transcripts, according to a technical analysis by LayerX. Users should remove suspicious extensions and reset passwords if compromised.
-
Researchers find Chrome extensions that hijack affiliate links and scrape data
Security researchers uncovered Chrome extensions that rewrite affiliate links and scrape product data. A Socket technical analysis links the behavior to a cluster of 29 add-ons that target major e-commerce sites and exfiltrate information.
-
New MaaS Stanley promises phishing extensions on Chrome Web Store
A technical analysis found the Stanley MaaS offers Chrome extensions that overlay phishing iframes and promises to pass Chrome Web Store review. The service includes auto-install, persistent C2 polling, geotargeting, and a paid Luxe plan.
-
Two Chrome extensions exfiltrated ChatGPT and DeepSeek conversations from 900,000 users
A technical analysis by OX Security found two malicious Chrome extensions that collected ChatGPT and DeepSeek conversations and tab URLs from about 900,000 users and sent the data to external servers on a regular schedule.
-
Two Chrome extensions intercepted traffic and exfiltrated credentials, researchers say
Researchers reported two Chrome extensions named Phantom Shuttle that posed as VPN/speed-test tools but injected hard-coded proxy credentials, routed traffic through attacker-controlled proxies and exfiltrated user credentials and other sensitive data to a command-and-control server.
-
Researchers: Popular Chrome VPN extension collected AI chatbot prompts and responses
Security researchers reported that the Chrome extension Urban VPN Proxy was observed collecting prompts and responses from multiple AI chatbots, sending captured conversation data to external servers; researchers linked the behavior to a July 9, 2025 update and raised concerns about downstream sharing with affiliated data firms.
-
Researchers find 131 Chrome extensions cloned to automate WhatsApp spam in Brazil
Researchers say 131 rebranded Chrome extensions, sharing a common codebase, were used to automate bulk WhatsApp Web messaging aimed at Brazilian users, a campaign that appears designed to evade platform anti-spam controls and contravene Chrome Web Store rules.








