Fake AI Chrome extensions with 300K users steal credentials, emails

Researchers at LayerX discovered AiFrame, a campaign of 30 malicious Chrome extensions installed by over 300,000 users that impersonate AI assistants to steal credentials, email content, and browsing data. Many extensions load remote iframes from infrastructure tied to tapnetic[.]pro, target Gmail to extract messages (including drafts), and can capture voice transcripts, so affected users should remove suspicious extensions and reset passwords.

Key points

  • LayerX identified the AiFrame campaign comprising 30 malicious Chrome extensions with more than 300,000 combined installs.
  • All analyzed extensions share the same code, permissions, and backend infrastructure under tapnetic[.]pro.
  • The extensions render remote full-screen iframes to deliver “AI” features, allowing operators to change behavior without updates.
  • A subset of 15 extensions inject scripts into mail.google.com to read visible email content and drafts and exfiltrate the text.
  • Extensions can use the Web Speech API to capture voice transcripts; users should remove malicious extensions and reset affected account passwords.
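
A defender-side check for the Gmail injection behaviour listed above, as an added example that is not from LayerX or the original article: it flags extension manifests whose content scripts or host permissions cover mail.google.com. The manifest keys are Chrome's standard ones, the sample manifests are constructed, and a hit only shows that an extension can reach Gmail pages, not that it is malicious.

```python
import json
from pathlib import Path

TARGET_HOST = "mail.google.com"

def pattern_covers_host(pattern, host=TARGET_HOST):
    """True if a Chrome match pattern can match https pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False  # plain permission names such as "storage" land here
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest):
    """List the manifest entries that give an extension access to Gmail pages."""
    findings = []
    for i, script in enumerate(manifest.get("content_scripts", [])):
        hits = [p for p in script.get("matches", []) if pattern_covers_host(p)]
        if hits:
            findings.append(f"content_scripts[{i}] matches {hits}")
    # Manifest V3 lists hosts in host_permissions, Manifest V2 in permissions.
    declared = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    hits = [p for p in declared if isinstance(p, str) and pattern_covers_host(p)]
    if hits:
        findings.append(f"host access {hits}")
    return findings

def audit_extensions_dir(root):
    """Scan <root>/<extension id>/<version>/manifest.json; return flagged ones."""
    flagged = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if findings:
            flagged[str(path)] = findings
    return flagged

# Constructed sample manifests (not taken from the AiFrame extensions).
SAMPLE_SUSPECT = {"manifest_version": 3, "permissions": ["storage"],
                  "host_permissions": ["<all_urls>"],
                  "content_scripts": [{"matches": ["*://mail.google.com/*"]}]}
SAMPLE_BENIGN = {"manifest_version": 3, "permissions": ["storage"],
                 "content_scripts": [{"matches": ["https://example.com/*"]}]}
```

Because the campaign's "AI" features are served from remote iframes, a manifest review like this only narrows the list of extensions worth inspecting by hand.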

Read More: https://www.bleepingcomputer.com/news/security/fake-ai-chrome-extensions-with-300k-users-steal-credentials-emails/