Urgent Security Alert: Uninstall These 30 "AI" Extensions Now
A new spyware campaign involving 30 malicious Google Chrome extensions has compromised over 300,000 users by posing as popular AI tools like ChatGPT and Gemini. These extensions, collectively dubbed the “AiFrame” campaign, are actively stealing sensitive data, including Gmail emails, drafts, and voice recordings.
If you have installed extensions named “AI Sidebar,” “AI Assistant,” “ChatGPT Translate,” or others listed below, you must remove them immediately. The attackers use these tools to bypass browser security and exfiltrate your data to a remote server. After uninstallation, it is critical to reset your passwords, particularly for Google accounts.
The “AiFrame” Attack: How It Works
Researchers at the browser security firm LayerX discovered this campaign and identified that all the extensions communicate with a single command-and-control domain: tapnetic[.]pro.
Unlike legitimate extensions that process data locally or via official APIs, the AiFrame extensions use a deceptive technique. They open a full-screen “iframe” (a webpage within a webpage) to load content from the attacker’s server. This allows the developers to change the extension’s behavior at any time without submitting a new update for Google’s review.
“The malicious browser add-ons do not implement AI functionality locally; instead, they deliver the promised feature by rendering a full-screen iframe to load content from a remote domain.” (LayerX Research Team)
Stealing Your Gmail Data
The most dangerous capability of these extensions is their ability to read your emails. They utilize a specific script that runs solely on mail.google.com. By leveraging Mozilla’s open-source Readability library, the extensions strip away the clutter of the Gmail interface and extract the pure text of your email threads.
This data, including your private conversations and unfinished drafts, is then transmitted to the attackers.
List of Malicious Extensions
The following table lists the most widely installed extensions from this campaign. Check your browser for these names or IDs.
| Extension Name | Extension ID | Impacted Users |
| --- | --- | --- |
| Gemini AI Sidebar | fppbiomdkfbhgjjdmojlogeceejinadg | ~80,000 |
| AI Sidebar | gghdfkafnhfpaooiolhncejnlgglhkhe | ~70,000 |
| AI Assistant | nlhpidbjmmffhoogcennoiopekbiglbp | ~60,000 |
| ChatGPT Translate | acaeafediijmccnjlokgcdiojiljfpbe | ~30,000 |
| AI GPT | kblengdlefjpjkekanpoidgoghdngdgl | ~20,000 |
| ChatGPT | llojfncgbabajmdglnkbhmiebiinohek | ~20,000 |
| Google Gemini | fdlagfnfaheppaigholhoojabfaapnhb | ~10,000 |
Voice Recording and Evasion
In addition to text theft, the extensions abuse the Web Speech API to record audio. While this feature is advertised as “voice-to-text” for AI prompts, the audio data is sent directly to the attackers.
This campaign is particularly difficult to detect because the extensions mimic legitimate AI functionality. Users believe they are getting a helpful sidebar for their workflow, while the malware operates silently in the background.
Frequently Asked Questions
Open Chrome and type chrome://extensions in your address bar. Locate any extension matching the names or IDs above, click Remove, and confirm the uninstallation.
It is highly likely that your session cookies and some email data have been compromised. You should log out of all active web sessions and change your Google password immediately. Enable 2-Factor Authentication (2FA) if you have not done so already.
While Google removes malicious extensions once detected, attackers often re-upload them with slightly different names or IDs. Always verify the publisher’s email address before installing; for this campaign, the email [email protected] is a known indicator of compromise.
The Extension ID is a 32-character string found in the URL of the extension’s Chrome Web Store page. You can also see it in your browser’s extension manager by enabling “Developer mode.”
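To check a machine without clicking through every profile, the sketch below scans a Chrome user-data directory for the IDs in the table above and also flags any extension whose content script is scoped only to mail.google.com, the behaviour this article describes. It is an added example, not code from LayerX or from the extensions; the on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`, the function name `scan_user_data` and the script name are assumptions.

```python
import json
import sys
from pathlib import Path

# Extension IDs copied from the table in this article.
AIFRAME_IDS = {
    "fppbiomdkfbhgjjdmojlogeceejinadg",  # Gemini AI Sidebar
    "gghdfkafnhfpaooiolhncejnlgglhkhe",  # AI Sidebar
    "nlhpidbjmmffhoogcennoiopekbiglbp",  # AI Assistant
    "acaeafediijmccnjlokgcdiojiljfpbe",  # ChatGPT Translate
    "kblengdlefjpjkekanpoidgoghdngdgl",  # AI GPT
    "llojfncgbabajmdglnkbhmiebiinohek",  # ChatGPT
    "fdlagfnfaheppaigholhoojabfaapnhb",  # Google Gemini
}
GMAIL_HOST = "mail.google.com"


def scan_user_data(user_data_dir):
    """Return sorted (profile, extension_id, reason) tuples for one Chrome user-data dir."""
    findings = set()
    # Assumed layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parents[1].name
        profile = manifest.parents[3].name
        if ext_id in AIFRAME_IDS:
            findings.add((profile, ext_id, "listed AiFrame extension ID"))
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: the ID check above still applied
        scripts = data.get("content_scripts", []) if isinstance(data, dict) else []
        for script in scripts:
            matches = script.get("matches", []) if isinstance(script, dict) else []
            # Heuristic for re-uploads under new IDs: a content script scoped only to Gmail.
            if matches and all(GMAIL_HOST in str(m) for m in matches):
                findings.add((profile, ext_id, "review: content script runs only on Gmail"))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan_aiframe.py <Chrome user data directory>")
    hits = scan_user_data(sys.argv[1])
    for profile, ext_id, reason in hits:
        print(f"{profile}\t{ext_id}\t{reason}")
    sys.exit(1 if hits else 0)
```

A "review" finding is not proof of compromise, since legitimate Gmail add-ons also declare Gmail-only content scripts; a listed-ID finding should be treated as the removal and password-reset case described above.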