Fake AI Extensions Steal Personal Data For Years

More than 30 Chrome extensions posing as AI tools have been removed after researchers found they were stealing users’ API keys, email data, browsing information, and session tokens, according to reports from The Register and Fox News.
What do these extensions do?
Several of the extensions impersonated popular AI chatbots and productivity tools. They were marketed as helpers that could summarize pages or provide chatbot-style responses inside the browser. Instead, they injected malicious scripts that captured sensitive data from both consumer and enterprise users once installed.
Security analysts found that some extensions logged keystrokes, scraped authenticated web pages, and extracted login information. Others harvested credentials for third-party services, including API keys used by developers and companies.
The Phantom Shuttle Case
Researchers also highlighted a related incident known as the Phantom Shuttle case, which involved two extensions. According to Bleeping Computer and security researchers, both had been active since at least 2017. They were published under the same developer identity and marketed to foreign trade workers who needed to test internet connectivity from different regions. The extensions were subscription-based, with prices ranging from $1.40 to $13.60, and their descriptions initially appeared legitimate.
The investigation showed that Phantom Shuttle rerouted all user traffic through attacker-controlled proxy servers using hardcoded credentials hidden inside what looked like a normal jQuery library. The attackers also used a custom encoding scheme to conceal those credentials. After installation, the extensions intercepted HTTP authentication challenges across any visited site and dynamically reconfigured Chrome’s proxy settings to ensure all requests were forced through their infrastructure.
In its default “smarty” mode, Phantom Shuttle targeted traffic from more than 170 domains, including major developer platforms, cloud dashboards, social networks, and adult sites, while intentionally excluding local networks and its own command-and-control server. Acting as a man-in-the-middle, the extensions were able to collect credentials, payment details, personal information, session cookies, and API tokens directly from user traffic. After confirmation of the malicious activity, Google removed both Phantom Shuttle extensions from the Chrome Web Store.
Problematic Extensions List:
Here is the list of all the add-ons with this problem:
- AI Assistant
- Llama
- Gemini AI Sidebar
- AI Sidebar
- ChatGPT Sidebar
- Grok
- Asking ChatGPT
- ChatGBT
- Chat Bot GPT
- Grok Chatbot
- Chat With Gemini
- XAI
- Google Gemini
- Ask Gemini
- AI Letter Generator
- AI Message Generator
- AI Translator
- AI For Translation
- AI Cover Letter Generator
- AI Image Generator ChatGPT
- Ai Wallpaper Generator
- Ai Picture Generator
- DeepSeek Download
- AI Email Writer
- Email Generator AI
- DeepSeek Chat
- ChatGPT Picture Generator
- ChatGPT Translate
- AI GPT
- ChatGPT Translation
- ChatGPT for Gmail
The scale of exposure is notable. Certain extensions accumulated more than 300,000 downloads before being identified and removed from the Chrome Web Store. Investigators say the tools used familiar AI-themed branding, which helped them spread quickly during a period of rapid adoption of browser-based AI assistants.
Google has removed the malicious extensions and urged users to check their installed add-ons for any unfamiliar tools. Users who installed the affected extensions are advised to revoke API keys, reset passwords, and review account activity for unauthorized access.
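To check installed add-ons for the capability set Phantom Shuttle relied on (proxy control plus HTTP authentication hooks on any site), each extension's manifest.json can be read from the Chrome profile. The script below is an added example, not code from the researchers or Google, and it flags requested capability rather than proven malice. It assumes Chrome's standard permission names and the <profile>/Extensions/<id>/<version>/ layout; the finding labels, function names and sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Chrome permission names; the combination mirrors the behaviour described above.
AUTH_HOOKS = {"webRequestAuthProvider", "webRequestBlocking"}  # MV3 / MV2
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess_manifest(manifest: dict) -> list[str]:
    """Return the risky capabilities an extension manifest requests."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = perms | {h for h in manifest.get("host_permissions", []) if isinstance(h, str)}
    findings = []
    if "proxy" in perms:
        findings.append("proxy-control")        # may change Chrome's proxy settings
    if "webRequest" in perms and perms & AUTH_HOOKS:
        findings.append("auth-challenge-hook")  # may answer HTTP auth challenges
    if hosts & BROAD_HOSTS:
        findings.append("all-sites")            # applies to any visited site
    return findings

def is_proxy_mitm_capable(manifest: dict) -> bool:
    """True when all three capabilities are requested together."""
    return len(assess_manifest(manifest)) == 3

def scan_extensions(extensions_dir: Path) -> dict[str, list[str]]:
    """Map extension ID -> findings, reading <id>/<version>/manifest.json."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict) and (findings := assess_manifest(manifest)):
            report[path.parent.parent.name] = findings
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_PROXY_TOOL = {"manifest_version": 3, "name": "Sample Network Tester",
                     "permissions": ["proxy", "storage", "webRequest",
                                     "webRequestAuthProvider"],
                     "host_permissions": ["<all_urls>"]}
SAMPLE_SUMMARIZER = {"manifest_version": 3, "name": "Sample Page Summarizer",
                     "permissions": ["activeTab", "storage"]}

if __name__ == "__main__":
    for sample in (SAMPLE_PROXY_TOOL, SAMPLE_SUMMARIZER):
        print(sample["name"], assess_manifest(sample), is_proxy_mitm_capable(sample))
```

Point scan_extensions at the Extensions folder of a Chrome profile and review any ID reported with all three findings against what the add-on claims to do.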
