[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwRFgjU9JVcoZwwjghQVdoldIGG4heXQ7q3UzwLabu9I":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"8ebe9cba-66c1-45c1-9560-e173ce4c7beb","That AI Extension Helping You Write Emails? It’s Reading Them First","that-ai-extension-helping-you-write-emails-it-s-reading-them-first-4b2ec5","Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your browser.","Palo Alto Networks' Unit 42 identified 18 deceptive AI browser extensions marketed as productivity tools that actually deliver remote access Trojans (RATs), infostealers, and man-in-the-middle attacks. These extensions exploit browser privileges to intercept sensitive data including email composition, ChatGPT prompts, passwords, and user sessions. Google has removed or warned owners of these extensions; users are advised to only install from trusted sources and review requested permissions carefully.","Unit 42 discovers 18 malicious AI browser extensions stealing emails, prompts, and passwords.","That AI Extension Helping You Write Emails? It’s Reading Them First By: Shresta Bellary Seetharam, Nabeel Mohamed, Billy Melicher, Oleksii Starov, Qinge Xie, Fang Liu Published: April 30, 2026 Executive Summary We found 18 AI browser extensions marketed as productivity tools that are not as they seem. 
This group includes extensions such as: one that surveils your emails as you compose them; another that intercepts ChatGPT prompts; a third that exfiltrates passwords. Leveraging the rise of generative AI (GenAI), these extensions deliver remote access Trojans (RATs), meddler-in-the-middle (MitM) attacks and infostealers that target prompts, user behavior and browser sessions. Attackers blend the following established techniques with AI productivity lures: API interception; passive Document Object Model (DOM) observation; traffic proxying; HTTPS response decryption. Multiple samples contained AI-generated code, indicating that threat actors employed large language models (LLMs) to accelerate malware production. We specifically reported 18 high-risk extensions to Google. Google either removed the extensions or sent a warning to the owners of the extensions to address policy violations. Organizations and individual users should exercise caution by sourcing extensions only from trusted providers and adhering to the principle of least privilege. Users must scrutinize requested permissions, as granting broad access to browser data can authorize the interception of sensitive credentials and proprietary session information. Palo Alto Networks customers are better protected from the threats discussed above through the following products and services: Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, Prisma AIRS. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team. Related Unit 42 Topics: GenAI, Infostealer, Remote Access Trojan. Examples of Extensions Disguised as AI Tools We identified multiple extensions that appeared to be AI tools delivering RATs and MitM campaigns, which we disclosed via timely threat intelligence (TTI) posts. 
These include: AI-powered summary extensions exfiltrating sensitive data to low-reputation domains (August 2025); adware campaigns using hidden iframes (August 2025); Cursor customization extensions delivering potentially unwanted programs (PUPs) (August 2025); prompt and search hijackers redirecting queries to attacker-controlled domains (September 2025); and, most recently, a Model Context Protocol (MCP)-themed RAT targeting AI developers (February 2026). Browser Extensions Expand the Client-Side Attack Surface Browser extensions operate within the browser's trusted process with user-granted permissions. They can read and modify web content, intercept network requests, access cookies and communicate with external servers. These capabilities are shared with legitimate tools like ad blockers, password managers and developer tools. Deceptive extensions exploit this privileged position. An extension can override network request APIs before calls leave the page. It can passively monitor DOM changes in targets like Gmail or Notion. It can configure browser proxy settings to route traffic through attacker infrastructure. It can attach the Chrome Debugger Protocol to read decrypted HTTPS response bodies. GenAI amplifies the risk. When users type prompts into AI services, they routinely share proprietary code, draft communications and strategic plans. An extension positioned between the user and an AI service intercepts sensitive data. This data is far more valuable than the browsing metadata targeted by typical browser malware. Our retrospective analysis of detected high-risk extensions revealed the recurring techniques listed in Table 1. Technique Description Technical Characteristics Requires Extension Privilege WebSocket-based C2 channels Persistent bidirectional communication for command dispatch and session management Maintains an open connection that automatically reconnects on network interruption. Persists across browser restarts. 
Uses standard WebSocket protocol over HTTPS. No. Typical malware can establish WebSocket C2 channels. The extension advantage is appearing as legitimate browser traffic and persistence across browser restarts without process injection. Browser API hooking Intercepting JavaScript API calls before network transmission Replaces browser's native window.fetch or XMLHttpRequest functions. Operates in a JavaScript context before data is encrypted for transmission. No interception-layer traffic required. Yes. Content scripts inject code into the page context with API modification privileges. Typical malware would require browser process injection. DOM-based exfiltration Extracting page content through observation rather than network interception Reads content from the rendered page DOM. The extension generates no network requests for data collection. Operates entirely within the browser process. Yes. Content scripts have direct read access to the page DOM. Typical malware would require accessibility APIs, screen scraping or browser process memory access. Dynamic proxy configuration Remote proxy auto-configuration (PAC) script updates for selective traffic routing Downloads and applies proxy configuration from a remote server. Can be updated without extension store approval. Applies routing rules per-domain or per-URL pattern. Partially. Typical malware can modify system proxy settings but lacks the chrome.proxy API for programmatic, extension-scoped, dynamic updates without OS-level permissions. Cross-storage persistence with active restoration Redundant identifier storage across multiple APIs with automated recreation on deletion Stores identifiers in chrome.storage.sync, cookies and localStorage. Monitors storage-change events. Recreates deleted identifiers from remaining copies. Syncs across devices via Chrome profile. Yes. Requires chrome.storage.sync API for cross-device persistence and chrome.cookies.onChanged API for real-time monitoring. 
Typical malware cannot access these browser-internal storage mechanisms. Misuse of one-time extension events Install-time payload execution via chrome.runtime.onInstalled The code executes once when the extension installs or updates. The event fires before the user interacts with the extension. Does not repeat on subsequent browser sessions. Yes. The chrome.runtime.onInstalled event is extension-specific. No equivalent in typical malware. Table 1. Recurring techniques seen in GenAI high-risk extensions. As GenAI becomes the primary interface for professional and creative workflows, these extensions can potentially gain direct access to sensitive user information. If operated within the same execution context as the AI interface, these extensions pose a significant risk to enterprises. We placed detections from campaigns targeting AI users into six distinct malware categories based on their primary operational objective, as shown below in Figure 1. We derived these categories from manual analysis of extension code and network behavior. Figure 1. Six distinct malware categories observed across the analyzed GenAI browser extensions. The following sections present case studies of these six high-risk GenAI browser extensions. A RAT: MCP Server AI Automation Extension A RAT is malware that grants an attacker complete remote control over a victim's system through a persistent command and control (C2) channel. This case study is for an extension named Chrome MCP Server - AI Browser Control that acts as a RAT. 
Extension ID","https:\u002F\u002Fbit.ly\u002F3P4J2TB","https:\u002F\u002Funit42.paloaltonetworks.com\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002FAdobeStock_739390615-1.jpg","2026-05-07T14:00:25+00:00","2026-05-07T15:00:13.737+00:00",9,[18,21,23,26,28,31],{"name":19,"type":20},"Palo Alto Networks","vendor",{"name":22,"type":20},"Google",{"name":24,"type":25},"Chrome browser","product",{"name":27,"type":25},"ChatGPT",{"name":29,"type":30},"Browser extensions","technology",{"name":32,"type":30},"Model Context Protocol (MCP)","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,41],{"category":40},{"id":33,"icon":35,"name":36,"slug":37},{"category":42},{"id":43,"icon":35,"name":44,"slug":45},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[47,50,53],{"type":37,"value":48,"context":49},"RAT (Remote Access Trojan)","Delivered via malicious AI browser extensions for persistent command dispatch and session management",{"type":37,"value":51,"context":52},"Infostealer","Exfiltrates passwords, email content, ChatGPT prompts, and browser session data",{"type":37,"value":54,"context":55},"MitM (Man-in-the-Middle)","Intercepts network traffic via dynamic proxy configuration and HTTPS response decryption"]