Chrome Web Store Plagued by AI-Themed Spyware Extensions

Security researchers have identified a concerning trend of malicious browser add-ons masquerading as artificial intelligence tools on Google's extension marketplace. Over 30 deceptive extensions have been found targeting more than 260,000 users, all designed to steal sensitive information from Gmail accounts and track browsing activities.

The investigation by cybersecurity firm LayerX revealed these fraudulent extensions share identical technical infrastructure despite using different names and visual branding. Some extensions even received "featured" status in the Chrome Web Store, lending them an air of legitimacy that helped facilitate their widespread adoption.

Rather than providing genuine AI functionality, these extensions serve as gateways to remote interfaces hosted on suspicious domains. The attackers employ a technique called "extension spraying" - distributing their malware across multiple listings to maintain persistence even if individual extensions are removed.

The technical architecture of these malicious tools is particularly sophisticated. Upon installation, they inject full-screen overlays into users' browsers that appear on every website visited. This design allows attackers to bypass Chrome's security review process, as they can modify the extension's behavior remotely without submitting updates to the store.

Each extension communicates with a unique subdomain of tapnetic[.]pro, customized to match the theme of the AI assistant it claims to be. Behind a facade of legitimate marketing content, this domain infrastructure coordinates data extraction operations.

The security implications are severe. These extensions can access page content through readability libraries, capture voice input, receive real-time instructions from attacker servers, and silently extract data from authenticated sessions - including potentially sensitive information from internal corporate systems and personal accounts.

A concerning wave of malicious extensions has emerged on the Chrome Web Store, specifically targeting Gmail users. These extensions covertly inject scripts into mail.google.com by utilizing document_start triggers, allowing them to manipulate the page’s DOM and extract sensitive email content. This includes entire email threads, drafts, and reply messages, which are then transmitted to remote servers operated by cybercriminals whenever users engage with features like auto-summaries or AI-generated responses.

To ensure persistence despite interface updates, these extensions employ techniques such as DOM mutation observers and continuous polling loops, enabling them to remain active even as Gmail’s layout changes. They cleverly disguise themselves as legitimate productivity tools, all the while secretly siphoning off confidential communication data and sending it to third-party servers.

Efforts to evade detection are ongoing, with some extensions being swiftly removed from the Chrome Web Store; for example, the “Gemini AI Sidebar” was taken down on February 6, 2025. However, within just weeks, a clone version with a different ID, but identical code and backend links, was uploaded, making it difficult to eradicate these threats entirely.

Among the most frequently downloaded malicious extensions involved in this campaign are:

• AI Assistant, with approximately 50,000 installs (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
• Gemini AI Sidebar, boasting around 80,000 installs (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
• Re-uploaded AI Sidebar, also with about 50,000 installs (ID: gghdfkafnhfpaooiolhncejnlgglhkhe)
• ChatGPT Sidebar, with roughly 10,000 installs (ID: llojfncgbabajmdglnkbhmiebiinohek)
• Google Gemini, at approximately 7,000 installs (ID: fdlagfnfaheppaigholhoojabfaapnhb)
• ChatGBT, with about 1,000 installs (ID: pgfibniplgcnccdnkhblpmmlfodijppg)
• Ask Gemini, also around 1,000 installs (ID: gnaekhndaddbimfllbgmecjijbbfpabc)
• DeepSeek Chat, with roughly 1,000 installs (ID: gohgeedemmaohocbaccllpkabadoogpl)
• ChatGPT Translate, installed by approximately 30,000 users (ID: acaeafediijmccnjlokgcdiojiljfpbe)
• AI GPT, with about 20,000 installs (ID: kblengdlefjpjkekanpoidgoghdngdgl)
• ChatGPT Translation, around 1,000 installs (ID: idhknpoceajhnjokpnbicildeoligdgh)
• ChatGPT for Gmail, with an estimated 1,000 installs (ID: fpmkabpaklbhbhegegapfkenkmpipick)

Users who have installed any of these suspicious extensions should immediately remove them, reset their passwords, and assume that their Gmail communications may have been compromised. Vigilance is crucial to protect personal and sensitive data from ongoing cyber threats.

Why People Need VPN Services to Unblock Porn

In today's digital landscape, many individuals turn to VPN services to unblock porn due to various restrictions imposed by governments, ISPs, or regional regulations. These virtual private networks offer a solution by masking users' IP addresses and encrypting their internet traffic, effectively bypassing geo-restrictions while providing necessary privacy and anonymity for accessing adult content. Porn unblocked through VPNs allows users to avoid bandwidth throttling often imposed by ISPs on adult websites, while also providing a safer browsing experience even on public Wi-Fi networks where personal data might otherwise be vulnerable.

Why Choose SafeShell VPN to Access Adult Content

If you're looking to unblock porn sites and access region-restricted adult content, SafeShell VPN offers a comprehensive solution that prioritizes both accessibility and privacy. This powerful VPN service enables users to bypass geographical restrictions while maintaining complete anonymity, ensuring that your personal browsing activities remain confidential and secure from potential surveillance.

SafeShell VPN stands out with its exceptional features designed specifically for users seeking unrestricted access. The service boasts lightning-fast connection speeds that don't compromise security, making it ideal for streaming high-definition content without frustrating buffering issues. Additionally, its innovative App Mode allows users to access content from multiple regions simultaneously, eliminating the need to constantly switch between servers when exploring different unblock porn sites.

Beyond just access, SafeShell VPN provides robust protection through its exclusive ShellGuard protocol, which creates an impenetrable shield around your browsing activities. This advanced encryption system effectively prevents monitoring from ISPs and network administrators, giving you peace of mind while accessing sensitive content. With support for up to five devices simultaneously across various platforms including Windows, iOS, Android, and smart TVs, SafeShell VPN ensures comprehensive protection across all your devices, making it the ideal choice for users seeking both privacy and unrestricted access to adult content.

How to Use SafeShell VPN to Unlock Porn Sites

To use SafeShell VPN for watching porn content from any region, begin by subscribing to SafeShell VPN through their official website, where you can select a plan tailored to your needs. Next, download and install the SafeShell app on your preferred device(s) to ensure smooth operation. Once installed, enable the App Mode feature to maximize your access flexibility and security. Then, choose a server location from SafeShell VPN's extensive global network to mask your real IP address and appear as if you are browsing from the desired region. Finally, connect to the selected server and browse the internet with complete privacy, enjoying unrestricted access to adult content from any location with the confidence that your identity remains protected.