AI Browser Extensions Steal Emails, Passwords via Prompt Injection
Unit 42 finds 30+ malicious AI browser extensions exfiltrating email content, credentials, and API keys via prompt injection and DOM scraping. Affects Chrome, Edge users.

Executive Summary
Palo Alto Networks Unit 42 has identified a campaign involving over 30 malicious AI-powered browser extensions that masquerade as productivity tools—such as email-writing assistants, grammar checkers, and summarizers—but covertly exfiltrate sensitive data. The extensions intercept user prompts, scrape DOM content including email bodies and passwords, and transmit stolen data to attacker-controlled infrastructure. Unit 42 reported the findings on April 30, 2026, noting that the extensions target Chrome and Edge users and have been distributed through official browser stores as well as third-party sources.
Technical Analysis
According to Unit 42's analysis, the malicious extensions combine several techniques to harvest data. They inject JavaScript into the pages a user visits (an extension content script runs inside the page's DOM, so it can read text areas and form fields before the page submits them) and use it to capture the prompts users type into AI chat interfaces (e.g., ChatGPT, Claude, Gemini) along with the responses. The same injected code scrapes the Document Object Model (DOM) of other pages, including Gmail, Outlook, and corporate web apps, to extract email content, passwords, and API keys. Some extensions also target login forms directly to harvest credentials.
The extensions request broad permissions at install time, such as "access to your data on all websites" and "read and change all your data on the websites you visit", which users often accept without scrutiny. In the extension manifest, prompts of that kind correspond to host permissions such as <all_urls> or *://*/*, which grant the extension's scripts access to every page. Unit 42 researchers noted that the extensions use obfuscated JavaScript to evade static analysis and communicate with command-and-control (C2) servers over encrypted WebSocket connections. Stolen data is exfiltrated in real time, and some extensions also capture keystrokes and clipboard content.
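As an added example (not Unit 42's detection content and not part of the original article), the following Python script turns the WebSocket C2 behaviour described above into a log check: it keeps only WebSocket handshakes whose Origin header is an extension origin (chrome-extension://<id>, the origin Chrome and Edge send for connections opened from an extension's own background context), discards destinations the extension is known to use, and aggregates the rest per client, extension and destination so that a persistent channel to one unknown host stands out. The JSON-lines log format, the KNOWN_ENDPOINTS allowlist, the extension IDs and the sample records are all constructed for the example; a real deployment would map the fields from whatever the proxy emits, and assumes the proxy records the Origin and Upgrade headers.

```python
"""Flag WebSocket handshakes that originate from a browser extension rather
than from a web page.  Added example; not Unit 42's detection content."""
import ipaddress
import json
import re

# Chrome and Edge send Origin: chrome-extension://<id> for connections opened
# from an extension's own background context; IDs are 32 letters a-p.
EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})$")

# Extension ID -> destination hosts it legitimately uses.  Assumed allowlist
# for the example; in practice derived from vendor docs or a baseline.
KNOWN_ENDPOINTS = {
    "abcdefghijklmnopabcdefghijklmnop": {"api.grammar.example"},
}


def is_raw_ip(host):
    """True if the host part (IPv4 literal, optional :port) is an address.
    Bracketed IPv6 literals are not handled in this example."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def flag_extension_websockets(lines, burst_threshold=5):
    """Group extension-originated WebSocket handshakes to unknown hosts.

    lines: JSON records (one per line) with ts, src, host, origin, upgrade.
    Returns one finding per (src, ext_id, host), most handshakes first.
    """
    seen = {}
    for raw in lines:
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("upgrade", "").lower() != "websocket":
            continue                      # not a WebSocket handshake
        m = EXT_ORIGIN.match(rec.get("origin", ""))
        if not m:
            continue                      # page-originated socket: out of scope
        ext_id, host = m.group(1), rec["host"]
        if host in KNOWN_ENDPOINTS.get(ext_id, set()):
            continue                      # expected endpoint for this extension
        f = seen.setdefault((rec["src"], ext_id, host), {
            "src": rec["src"], "ext_id": ext_id, "host": host,
            "first_ts": rec["ts"], "count": 0, "raw_ip": is_raw_ip(host)})
        f["count"] += 1
    for f in seen.values():
        # Repeated reconnects from one client to one unknown host look like
        # a persistent channel, as the article describes for the C2 link.
        f["burst"] = f["count"] >= burst_threshold
    return sorted(seen.values(), key=lambda f: (-f["count"], f["host"]))


# Constructed sample records (not from the campaign): six handshakes from one
# extension to a raw IP, one to its known API, one page-originated socket,
# and one plain HTTPS request from an extension (no Upgrade header).
SAMPLE_LOG = [json.dumps(r) for r in (
    [{"ts": f"2026-05-01T09:14:{i:02d}Z", "src": "10.0.4.17",
      "host": "203.0.113.5:8443", "upgrade": "websocket",
      "origin": "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh"}
     for i in range(6)]
    + [{"ts": "2026-05-01T09:15:00Z", "src": "10.0.4.17",
        "host": "api.grammar.example", "upgrade": "websocket",
        "origin": "chrome-extension://abcdefghijklmnopabcdefghijklmnop"},
       {"ts": "2026-05-01T09:15:01Z", "src": "10.0.4.17",
        "host": "chat.example", "upgrade": "websocket",
        "origin": "https://chat.example"},
       {"ts": "2026-05-01T09:15:02Z", "src": "10.0.4.17",
        "host": "cdn.example",
        "origin": "chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh"}]
)]

if __name__ == "__main__":
    for finding in flag_extension_websockets(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, the script reports a single finding: six handshakes from 10.0.4.17 to the raw address 203.0.113.5:8443 from one extension, marked as a burst. The handshake to the extension's known API, the page-originated socket and the plain request are all dropped, which is the point of anchoring the rule on the extension origin rather than on WebSocket traffic in general.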
Unit 42 did not attribute the campaign to a specific threat actor or group, and no CVE identifiers were assigned, as this is a supply-chain abuse campaign rather than a software vulnerability. The researchers emphasized that the extensions are still available in some stores as of publication, though they have reported the findings to Google and Microsoft.
Mitigations & Recommendations
Unit 42 advises users and organizations to audit installed browser extensions immediately and remove any extension that requests permissions beyond its stated functionality, particularly access to data on all websites. Enterprise defenders should enforce an allowlist of approved extensions through browser policy (in Chrome and Edge, the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies, deployable via group policy) and monitor for unusual outbound WebSocket connections, including connections that originate from extension contexts rather than from web pages. Users should avoid granting permissions to extensions from unknown developers and consider separate browser profiles, with no or minimal extensions, for sensitive activities such as email and financial transactions. No vendor patch applies: the mitigation is purely operational.
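To make the audit and the allowlist concrete, here is an added Python example (not Unit 42's tooling and not part of the original article) that flags an extension manifest for the permission patterns the article warns about and builds the corresponding Chrome/Edge allowlist policy. The BROAD_HOSTS and RISKY_APIS sets are this example's own choices, the two sample manifests are constructed, and find_manifests assumes the directory layout of a default Chrome or Edge profile; the policy file location in the comment is the Linux path for Google Chrome, and Windows deployments set the same policy names through group policy.

```python
"""Audit browser-extension manifests for over-broad permissions and emit a
Chrome/Edge allowlist policy.  Added example; not Unit 42's tooling."""
import glob
import json
import os
import re

# Host patterns that grant access to every site ("access to your data on all
# websites" in the install prompt).  Assumed list for this example.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that let an extension read page content, keystrokes or the
# clipboard, or intercept traffic.  Assumed list for this example.
RISKY_APIS = {"webRequest", "webRequestBlocking", "clipboardRead", "cookies",
              "debugger", "nativeMessaging", "proxy", "scripting", "tabs",
              "history", "management", "declarativeNetRequest"}

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome/Edge extension IDs: 32 letters a-p


def audit_manifest(manifest):
    """Return a list of findings (strings) for one manifest dict."""
    findings = []
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("optional_host_permissions", []))
    # MV2 manifests list host patterns in "permissions" next to API names.
    hosts |= {p for p in manifest.get("permissions", [])
              if "/" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
        if cs.get("all_frames"):
            findings.append("content script runs in all frames")
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append(f"host access to all sites: {broad}")
    risky = sorted(set(manifest.get("permissions", [])) & RISKY_APIS)
    if risky:
        findings.append(f"risky API permissions: {risky}")
    return findings


def find_manifests(profile_dir):
    """Yield (extension_id, manifest dict) for every installed extension under
    a Chrome or Edge profile, e.g. ~/.config/google-chrome/Default."""
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    for path in glob.glob(pattern):
        ext_id = path.split(os.sep)[-3]        # .../Extensions/<id>/<version>/
        with open(path, encoding="utf-8") as fh:
            yield ext_id, json.load(fh)


def build_policy(allowed_ids):
    """Chrome/Edge managed policy: block every extension, then allow a fixed
    set.  On Linux, Google Chrome reads this as JSON from
    /etc/opt/chrome/policies/managed/; Windows sets the same keys via GPO."""
    bad = [i for i in allowed_ids if not EXT_ID.match(i)]
    if bad:
        raise ValueError(f"not extension IDs: {bad}")
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(set(allowed_ids))}


# Constructed sample manifests (not from the campaign) used for the demo.
SUMMARIZER = {  # the over-broad pattern the article describes
    "manifest_version": 3, "name": "AI Email Summarizer",
    "permissions": ["scripting", "clipboardRead", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"],
                         "all_frames": True}],
}
SCOPED = {  # a well-scoped extension: one site, no data-reading APIs
    "manifest_version": 3, "name": "Mail Helper",
    "permissions": ["storage"],
    "host_permissions": ["https://mail.example.com/*"],
}

if __name__ == "__main__":
    for name, m in (("summarizer", SUMMARIZER), ("scoped", SCOPED)):
        print(name, audit_manifest(m) or "ok")
    print(json.dumps(build_policy(["abcdefghijklmnopabcdefghijklmnop"]), indent=2))
```

On a real profile, iterate find_manifests(profile_dir) and feed each manifest to audit_manifest; anything with findings is a candidate for removal, and the IDs that survive review are the input to build_policy. Blocking "*" first matters: an allowlist on its own does not stop users installing extensions outside it.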
