The LayerX research team has uncovered a coordinated effort involving multiple Chrome extensions promoted as tools to improve ChatGPT usage and overall productivity.
In reality, their primary purpose is to capture and steal users’ ChatGPT login credentials. This operation features at least sixteen different extensions, all created by one threat actor intent on maximizing exposure and reach.
The activity fits into a larger pattern of surging interest in browser add-ons powered by artificial intelligence, which promise to streamline routine tasks for everyday users.
Because these extensions often need deep access to logged-in web services, they significantly broaden the potential points of attack within browsers.
Examination of the extensions reveals a consistent method: they snag ChatGPT authentication tokens during active sessions and send them straight to an external server controlled by the attackers.
With these tokens in hand, the perpetrators gain equivalent access to the victim’s account, unlocking full conversation logs, attached files, and related information.
This enables impersonation of the legitimate user, granting unrestricted viewing and interaction with everything stored in their ChatGPT profile.

Malicious ChatGPT Chrome Extensions To Remove From Your PC Right Now
Here are the browser extensions you should remove, organized as follows: Name — Publisher — Extension ID.
- ChatGPT bulk delete, Chat manager — ChatGPT Mods — gbcgjnbccjojicobfimcnfjddhpphaod
- ChatGPT export, Markdown, JSON, images — ChatGPT Mods — hljdedgemmmkdalbnmnpoimdedckdkhm
- ChatGPT folder, voice download, prompt manager, free tools — ChatGPT Mods — lmiigijnefpkjcenfbinhdpafehaddag
- ChatGPT message navigator, history scroller — ChatGPT Mods — ifjimhnbnbniiiaihphlclkpfikcdkab
- ChatGPT Mods — Folder Voice Download & More Free Tools — jhohjhmbiakpgedidneeloaoloadlbdj
- ChatGPT pin chat, bookmark — ChatGPT Mods — kefnabicobeigajdngijnnjmljehknjl
- ChatGPT Prompt Manager, Folder, Library, Auto Send — ChatGPT Mods — ioaeacncbhpmlkediaagefiegegknglc
- ChatGPT prompt optimization — ChatGPT Mods — mmjmcfaejolfbenlplfoihnobnggljij
- ChatGPT search history, locate specific messages — ChatGPT Mods — ipjgfhcjeckaibnohigmbcaonfcjepmb
- ChatGPT Timestamp Display — ChatGPT Mods — afjenpabhpfodjpncbiiahbknnghabdc
- ChatGPT Token counter — ChatGPT Mods — hfdpdgblphooommgcjdnnmhpglleaafj
- ChatGPT model switch, save advanced model uses — ChatGPT Mods — pfgbcfaiglkcoclichlojeaklcfboieh
- ChatGPT voice download, TTS download — ChatGPT Mods — obdobankihdfckkbfnoglefmdgmblcld
- Collapsed message — ChatGPT Mods — lechagcebaneoafonkbfkljmbmaaoaec
- Multi-Profile Management & Switching — ChatGPT Mods — nhnfaiiobkpbenbbiblmgncgokeknnno
- Search with ChatGPT — ChatGPT Mods — hpcejjllhbalkcmdikecfngkepppoknd
Such findings emphasize why organizations must actively track and limit third-party AI extensions, given their ability to quietly extract valuable sensitive data.
Even without targeting flaws in ChatGPT’s own code, the extensions facilitate session takeover and stealthy account compromise, posing serious threats to both security and personal privacy.
At the moment, the entire set has accumulated around 900 total installations—relatively minor when stacked against major past incidents like GhostPoster or the persistent RolyPoly VPN scheme.
That said, the danger level isn’t determined solely by current scale. Extensions optimized for GPT enjoy strong demand, and the Chrome Web Store already hosts plenty of highly rated legitimate alternatives, which can cause users to overlook red flags. One variant even carries a “featured” badge claiming adherence to Google’s best practices for extensions.
A single successful update or tweak could propel one of these malicious tools to widespread use. Our assessment suggests that GPT-enhancing extensions are poised to rival—or possibly surpass—the popularity once held by VPN add-ons. That’s precisely why we’ve moved quickly to publish these details: the aim is to disrupt the operation before it gains serious momentum.
Browser add-ons centered on artificial intelligence have evolved into standard parts of many users’ daily routines, especially for those leveraging generative AI to boost efficiency. These utilities typically demand:
- Integration with verified AI platforms
- Close synchronization with sophisticated single-page web apps
- Higher-than-normal execution privileges inside the browser environment
Consequently, AI-focused extensions occupy a privileged position for monitoring critical in-memory elements, such as authentication details. The mix of elevated permissions, user confidence, and fast-growing adoption turns them into an appealing target for malicious exploitation.
The extensions examined here illustrate precisely how seemingly benign AI assistants can secure ongoing, unauthorized control over user accounts—without relying on software bugs or setting off standard defensive alarms.
Core Mechanism: Capturing and Sending Session Tokens
The core technique used throughout this campaign is the interception of ChatGPT session tokens; no flaw in ChatGPT itself is exploited.
In nearly every version reviewed (except one outlier), the extensions follow this pattern:
- A content script is injected directly into chatgpt.com and runs within the page’s primary JavaScript context.
- This script overrides the browser’s window.fetch method, enabling it to inspect all outgoing requests generated by the ChatGPT interface.
- When an outgoing request includes an Authorization header, the script pulls out the active session token.
- A separate content script then picks up the extracted token and forwards it to a remote server under attacker control.
This technique lets the extension’s operators log in to ChatGPT using the victim’s live session credentials, thereby accessing complete chat histories along with any connected services (such as Google Drive, Slack, GitHub, and additional linked sensitive resources).
Running content scripts in the MAIN JavaScript world grants the extension direct engagement with the webpage’s native runtime environment, bypassing Chrome’s usual isolation sandbox for content scripts.
This capability allows the malicious code to:
- Operate in precisely the same context as the target website
- Interact with identical JavaScript objects, methods, and transient memory states
- Intercept or modify core APIs (including window.fetch, XMLHttpRequest, Promise, or app-specific functions)
- Access and alter runtime information that never reaches the network or DOM, such as:
  - Pre-transmission authorization headers
  - In-memory authentication tokens and session objects
  - Frontend framework-managed state variables
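The manifest-level signature of the pattern above (a content script declared to run in the MAIN world on chatgpt.com) is something a defender can screen for before installation. The following triage function is an added example, not code from LayerX or from the extensions themselves; the SENSITIVE_HOSTS list and the sample manifest are constructed for illustration.

```javascript
// Added example, not code from LayerX or from the extensions described above.
// Triage a Chrome MV3 manifest for the injection pattern in this campaign:
// a content script declared with "world": "MAIN" whose match pattern covers
// chatgpt.com, which is what lets it wrap window.fetch and read Authorization
// headers in the page's own JavaScript context. SENSITIVE_HOSTS is an assumption.
const SENSITIVE_HOSTS = ["chatgpt.com", "chat.openai.com"];

// Extract the host part of a match pattern such as "https://chatgpt.com/*"
// or "*://*.chatgpt.com/*"; "<all_urls>" and malformed patterns yield null.
function hostOfMatch(pattern) {
  const m = /^[^:]+:\/\/([^/]+)\//.exec(pattern);
  return m ? m[1].replace(/^\*\./, "") : null;
}

function coversSensitiveHost(matches) {
  if (matches.includes("<all_urls>")) return true;
  return matches.map(hostOfMatch).filter(Boolean)
    .some(h => SENSITIVE_HOSTS.some(s => h === s || h.endsWith("." + s)));
}

// Returns a list of findings; an empty list means nothing suspicious was found.
function triageManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const matches = cs.matches || [];
    const scripts = (cs.js || []).join(",");
    if (cs.world === "MAIN" && coversSensitiveHost(matches)) {
      findings.push({ severity: "high",
        reason: `MAIN-world script(s) ${scripts} injected into ${matches.join(",")}` });
    } else if (cs.world === "MAIN") {
      findings.push({ severity: "medium",
        reason: `MAIN-world script(s) ${scripts} on ${matches.join(",")}` });
    }
  }
  return findings;
}

// Constructed sample shaped like the campaign: a MAIN-world hook script plus an
// ordinary (isolated-world) content script that would relay the captured token.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example ChatGPT helper (constructed)",
  content_scripts: [
    { matches: ["https://chatgpt.com/*"], js: ["hook.js"], world: "MAIN", run_at: "document_start" },
    { matches: ["https://chatgpt.com/*"], js: ["relay.js"] }
  ]
};

console.log(triageManifest(SAMPLE_MANIFEST));
```

A MAIN-world script is not malicious by itself (some legitimate tools need it), so the output is a review queue, not a verdict.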
Beyond just the ChatGPT token, the exfiltrated payload includes:
- Details about the extension itself (version number, language settings, unique client markers)
- Behavioral tracking logs and usage events
- Any supplementary access tokens issued by the attackers’ backend for extension operations
Collectively, this information supports expanded token privileges, long-term user tracking, pattern analysis of behavior, and sustained connections to linked third-party services.
Together, these elements enable cross-session correlation, routine inference, and persistent access far beyond temporary sessions—greatly amplifying both privacy violations and the overall damage potential from any backend breach or misuse.
Among the sixteen extensions tied to this effort, fifteen appeared on the Chrome Web Store, with the remaining one listed on Microsoft’s Edge Add-ons platform. As of now, every identified extension continues to be downloadable from its respective marketplace.
Individual installation numbers remain modest for most entries, though a few have gained somewhat larger audiences. From the standpoint of this publication, which draws on LayerX’s findings, timely disclosure should help contain the campaign early and limit its consequences.
Multiple overlapping signs point to these extensions belonging to one unified malicious project rather than unrelated rogue efforts:
- Reuse of the same minified code base across different extension identifiers
- Uniform publisher traits hidden behind varied listings
- Strikingly similar icons, visual styles, and promotional text
- Coordinated batch releases, often launching several on identical dates
- Synchronized version updates applied to groups simultaneously
- Common backend endpoints, with all extensions phoning home to the same domains
- Shared legitimate-sounding features designed to enhance perceived reliability
LayerX’s early identification stemmed from advanced AI-assisted extension scanning combined with detailed code similarity checks.
Key detection strengths included:
- Spotting identical minified code fragments reused in separate extension packages
- Linking add-ons that exhibit virtually matching runtime actions, even under different names and claimed purposes
- Detecting coordinated rollout tactics, where clusters of functionally similar extensions launch and receive updates in lockstep
These patterns allowed clustering the items into a single threat campaign well before broad distribution, underscoring the value of forward-looking monitoring in the rapidly expanding browser extension landscape tied to AI advancements.
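The overlap signals listed above (reused minified code, shared backend domains, coordinated releases) can be turned into a simple clustering step. The block below is an added example and not LayerX’s tooling; the listing records, hash values and domains are constructed, and the choice of three signals with a minSignals threshold is an assumption.

```javascript
// Added example, not LayerX's tooling. Groups extension listings into campaigns
// from the overlap signals discussed above: a reused minified script (same
// content hash), a shared backend domain, and a same-day release under the same
// publisher. Two listings are linked when they share at least minSignals of
// these; linked listings are merged with union-find. All records are constructed.
const LISTINGS = [
  { id: "ext-a", scriptHashes: ["sha-common-1"], domains: ["api.c2-example.test"], released: "2025-03-01", publisher: "Mods Co" },
  { id: "ext-b", scriptHashes: ["sha-common-1", "sha-b"], domains: ["api.c2-example.test"], released: "2025-03-01", publisher: "Mods Co" },
  { id: "ext-c", scriptHashes: ["sha-c"], domains: ["api.c2-example.test"], released: "2025-04-10", publisher: "Other" },
  { id: "ext-d", scriptHashes: ["sha-d"], domains: ["cdn.legit-example.test"], released: "2025-03-01", publisher: "Benign" }
];

// Count how many of the three overlap signals two listings share.
function sharedSignals(x, y) {
  let n = 0;
  if (x.scriptHashes.some(h => y.scriptHashes.includes(h))) n++;
  if (x.domains.some(d => y.domains.includes(d))) n++;
  if (x.released === y.released && x.publisher === y.publisher) n++;
  return n;
}

// Returns groups of listing ids, each group sorted, groups ordered by first id.
function clusterListings(records, minSignals = 1) {
  const parent = records.map((_, i) => i);
  const find = i => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  for (let i = 0; i < records.length; i++)
    for (let j = i + 1; j < records.length; j++)
      if (sharedSignals(records[i], records[j]) >= minSignals) parent[find(i)] = find(j);
  const groups = new Map();
  records.forEach((r, i) => {
    const root = find(i);
    if (!groups.has(root)) groups.set(root, []);
    groups.get(root).push(r.id);
  });
  return [...groups.values()].map(g => g.sort()).sort((a, b) => a[0].localeCompare(b[0]));
}

console.log(clusterListings(LISTINGS, 1)); // [["ext-a","ext-b","ext-c"],["ext-d"]]
console.log(clusterListings(LISTINGS, 2)); // [["ext-a","ext-b"],["ext-c"],["ext-d"]]
```

Raising minSignals trades recall for precision: a shared domain alone can be a common CDN, whereas a shared domain plus an identical script hash is much harder to explain away.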
With AI integration deepening in both corporate and individual settings, any browser extension that interfaces with authenticated AI environments deserves classification as high-risk software requiring strict evaluation and oversight.