Chrome is under the spotlight after security researchers identified that 900,000 users of the AI platforms ChatGPT and DeepSeek have been breached and their data stolen. This includes two malicious Google Chrome extensions, masked as productivity tools, designed to collect users' data from their complete chat histories, including login credentials.
The incident highlights an evolving ecosystem of malicious extensions in which innocent-looking third-party add-ons can bypass platform-level security, putting legitimate applications under threat. These add-ons mainly target users in order to exfiltrate sensitive intellectual property and personal data directly from the browser.
Browser Audit for User Safety
Malicious extensions can access and exfiltrate sensitive information such as login credentials, financial information, and personal data.
In any organization, this can lead to exposure of confidential business information, intellectual property and client data.
We have witnessed how malicious extensions can serve as a vector for deploying malware, including ransomware, spyware and remote access trojans (RATs). Once installed, these can lead to a complete compromise of the organization’s IT infrastructure and more.
The browser hijacking mechanism activates every time someone navigates to a new page. Every time the person visits a website, the extension would:
What Is the Next Step: Strict Enforcement of Least-Privilege Access
Implementing least-privilege access involves codifying users and groups in a software system and establishing what resources they are able to access. This includes what functions they are able to perform.
When this process is implemented within a broader identity and access management strategy, one that includes the organization's employees, businesses can ensure that only the right people have the right level of access to the right resources.
The Chrome incident highlighted how much threat actors' behavior matters as they shift the focus of security risk from the AI providers' infrastructure to the user's own browser environment.
Regular auditing can prevent a situation where users, accounts and processes dangerously accumulate access levels beyond the appropriate scope.
Treat browser extensions as a managed attack surface by enforcing a block on sideloading and revalidating extensions when permissions or ownership change.
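One way to revalidate extensions when their permissions change, shown as an added example that is not part of the original article. It compares the permissions in each installed extension's parsed `manifest.json` against a baseline recorded at approval time; the baseline format, the extension ids and the sample manifests are constructed for illustration.

```python
# Host patterns that let an extension read content on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
EXT_A, EXT_B = "a" * 32, "b" * 32  # constructed extension ids

def granted(manifest):
    """Collect everything a manifest requests: API permissions, host
    permissions (Manifest V3) and content-script match patterns."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms

def revalidate(ext_id, manifest, baseline):
    """Return findings for one extension. baseline (assumed format) maps
    extension id -> permissions approved at review time."""
    if ext_id not in baseline:
        return ["not in approved baseline"]
    findings = []
    added = granted(manifest) - set(baseline[ext_id])
    if added:
        findings.append("permissions added since approval: " + ", ".join(sorted(added)))
    if added & BROAD_HOSTS:
        findings.append("new access to all sites")
    return findings

def audit(installed, baseline):
    """Map each extension id that needs review to its list of findings."""
    report = {}
    for ext_id, manifest in installed.items():
        findings = revalidate(ext_id, manifest, baseline)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample data standing in for parsed manifest.json files.
BASELINE = {EXT_A: ["storage", "https://example.com/*"]}
INSTALLED = {
    # Approved extension whose update quietly widened its reach.
    EXT_A: {"manifest_version": 3, "name": "Sample Notes", "version": "2.0",
            "permissions": ["storage", "tabs"],
            "host_permissions": ["https://example.com/*"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    # Extension that was never reviewed.
    EXT_B: {"manifest_version": 3, "name": "Sample Sidebar", "version": "1.0",
            "permissions": ["storage"]},
}

if __name__ == "__main__":
    for ext_id, findings in audit(INSTALLED, BASELINE).items():
        print(ext_id, findings)
```

The check covers permission changes only; a change of ownership is not visible in the manifest and has to be tracked separately.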
Read more on: Shadow Extensions, Mostly IDEs Threat to Developers
Threat researchers recently investigated how malicious extensions can easily compromise the machines of millions of developers using Visual Studio Code (VS Code) and AI-powered IDEs such as Cursor AI, Windsurf and Google Antigravity.
These tools are streamlined and highly productive, but with the discovery of the critical vulnerability, developers who unintentionally install these extensions are at risk.
VS Code automatically runs extensions at startup and updates them in the background.
Sources: https://www.malwarebytes.com/blog/news/2025/07/millions-of-people-spied-on-by-malicious-browser-extensions-in-chrome-and-edge