As legitimate AI tooling has expanded — particularly tools that “enhance” or extend ChatGPT — so too has the opportunity for attackers to exploit that trust and integration to compromise user accounts. This trend aligns with broader observations that AI extensions are a growing but under-secured attack surface capable of exposing authentication artifacts and sensitive runtime data.
Campaign Overview: What Was Discovered
In late January 2026, LayerX researchers identified a coordinated campaign involving at least 16 distinct Chrome browser extensions that were marketed — often deceptively — as ChatGPT enhancement or productivity tools. In reality, these extensions were developed with a cohesive malicious intent: to silently harvest authenticated session tokens from users and transmit them to a remote attacker-controlled backend.
Key Characteristics:
- Threat Actor Coordination: Although published under different names and extension IDs, all 16 extensions shared a common minified codebase, similar branding characteristics, and coordinated timelines — strongly indicating single threat actor orchestration.
- Distribution Channels: Fifteen of the malicious extensions were published in the Chrome Web Store; one was found on the Microsoft Edge Add-Ons marketplace. At the time of disclosure, all were still live in their respective marketplaces — amplifying exposure.
- Low Visibility but High Impact Potential: Together the extensions had around 900 reported downloads at discovery — low relative to other large malicious extension campaigns — but even this early distribution presented a serious privacy and security risk.
Technical Analysis: How the Extensions Operate
Understanding the precise mechanics of how these extensions capture and exfiltrate sensitive authentication data is critical. The attack does not exploit a vulnerability in ChatGPT itself but abuses the way browser extensions can interact with authenticated web applications.
1. Session Token Interception via fetch() Hooking
The foundation of the malicious behavior lies in how the extensions intercept authenticated requests from the ChatGPT web interface:
- The extension injects a content script into chatgpt.com, executing in the main JavaScript execution context of the page.
- Within this context, the extension wraps the browser’s native window.fetch function (and in some variants, other request mechanisms like XMLHttpRequest), enabling it to observe outbound HTTP requests initiated by the ChatGPT web app.
- When an outgoing request includes an authorization header (i.e., a live ChatGPT session token), the extension extracts this token and forwards it to a third-party backend controlled by the threat actor.
This method allows the attacker to obtain authentication tokens equivalent to a logged-in session, giving them effective access to the user’s account without having to break or crack their password.
Session Token Exfiltration Workflow (Simplified)
- Inject content script into chatgpt.com.
- Hook the browser’s fetch() API.
- Detect authorization headers in outbound requests.
- Extract session token.
- Transmit token to attacker backend.
This operational chain ensures that exfiltration of account credentials happens entirely through “normal” web behavior, avoiding the need for malware installation or exploit kits.
Execution Context: Why This Is Particularly Dangerous
Malicious extension content scripts execute in high-privilege contexts, enabling them to:
- Interact directly with the same JavaScript objects and in-memory state as the web application, giving them far more access than ordinary web page scripts.
- Observe and intercept authentication tokens before they leave the browser.
- Manipulate extension behavior without ever triggering conventional endpoint protections or network intrusion detection tools.
This combination — main execution context + authentication visibility + network egress control — makes this class of attack difficult to detect and extremely stealthy.
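The stealth described above comes from the hook living in the page's own JavaScript realm, where it is invisible to endpoint and network tooling. The one party that can still notice it is the web application itself. The following is an added example, not code from the LayerX report or from the extensions it analyses: a page-side integrity check that flags request APIs whose implementation no longer looks like the engine's native one. The function names (looksNative, detectHookedApis, locate) and the idea of comparing against a pristine scope are this example's own assumptions; in a browser the pristine scope would be the contentWindow of a freshly appended same-origin iframe, and the checked scope would be window.

```javascript
// Added example (not from the LayerX report): heuristic detection of wrapped
// request APIs from inside the page. Script-defined wrappers differ from
// built-ins in their source text, arity, name and property shape.

const NATIVE_SOURCE = /\{\s*\[native code\]\s*\}\s*$/;

// True when the engine reports fn as a built-in rather than a script-defined function.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_SOURCE.test(Function.prototype.toString.call(fn));
  } catch (e) {
    return false; // toString threw: treat as suspicious
  }
}

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" against root,
// returning the object that holds the final key as well as the value.
function locate(root, dottedPath) {
  const keys = dottedPath.split('.');
  const key = keys.pop();
  const holder = keys.reduce((o, k) => (o == null ? undefined : o[k]), root);
  return { holder, key, value: holder == null ? undefined : holder[key] };
}

// Inspect the APIs named in `names` on `scope` (window in a browser).
// `pristine`, when given, is a scope assumed to still hold the originals
// (in a browser: a freshly created same-origin iframe's contentWindow).
// Returns one finding per API that shows signs of tampering.
function detectHookedApis(scope, names, pristine) {
  const findings = [];
  for (const api of names) {
    const { holder, key, value: fn } = locate(scope, api);
    if (fn === undefined) continue; // API not present in this environment
    const reasons = [];
    if (!looksNative(fn)) reasons.push('source is not [native code]');
    // Built-ins are plain data properties; an accessor means something redefined it.
    const desc = holder ? Object.getOwnPropertyDescriptor(holder, key) : undefined;
    if (desc && typeof desc.get === 'function') reasons.push('property redefined with a getter');
    const orig = pristine ? locate(pristine, api).value : undefined;
    if (typeof orig === 'function' && typeof fn === 'function') {
      // Wrappers written as (...args) => ... usually change arity and lose the name.
      if (fn.length !== orig.length) reasons.push(`arity ${fn.length} differs from pristine ${orig.length}`);
      if (fn.name !== orig.name) reasons.push(`name "${fn.name}" differs from pristine "${orig.name}"`);
    }
    if (reasons.length) findings.push({ api, reasons });
  }
  return findings;
}

// The request paths a token-harvesting hook would most plausibly replace.
const REQUEST_APIS = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.setRequestHeader',
  'XMLHttpRequest.prototype.send',
];
```

In a page this would run early, as `detectHookedApis(window, REQUEST_APIS, iframe.contentWindow)`, with any finding reported to the application's own telemetry rather than acted on locally, since the same script that installed the hook can also suppress a local alert. The check is a heuristic: a wrapper built with a Proxy, or one that also overrides Function.prototype.toString, can pass all four signals, which is why enterprise extension policy, not page-side detection, is the control that actually closes this class of attack.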
Data Exposure Beyond Tokens
In addition to capturing ChatGPT session tokens, the malicious extensions also transmit:
- Extension metadata (version, locale, unique client identifiers)
- Telemetry and usage data that can establish user behavior profiles
- Backend-issued access tokens related to the extension itself
These additional data streams can help attackers maintain persistent access, correlate multiple sessions, and build profiles for further exploitation.
Indicators of a Coordinated Campaign
Several structural similarities between all 16 variants helped LayerX researchers cluster them into a single campaign:
- Shared, highly similar minified JavaScript payloads
- Matching iconography and branding patterns
- Overlapping update timelines and batch publishing behavior
- Common backend communication domains and infrastructure usage
These indicators suggest not random independent development, but strategic, repeatable deployment by a single threat actor seeking to diversify distribution while reusing malicious infrastructure.
Indicators of Compromise (IOCs)
| Extension ID | Extension Name | Installs |
| --- | --- | --- |
| lmiigijnefpkjcenfbinhdpafehaddag | ChatGPT folder, voice download, prompt manager, free tools – ChatGPT Mods | 605 |
| obdobankihdfckkbfnoglefmdgmblcld | ChatGPT voice download, TTS download – ChatGPT Mods | 156 |
| kefnabicobeigajdngijnnjmljehknjl | ChatGPT pin chat, bookmark – ChatGPT Mods | 18 |
| ifjimhnbnbniiiaihphlclkpfikcdkab | ChatGPT message navigator, history scroller – ChatGPT Mods | 11 |
| pfgbcfaiglkcoclichlojeaklcfboieh | ChatGPT model switch, save advanced model uses – ChatGPT Mods | 11 |
| hljdedgemmmkdalbnmnpoimdedckdkhm | ChatGPT export, Markdown, JSON, images – ChatGPT Mods | 10 |
| afjenpabhpfodjpncbiiahbknnghabdc | ChatGPT Timestamp Display – ChatGPT Mods | 13 |
| gbcgjnbccjojicobfimcnfjddhpphaod | ChatGPT bulk delete, Chat manager – ChatGPT Mods | 11 |
| ipjgfhcjeckaibnohigmbcaonfcjepmb | ChatGPT search history, locate specific messages – ChatGPT Mods | 11 |
| mmjmcfaejolfbenlplfoihnobnggljij | ChatGPT prompt optimization – ChatGPT Mods | 10 |
| lechagcebaneoafonkbfkljmbmaaoaec | Collapsed message – ChatGPT Mods | 13 |
| nhnfaiiobkpbenbbiblmgncgokeknnno | Multi-Profile Management & Switching – ChatGPT Mods | 0 |
| hpcejjllhbalkcmdikecfngkepppoknd | Search with ChatGPT – ChatGPT Mods | 0 |
| hfdpdgblphooommgcjdnnmhpglleaafj | ChatGPT Token counter – ChatGPT Mods | 5 |
| ioaeacncbhpmlkediaagefiegegknglc | ChatGPT Prompt Manager, Folder, Library, Auto Send – ChatGPT Mods | 5 |
| jhohjhmbiakpgedidneeloaoloadlbdj | ChatGPT Mods – Folder Voice Download & More Free Tools | 17 |
Domains
- chatgptmods.com
- imagents.top
Email: support@imagents[.]top
Security & Privacy Implications
Once an attacker possesses a live ChatGPT session token, they can:
- Impersonate the user within the AI platform
- Access all chat history, stored metadata, and conversation content
- Leverage linked third-party services (GitHub, Google Drive, Slack) via connected OAuth sessions accessible through ChatGPT integrations
- Potentially extract sensitive data such as business strategy, code snippets, or personal identifiable information (PII) from chat logs and associated tools
This represents a full account compromise, not merely a local privacy breach.
Mitigations and Defensive Recommendations
Given the stealthy nature of these attacks, traditional antivirus and network detection systems may not detect them. Effective defense requires:
- Rigorous enterprise extension policy enforcement — only sanctioned extensions should be permitted.
- Behavior-based extension monitoring — flagging extensions that inspect network requests or exfiltrate data.
- User awareness training — recognizing that even high-rated or “featured” extensions can be malicious.
Enterprise defenders should treat AI-integrated extensions that require elevated privileges as high-risk software and subject them to additional scrutiny before deployment in corporate environments.
Conclusion
The discovery of this 16-extension campaign exposes a potent and evolving threat: malicious extensions hijacking authenticated sessions to compromise user accounts without malware, exploits, or visible disruptions. It highlights the need for greater scrutiny in extension ecosystems, stronger vetting by browser stores, and proactive monitoring by security teams — especially as AI tooling becomes more deeply embedded in enterprise and consumer workflows.
