16 malicious Chrome browser extensions that pose as ChatGPT productivity enhancers were part of a coordinated campaign. These add-ons, which are advertised as improving AI interactions, steal users' ChatGPT session tokens covertly, giving hackers complete account access, including conversation histories and linked data sources like GitHub or Google Drive. The extensions take advantage of the growing need for AI tools and were all created by the same threat actor.

Since the Chrome Web Store is overflowing with genuine ChatGPT enhancers, these imitations blend in perfectly. Some even display a "featured" badge that claims to follow Chrome best practices. Approximately 900 downloads have been made thus far, which is a small number when compared to previous campaigns like GhostPoster or RolyPoly VPN. LayerX cautions that this could blow up and advises businesses to limit third-party AI extensions before they reach a critical mass.

By inserting content scripts into chatgpt.com, these extensions target ChatGPT's authenticated web application. They have native access to the page's runtime because they are operating in the browser's MAIN JavaScript world rather than Chrome's isolated environment. This enables them to intercept outgoing requests by hooking important APIs like window.fetch.

The script retrieves the session token as soon as a request with an authorization header appears. It is then exfiltrated to a shared remote server by a secondary script, along with backend tokens, usage telemetry, and extension metadata. Attackers use the stolen token to read chats, metadata, and associated services without setting off alarms, as well as for persistent impersonation. The technique does not depend on any vulnerability in ChatGPT itself; it relies on session hijacking.

The campaign highlights the risks of AI extensions: they demand deep integration with single-page apps, elevated privileges, and user trust.

The proliferation of AI tools for productivity increases the attack surface of the browser by monitoring sensitive in-memory data that is not visible to conventional security tools. By using AI-driven code similarity analysis to identify shared minified codebases, identical icons, batch uploads, and the same backend domain across variants, LayerX was able to identify the campaign early on.

Execution of the Main World and Fetch Hooking

The main exploit develops in stages: The content script overrides window.fetch by injecting into the MAIN world of chatgpt.com. It then monitors requests and captures authorization headers that carry tokens. For C2 exfiltration, the token is sent to a peer script. According to LayerX, this provides "account-level access equivalent to the user." Beyond tokens, session correlation and user profiling are made possible by leaked data.

One variation follows the same pattern but omits complete interception.
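A defender can look for the same access pattern in an extension's manifest before it is allowed on managed browsers. The following is an added example, not code from LayerX or from the extensions: it flags MAIN-world content scripts that match chatgpt.com, flags extensions able to inject at runtime, and checks the ID against two of the IDs listed in this article. The sample manifests, placeholder IDs and finding labels are constructed for illustration.

```javascript
// Added example: flags the extension access pattern described in the article.
// TARGET_HOST and the two IOC IDs are from the article; manifests are constructed.
const TARGET_HOST = "chatgpt.com";
const IOC_IDS = new Set([
  "lmiigijnefpkjcenfbinhdpafehaddag",
  "obdobankihdfckkbfnoglefmdgmblcld",
]);

// True if a Chrome match pattern (e.g. "*://*.chatgpt.com/*") covers TARGET_HOST over https.
function patternCoversTarget(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https):\/\/(\*|(?:\*\.)?[^\/*]+)\//.exec(pattern);
  if (!m) return false;
  const host = m[1];
  if (host === "*") return true;
  if (!host.startsWith("*.")) return host === TARGET_HOST;
  const base = host.slice(2); // "*.example.com" also matches "example.com"
  return TARGET_HOST === base || TARGET_HOST.endsWith("." + base);
}

// Returns finding labels for one extension; an empty array means nothing was flagged.
function auditManifest(extensionId, manifest) {
  const findings = [];
  if (IOC_IDS.has(extensionId)) findings.push("ioc-id");
  for (const cs of manifest.content_scripts || []) {
    // "world": "MAIN" runs the script in the page's own JavaScript context
    // (default is "ISOLATED"), which is what makes hooking window.fetch possible.
    if (cs.world === "MAIN" && (cs.matches || []).some(patternCoversTarget)) {
      findings.push("main-world-content-script");
    }
  }
  // "scripting" plus host access allows MAIN-world scripts to be registered at
  // runtime, so they never appear under content_scripts.
  const hostAccess = (manifest.host_permissions || []).some(patternCoversTarget);
  if (hostAccess && (manifest.permissions || []).includes("scripting")) {
    findings.push("runtime-injection-capable");
  }
  return findings;
}

// Constructed sample manifests with placeholder extension IDs.
const SAMPLES = [
  { id: "a".repeat(32), manifest: { manifest_version: 3, content_scripts: [
      { matches: ["https://chatgpt.com/*"], js: ["content.js"], world: "MAIN" }] } },
  { id: "b".repeat(32), manifest: { manifest_version: 3,
      permissions: ["scripting"], host_permissions: ["<all_urls>"] } },
  { id: "c".repeat(32), manifest: { manifest_version: 3, content_scripts: [
      { matches: ["https://example.org/*"], js: ["content.js"] }] } },
];
const auditAll = (samples) => samples.map((s) => auditManifest(s.id, s.manifest));
```

A finding is a prompt for review rather than proof of malice, since legitimate extensions also use MAIN-world scripts and the scripting permission.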

[Figure: Visual Parallels (Source: Layerxsecurity)]

The extensions were distributed primarily through the Chrome Web Store (15 of 16), with one distributed as a Microsoft Edge add-on. As of publication, all are still active.

Compromise Indicators

LayerX shared complete IOCs for removal:

Extension ID | Name of Extension | Installs
lmiigijnefpkjcenfbinhdpafehaddag | ChatGPT Mods | 605
obdobankihdfckkbfnoglefmdgmblcld | ChatGPT folder, voice download, prompt manager, and free tools ChatGPT Mods | 156
kefnabicobeigajdngijnnjmljehknjl | ChatGPT pin chat, bookmark ChatGPT Mods | 18
ifjimhnbnbniiiaihphlclkpfikcdkab | ChatGPT Mods | 11
pfgbcfaiglkcoclichlojeaklcfboieh | message navigator, history scroller ChatGPT Mods | 11
hljdedgemmmkdalbnmnpoimdedckdkhm | ChatGPT export, Markdown, JSON, and images ChatGPT Mods | 10
afjenpabhpfodjpncbiiahbknnghabdc | ChatGPT model switch, save advanced model uses ChatGPT Mods | 13
gbcgjnbccjojicobfimcnfjddhpphaod | ChatGPT bulk delete, ChatGPT Timestamp Display ChatGPT Mods | 11
ipjgfhcjeckaibnohigmbcaonfcjepmb | ChatGPT search history, find particular messages | 11
mmjmcfaejolfbenlplfoihnobnggljij | ChatGPT prompt optimization – ChatGPT Mods | 10
lechagcebaneoafonkbfkljmbmaaoaec | Collapsed message – ChatGPT Mods | 13
nhnfaiiobkpbenbbiblmgncgokeknnno | Multi-Profile Management & ChatGPT Mods | 0
hpcejjllhbalkcmdikecfngkepppoknd | Search with ChatGPT - ChatGPT Mods | 0
hfdpdgblphooommgcjdnnmhpglleaafj | ChatGPT Prompt Manager, Folder, Library, Auto Send, ChatGPT Mods | 5
ioaeacncbhpmlkediaagefiegegknglc | ChatGPT Token counter | 5
jhohjhmbiakpgedidneeloaoloadlbdj | ChatGPT Mods: Folder Voice Download & Additional Free Resources | 17