Malicious Browser Extensions Spoofing AI Sidebars for Credential Theft
SquareX researchers have uncovered a new attack method in which malicious browser extensions impersonate trusted AI sidebar interfaces in popular browsers. These extensions create pixel-perfect replicas of legitimate AI sidebars, such as those found in browsers like Comet, Brave, and Edge, to deceive users into following harmful AI-generated instructions. The spoofed sidebars are used to trick users into executing commands that can result in credential theft, device hijacking, and password exfiltration.
The attack exploits the high level of trust users place in AI browser interfaces, making it difficult for even security-conscious individuals to distinguish between genuine and malicious sidebars. In one documented case, a user seeking to withdraw cryptocurrency was directed by the fake sidebar to a phishing site instead of the legitimate Binance login page, leading to the compromise of their credentials. SquareX warns that this attack vector is likely to evolve, with more variants expected as attackers continue to exploit the widespread adoption of AI-powered browser features.
Timeline
Oct 23, 2025
Researchers recommend browser guardrails and dynamic extension analysis
Alongside the disclosure, SquareX recommended mitigations including dynamic analysis of extension behavior and browser-native guardrails to better detect and block malicious sidebar impersonation. The guidance emphasized that static permission review alone may not reveal these threats.
Oct 23, 2025
SquareX publishes PoC and attack scenarios showing user compromise risks
SquareX disclosed proof-of-concept demonstrations and case studies showing spoofed AI sidebars could trick users into visiting phishing pages or running harmful commands. The reported impacts included credential theft, password exfiltration, device hijacking, account compromise, and potential ransomware deployment.
Oct 23, 2025
SquareX uncovers AI sidebar spoofing attack via malicious extensions
SquareX identified a new attack technique in which malicious browser extensions impersonate trusted AI sidebar interfaces in browsers such as Comet, Brave, Edge, Firefox, and Safari. The research showed the fake sidebars can appear visually indistinguishable from legitimate ones while requiring only basic extension permissions, making detection difficult.
Related Stories

Attacks Exploiting AI Browser and IDE Integrations via Malicious Servers and Sidebar Spoofing
Security researchers have demonstrated new attack methods targeting AI-powered browsers and integrated development environments (IDEs) by exploiting their integration with external servers and AI sidebars. In one case, a proof-of-concept attack showed that a rogue Model Context Protocol (MCP) server could inject malicious JavaScript into Cursor’s built-in browser, allowing attackers to replace login pages, harvest credentials, and potentially compromise the victim’s workstation by leveraging the IDE’s privileges. The attack leverages the client-server architecture of MCP, which is increasingly used in AI agent workflows, and highlights the risks of using unvetted or custom MCP servers in developer environments. Separately, researchers have revealed an "AI sidebar spoofing" technique that targets AI browsers such as Comet by Perplexity and Atlas by OpenAI. This attack exploits users’ trust in AI-generated instructions by manipulating the AI sidebar interface, potentially leading to credential theft or other malicious outcomes. Both attack vectors underscore the expanding attack surface introduced by AI integrations in browsers and development tools, and the need for heightened scrutiny of third-party server integrations and user interface trust boundaries in AI-powered applications.
1 month ago
SquareX Research Reveals Critical Security Vulnerabilities in AI Browsers
SquareX has published research highlighting significant security vulnerabilities in AI-powered web browsers, raising concerns for enterprises and consumers as these browsers gain widespread adoption. The research demonstrates that AI browsers, such as Comet, can be easily manipulated by attackers due to their task-oriented design and lack of inherent security awareness. Attackers can exploit these browsers to perform OAuth attacks, which can result in unauthorized access to sensitive enterprise SaaS applications, including email and cloud storage services like Google Drive. In one documented case, an AI browser was tricked into granting attackers full access to a victim's email and Google Drive, enabling the exfiltration of all files, including those shared by colleagues and customers. The vulnerabilities also extend to the distribution of malware and malicious links, as AI browsers can be convinced to download and execute harmful files as part of their automated workflows. SquareX warns that as major technology companies such as OpenAI, Microsoft, Google, and The Browser Company enter the AI browser market, the risk surface will expand dramatically. With Chrome and Edge accounting for 70% of the browser market, the transition to AI browsers could put millions of users at risk if security guardrails are not implemented. The research emphasizes the need for browser-native solutions that incorporate agentic identity and data loss prevention (DLP) tailored to the unique behaviors of AI agents. SquareX's findings suggest that without such measures, attackers will continue to find it trivial to bypass security controls by exploiting the automation and decision-making capabilities of AI browsers. The report also notes that AI browsers are likely to become the primary interface for internet use in the near future, making the urgency of addressing these vulnerabilities even greater. 
Enterprises are advised to prepare for these emerging threats by evaluating the security posture of AI browsers before widespread deployment. The research calls for industry collaboration to develop standards and best practices for securing AI-driven browsing environments. SquareX's technical blog provides detailed case studies illustrating the real-world impact of these vulnerabilities, underscoring the practical risks faced by organizations. The disclosure has prompted discussions within the cybersecurity community about the need for proactive defense strategies as AI technologies become more deeply integrated into everyday tools. Security experts echo SquareX's concerns, warning that the rapid adoption of AI browsers without adequate safeguards could lead to large-scale data breaches and malware outbreaks. The research serves as a wake-up call for both browser developers and enterprise security teams to prioritize the development and deployment of robust security mechanisms for AI-powered browsing platforms.
1 month ago
Malicious Chrome Extensions Impersonate AI Assistants and Crypto Wallets to Steal Sensitive Data
Microsoft reported a campaign of **malicious Chromium-based browser extensions** masquerading as legitimate AI assistant tools to **harvest LLM chat histories and browsing data**, with reporting suggesting ~**900,000 installs** and Microsoft Defender telemetry indicating activity across **20,000+ enterprise tenants**. The extensions collected full URLs and chat content from services including **ChatGPT** and **DeepSeek**, creating a high-risk data leakage path for proprietary code, internal workflows, and strategic discussions; Microsoft also noted cases where “agentic” browsers auto-downloaded these extensions, reducing user friction and increasing exposure. Separately, Socket documented a **fake imToken** Chrome extension (`bbhaganppipihlhjgaaeeeefbaoihcgi`) that posed as a benign “hex color visualizer” but functioned as a **phishing redirector**: on install and on click it opened attacker-controlled pages, pulling a destination URL from `jsonkeeper[.]com/b/KUWNE` and sending victims to `chroomewedbstorre-detail-extension[.]com` to solicit **12/24-word seed phrases** or **private keys** for wallet takeover. A Kaspersky post focused on consumer guidance for disabling unwanted AI features and broadly warned about privacy/security risks from pervasive AI assistants (including mention of insecure third-party “personal agent” setups), but it did not provide corroborated details tied to the specific malicious-extension campaigns described by Microsoft and Socket.
2 days ago