CyberWire Daily - Your AI sidekick might be a spy. [Research Saturday]
Episode Date: March 14, 2026
This week, we are joined by Or Eshed, Co-Founder and CEO from LayerX Security, discussing their work on "How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts." Researchers uncovered a coordinated campaign of 16 malicious browser extensions posing as ChatGPT productivity tools while secretly stealing user accounts. The extensions intercept ChatGPT session authentication tokens and send them to attacker-controlled servers, allowing threat actors to impersonate users and access their conversations, files, and connected services like Google Drive or Slack. The findings highlight how AI-focused browser extensions are creating a new attack surface, emphasizing the need for organizations to closely monitor and restrict third-party AI tools. The research can be found here: How We Discovered A Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts
Transcript
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner.
This is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I think what was interesting here is the scope and motivation of the attacker behind this,
which is a very well-coordinated and orchestrated campaign.
That's all its purpose is actually to steal ChatGPT accounts.
That's Or Eshed, co-founder and CEO at LayerX Security.
The research we're discussing is titled How We Discovered a Campaign of 16 Malicious Extensions Built to Steal ChatGPT Accounts.
At LayerX, we're a browser security company; we have millions of browsers to secure, but also a collaboration with Google.
So actually, we're one of the sandboxes Google is using, so I have a pretty good database, probably the largest in the world.
One of the things that we do on our database is conducting threat hunt campaigns.
So we're taking TTPs or doing attribution.
So basically, there are all kinds of extensions out there.
Malicious extensions are not behaving the same way malware works.
So there are different ways to analyze them.
We've built our own platform for that.
We call it the LayerX Malware Lab,
in which we find clusters of extensions that seem similar to one another.
Within that scope, we've detected a first malicious extension within this campaign.
Afterwards, the attribution is happening automatically.
What's interesting was to see a very coordinated campaign that's aimed at stealing ChatGPT accounts.
So unlike other methods to discover, we are trying to get things when the blast radius is relatively low.
So in an extension's infancy, what it means is once we detect some sort of a mechanism
that the malicious extension is using, since we have visibility into the entire marketplace
through Google, we can catch extensions as they come to the marketplace and not once
they infect user browsers.
So you basically have to get to the marketplace, then do the infecting.
I think what was interesting here is the scope and motivation of the attacker behind this,
which is a very well-coordinated and orchestrated campaign.
That's all its purpose is actually to steal ChatGPT accounts.
Well, I mean, let's start off there.
At a high level, what was it that these extensions claim to do, and what were they actually doing instead?
So they claim to be productivity tools for AI, and that makes sense because of, you know,
A, they want to make sure that they hit users with extensive ChatGPT usage.
Secondly, they inject a lot of code into ChatGPT,
so that also provides evasion within the ChatGPT,
within the marketplace sandboxing capabilities.
So you just want to make sure that the fact that they inject a ton of code into ChatGPT goes across as genuine, credible.
And it's not really clear what was the benefit, but they managed to get significant distribution.
Once they are there, they are stealing tokens used for authentication.
So they claim to be something that's used to export data or images, providing timestamp displays,
all kinds of very basic functionalities you don't actually need an extension for,
but eventually they do advertise themselves as something that automates them.
And behind the scenes, stealing tokens used for authentication to ChatGPT.
How did you realize that this wasn't just a single bad extension,
but that this was actually a coordinated campaign?
Actually, that's the easiest part.
The hard part is the catching the first one.
Once you catch the first one,
the next ones to follow are pretty easy.
So we look at a couple of things.
We look at code behavior and code repeatability.
Think about yourself.
What's the most expensive thing you have in the world? Time.
So once you've developed something that works,
you try to replicate that.
You try to automate it.
So basically, they were copying and pasting their own code into a bunch of different extensions.
Aside from that, they use the same visuals,
the same favicons on the extension,
and even the same domain to register them.
So there were a couple of connections
between all those extensions on the ownership level,
on the visual level, and on the code level,
which is really a smoking gun,
and all of them are attributed to the same attacker.
Well, let's go through this together.
I mean, what actually happens when someone installs
one of these extensions?
What does it do inside the browser?
So an extension has visibility to a lot of things that happen within the context of a web session.
So for anyone that's hearing, once you go into ChatGPT, you're already signed in.
How does ChatGPT know it's you and it's not, let's say, Dave, at the same time?
The ChatGPT app is doing that based on a cookie stored in your browser
or some sort of a token that's been cached in the browser memory space.
All of those items are visible to any extension.
So any extension with visibility to the ChatGPT domain is able to see those data types.
So the extension is basically copying all the different attributes that are used by ChatGPT
to recognize the user, the cookie, the tokens used by the browser, the screen resolution,
and even the browser version, everything to create basically a replica, an identical twin of that
browser owned by the attacker.
So the attacker can just log in into the app.
Actually, the attacker doesn't have to log in because they are instantly validated by ChatGPT.
They don't even have to log in.
They're just going.
And then they can just steal conversation history and fetch data.
So as far as chat GPT is concerned, it thinks that it is the user of the stolen token.
It just mimics everything of the victim in a way that the attacker owns.
And the attacker can just sign in and have visibility and access to everything owned by the user.
Well, help me understand here,
because my understanding is this doesn't exploit
a vulnerability in ChatGPT itself.
It's this token vulnerability.
Why does that make this harder to detect?
If you ever seen some sort of a 90s action movie
in which the thieves create some sort of a replica of a house key,
it's pretty much the same thing.
They just create the replica of the key that you use,
they get in, identifying themselves as you,
and then they can steal any data you uploaded. In reality, it can be done on any site.
What the attacker has to do is really know ChatGPT and where ChatGPT hides its secrets. That's not really
hard to do. And from that point on, it's becoming a very easy task. Actually, the complex part is
getting the infections. An extension has visibility into everything identity related within the browser.
So my understanding is that right now the download numbers for these are relatively small. Can you
give us a sense of the scale of this problem? Well, that's a good question. The way LayerX
works, we don't wait for large distribution to do the takedown. We try to do the takedown as
early as possible. So this campaign was blocked in relatively low numbers, but with high motivation.
I'd say that historically campaigns of that sort managed to get to thousands or tens of thousands
of infections per extension. What attackers typically do is they use rogue advertising
to get installations and all kinds of evasion techniques.
So sometimes they will actually add some sort of a legitimate functionality to the extension,
or they will buy an extension on the marketplace that already has infections.
Interestingly, an extension owner has visibility into who owns the browser.
So once I install an extension, let's say I'm using an extension using my work device.
My work device is creating some sort of flag in my browser that says that this browser is managed and is attributed to a domain owned by my business.
So actually, an extension owner can see who is owning the extension
and actually understand whether this is data that's owned by a consumer,
and then it's really hard to monetize on that,
or whether it's owned by a business,
and then they can actually do some sort of a ransomware or something else.
I'd say that the Holy Grail from an attacker standpoint,
or I'd say the knockout, will be companies that actually have a ChatGPT corporate account.
So they have some sort of an on-prem or internal ChatGPT,
And by getting access to one account, they can actually steal the data of all the organization.
If that makes sense, creating some sort of an intrusion that's, you know, a game changer for the attacker.
We'll be right back.
What are your recommendations then?
I mean, when we're talking about browser extensions,
how can organizations vet them to make sure that they're not going to have these sorts of problems?
I'll use the cliche and say it starts with visibility.
If you don't know what exists in your environment, which browsers are there,
which extensions they have, you're probably in the bad spot.
It's one of the most effective attack techniques a couple of years ago, according to Manda,
the third reason in terms of scope for account takeovers and intrusions on the identity level.
It's also a very low-hanging fruit for an attacker.
So we need to have visibility, but the visibility has to be continuous because attackers are changing the extensions on the fly.
An extension can be born benign and become malicious over a while.
So I'll call it a Shawshank Redemption, you know, process; it's kind of like, you know, digging a tunnel day by day.
The attacker is building an extension and adding a little bit of malicious code daily
until they get to good enough distribution and then they monetize.
So they're really aware of the limitations of an allow-list/block-list approach.
Eventually, you need to know which browsers you have, which extensions are there,
and also to understand which identities are exposed to them.
So not all identities are the same risk.
I'd say that the low-hanging fruit is to understand how users use browsers in the organization.
Users are able actually to import via agentless sign-in
their personal browser setting into the work device,
including all the extensions they have.
So you can actually import a bunch of malware instantly into your work device.
I think once you understand that and you have a basic inventory,
you define what's a reasonable use, what's not a reasonable use.
You can get to a pretty sweet balance between risk and productivity.
I think one of the challenges is that historically,
who used browser extensions?
So historically, the browser extensions that were really corporate legit were ad blockers, password managers, Grammarly, things of that sort.
But today you have like a million AI extensions out there and every user says they must use them.
And it's really becoming a headache for IT teams to approve or vet extensions over time.
I think visibility, context, continuous risk analysis can get you to blocking something that's probably more common in your environment than actual traditional malware.
Are we looking at behavioral detections here,
of trying to keep an eye on what these extensions are trying to do?
So you can't actually do that without being deployed in the browser,
unfortunately, but at the very least,
understanding what's there.
So I'll give you a point.
So let's say I'm as a CEO, I have the Salesforce extension on my browser.
Do you know how many extensions on the Chrome Marketplace are Salesforce something? They have Salesforce in their name, hundreds. And ChatGPT extensions,
thousands. So no one really says what's a real one, what's not a real one. You need to actually
check that. Is this a real Salesforce extension? Is this a real ChatGPT extension? Those are very,
very basic hygiene things you need to do on your environment. So you need to have visibility
into everything about those extensions and be able to block them based on risk, context,
reason and usage, things of that sort.
Yeah, it seems like an uphill battle here, as you say, the numbers are not in the defender's favor, it seems to me.
Well, unfortunately it is, but it's a brave new world.
Eventually, the traditional operating system is not as interesting as it used to be, even though we're going back to a device-centric world.
But what's really interesting is what's happening on top of the device, AI applications, browsers, IDEs, this is where employees spend most of their time.
Historically, I remember myself as a junior security analyst with more hair on my head, and everything was around files.
Is this a good file?
Is this a bad file?
Is this a data-rich file?
It's, you know, whatever.
And now everything is applicative.
Everything is dynamic.
Basically, extension is agentless.
In order to understand what it is, you need more context, and you need to really change the way you think about security.
That actually agent-less is more powerful and more risky to your organization.
Actually, it's agent-less malware.
So how do you recommend that security professionals strike that balance?
I mean, we can see that some of these extensions have utility,
and they do help people do their jobs better,
and yet we have this risk here.
So assuming that the question is how to do it, you know,
avoiding to buy a tool on the browser level,
the DIY method would be to restrict which browsers are approved in your organization.
And then you need visibility into the different plugins.
Chrome, Edge and soon Firefox have enterprise flavors, so they have management capabilities.
Other browsers don't have management capabilities.
You need to build it yourself using MDM or some sort of a security tool that you may have to buy.
Once you do that, you need routinely at least once a week to audit all the different extensions,
understand what's happening with their permissions, code, sandbox them, and to apply risk-based
classification.
Eventually in real life, the road bump you'll hit will be that not every extension
will say, hey, I'm malware.
It will say something like Amazon coupon code.
And then a security architect would not want to get in a face-to-face battle with some
sort of an employee, whether they should or shouldn't have that.
So understanding what's reasonable usage on your environment, on your devices, fleet, that's key.
Because if you decide that you don't waste time on things that are not work-related,
just avoid having all this, that other stuff, all that crap.
And if your culture says that everything is allowed,
the user is the champion of the organization,
you need to really scan nonstop everything in your environment
to understand what's risky.
Yeah, it really is striking a careful balance.
What you could do, actually, at LayerX,
we have a free extension media.
So about a big chunk of our database is actually exposed to the broad audience.
If you want to invest and scan,
and get for some sort of a risk scoring,
you actually do it on the LayerX site.
Search for LayerX extension PDF.
And that database is a combined database of Google and ourselves.
So it's two startups, one of them is 30 years old
and over a trillion dollars in worth, and LayerX,
but we have the largest database in the world
for browser extensions with risk scoring.
You can do that and then you can understand
what's going on in your environment.
Now hold on a second,
Or, are you suggesting that people install one of your extensions?
I mean, everyone is welcome to be a LayerX customer,
but I think I was on the other side.
I think it's my, I need as an entrepreneur in cybersecurity.
I need to always talk about what's the basics,
because it's a part of the community to be able to share.
And it was important for us to provide the basics of extension security for free for the entire world.
And eventually we built great relationships with customers.
So I'm not shy to say that.
We're happy to give away some for free.
Eventually, we understand that that's our way to prove credibility.
And many of those organizations then are interested to move on with us.
And sometimes it's a good conference and I meet people saying,
you know, they tell me, you know, I built an extension security framework for free using your extension
and then I'll tell them, you know, it's great, how much time do you spend on that?
And apparently they spend a lot of time.
And then eventually, you know, they do try to automate and they do reach out and they do engage with us.
So I feel very comfortable with where we are.
Yeah.
All right.
Well, Or, I think I have everything I need for our story here.
Is there anything I missed?
Anything I haven't asked you that you think is important to share?
I think one thing is the timing, the why now with AI.
Historically, companies were using all kinds of tools.
But, you know, every risk level, you have kind of like a long tail and a big mass.
The big mass is always really managed.
So think about SaaS security or identity security.
It's always said that the big mass is already secure by design, then you have a long tail.
With AI, I think something really, really changes that perspective.
One, it's really web-based.
It's really hard to catch that.
It's really interactive.
But users are very, very not model loyal.
So everyone is aware of what's the hottest new AI tool and everyone is experimenting.
Those tools are not very cheap.
So think about how you gain security.
You gain security by controlling the configurations, the backend controls, you tie them to an identity provider, you put them behind some sort of their reverse proxy.
You have all kinds of tools you can use.
But that's good for traditional SaaS.
Within AI, things change really fast.
And when I think about the cost of those licenses, paying about $400 a month for getting all of them for all your employees, that's a lot of money.
It's really, really a lot of money.
So most organizations actually buy only one or at most two AI platforms.
But the users use everything.
And sometimes they even use their personal webmail to sign into Claude or something of that sort.
And eventually it means that the long tail is actually bigger than the main body of that risk.
So AI just really fuels malicious extensions as a mechanism to create a very, very powerful intrusion by attackers.
That creates urgency.
Our thanks to Or Eshed from LayerX Security for joining us.
The research is titled How We Discovered a Campaign of 16 Malicious Extensions
Built to Steal ChatGPT Accounts.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Ibin.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
