Overview
- LayerX traced a coordinated AiFrame campaign using 30‑plus AI‑branded Chrome add‑ons with roughly 260,000 installs that embed server‑hosted iframes to exfiltrate page content and even voice transcripts.
- Researchers reported a shared backend and command infrastructure for AiFrame, including subdomains under tapnetic.pro, as well as re‑uploads under new IDs to survive takedowns.
- Separately, the Q Continuum team analyzed about 32,000 popular extensions and identified 287 that transmit browsing data to external servers, potentially affecting around 37.4 million users.
- The audit used a controlled Chrome setup with a man‑in‑the‑middle proxy and flagged extensions whose outbound traffic rose in step with URL length; a detailed 260‑page report and GitHub lists were published.
- Named examples in the data‑sending set include Avast Online Security & Privacy, Stands AdBlocker, and Monica: ChatGPT AI Assistant, though inclusion does not by itself prove malicious intent.
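
The URL-length correlation described for the audit, as an added example that is not the researchers' code: it fits outbound bytes against visited URL length per extension and flags those with a steep, tight linear fit. The record layout, the extension labels and the thresholds (`min_slope`, `min_r`, `min_points`) are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: (extension label, visited URL length, outbound bytes seen at the proxy).
SAMPLES = [
    ("ext-a", 40, 512), ("ext-a", 400, 530), ("ext-a", 1200, 505), ("ext-a", 2400, 520),
    ("ext-b", 40, 310), ("ext-b", 400, 672), ("ext-b", 1200, 1468), ("ext-b", 2400, 2671),
    ("ext-c", 40, 220), ("ext-c", 400, 705), ("ext-c", 1200, 1770), ("ext-c", 2400, 3372),
]

def fit(points):
    """Least-squares slope and Pearson r of outbound bytes against URL length."""
    xs, ys = zip(*points)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    if sxx == 0 or syy == 0:
        return 0.0, 0.0  # no variation on one axis: nothing to correlate
    return sxy / sxx, sxy / (sxx * syy) ** 0.5

def flag_leaky(samples, min_slope=0.5, min_r=0.95, min_points=3):
    """Return {extension: (slope, r)} where traffic grows in step with URL length.

    Thresholds are assumed values for illustration, not taken from the report.
    """
    by_ext = defaultdict(list)
    for ext, url_len, out_bytes in samples:
        by_ext[ext].append((url_len, out_bytes))
    flagged = {}
    for ext, pts in by_ext.items():
        # Require several distinct URL lengths so two points cannot fake a line.
        if len({x for x, _ in pts}) < min_points:
            continue
        slope, r = fit(pts)
        if slope >= min_slope and r >= min_r:
            flagged[ext] = (round(slope, 2), round(r, 3))
    return flagged

if __name__ == "__main__":
    for ext, (slope, r) in flag_leaky(SAMPLES).items():
        print(f"{ext}: {slope} bytes per URL char, r={r}")
```

A flag from this check says only that outbound volume tracks URL length; as with the named extensions above, it does not by itself establish intent.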