AI Productivity Facade: 18 Malicious Extensions Discovered with RAT and MitM Capabilities

In a technical report released on April 30, 2026, Palo Alto Networks’ Unit 42 exposed a cluster of 18 high-risk AI browser extensions. These tools, active through late April 2026, use the lure of generative AI productivity features to attract targets. The technical impact is significant: the 18 variants span six distinct malware categories capable of exfiltrating sensitive data in real time during active browsing sessions.

Behind a facade of utility, these extensions hide highly dangerous malicious capabilities. Researchers found that these tools establish persistent command-and-control (C2) channels and monitor private communications. The threat includes the ability to siphon sensitive data directly from the browser's Document Object Model (DOM), specifically targeting user emails as they are being composed.

The analyzed campaign exploits the growing trust in artificial intelligence tools. However, the immediate risk is confined to these 18 variants, which require excessive permissions to act as client-side attack vectors. These extensions effectively bypass network controls by operating directly where data is decrypted for user viewing, rendering standard perimeter defenses ineffective.

Key Takeaways
  • Malware Classification: Unit 42 categorized the 18 extensions into six distinct malware types, including Remote Access Trojans (RATs), Meddler-in-the-Middle (MitM) tools, and infostealers.
  • Remote Control via WebSocket: The "Chrome MCP Server" extension establishes a persistent C2 channel to wss://mcp-browser.qubecare.ai/chrome and can execute over 30 remote commands.
  • Email Surveillance: The Supersonic AI sample functions as an Adversary in the Browser (AitB), extracting sensitive data from emails and input fields during typing.
  • AI-Assisted Malware Development: Analyzed samples contain code clearly generated by Large Language Models (LLMs), indicating that threat actors are using AI to accelerate malware production.

Deceptive Marketing and Permission Abuse

The identified extensions were distributed via the official Chrome Web Store using descriptions designed to reassure users. One emblematic example cited in the report claimed: "100% local processing - your data never leaves your browser." Technical analysis by Unit 42 categorically debunked these claims, revealing constant exfiltration to attacker-controlled remote servers.

To deliver on their fraudulent promises, these tools requested extreme system privileges. These included access to all data on visited websites (<all_urls>), activation of the Chrome debugger, and the ability to execute arbitrary scripts. Such permissions grant the extension near-unlimited power over the user's browsing session, allowing for real-time manipulation of web pages.

When left unmonitored, the permission system allows these 18 malicious variants to operate undisturbed behind a professional veneer. By granting these authorizations, users inadvertently allow malware to read already-decrypted HTTPS responses. This dynamic transforms a productivity tool into a privileged observation post for identity theft and the harvesting of banking credentials.

"We found 18 AI browser extensions marketed as productivity tools that are not as they seem." — Palo Alto Networks Unit 42 (April 2026 Report)

Technical Analysis: Chrome MCP Server and C2 Infrastructure

The extension identified by ID fpeabamapgecnidibdmjoepaiehokgda, named "Chrome MCP Server - AI Browser Control," represents one of the most critical cases. Its source code includes a hardcoded WebSocket connection to wss://mcp-browser.qubecare.ai/chrome. This connection features automatic reconnection mechanisms, ensuring persistence that survives browser restarts or session timeouts.

Through this WebSocket channel, the C2 server can issue over 30 different operational commands. Among the most dangerous is handleExecuteScript. This function receives JavaScript code strings from the remote server and executes them via the new Function() pattern within the context of the active tab, where the user is already authenticated.

This specific technique allows for arbitrary code execution while the user interacts with critical services such as banking or webmail. The attacker can interact with accounts using valid cookies and session tokens without needing to steal initial passwords. By operating inside the browser, the malicious activity appears as legitimate traffic, making it difficult to distinguish user activity from malware actions.

Furthermore, the extension can hook into the Chrome Debugger Protocol. This functionality is abused to inspect network traffic and read sensitive data exchanged via HTTPS before it is rendered. This method effectively bypasses Transport Layer Security (TLS) encryption, as data is captured at the point where the browser has already decrypted it for the user.
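The three behaviours described in this section (a hardcoded WebSocket endpoint, dynamic execution through new Function(), and use of the debugger API) can be searched for when reviewing an unpacked extension's JavaScript. The following is an added example, not code from the Unit 42 report or from any analysed sample; the regexes, function names and the constructed fragments are this example's own assumptions.

```python
import re

# Patterns for the three behaviours described above; the regexes are this example's own choice.
INDICATORS = {
    "hardcoded-websocket": re.compile(r"""new\s+WebSocket\s*\(\s*["']wss?://[^"']+["']"""),
    "dynamic-code-exec": re.compile(r"\bnew\s+Function\s*\(|\beval\s*\("),
    "debugger-api": re.compile(r"\bchrome\.debugger\.\w+"),
}

def triage_source(js_text):
    """Map each indicator to the (line number, matched text) pairs found in one JS file."""
    hits = {}
    for lineno, line in enumerate(js_text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            # finditer so that minified, single-line bundles report every match
            for m in rx.finditer(line):
                hits.setdefault(name, []).append((lineno, m.group(0)))
    return hits

def verdict(hits):
    """A remote channel plus dynamic execution is the RAT pattern; the rest needs a human look."""
    if "hardcoded-websocket" in hits and "dynamic-code-exec" in hits:
        return "remote-code-channel"
    if "debugger-api" in hits:
        return "traffic-inspection-capable"
    return "review" if hits else "no-indicators"

# Constructed fragments for illustration, not code from any analysed sample.
SUSPECT = '''
const ws = new WebSocket("wss://c2.example.invalid/chrome");
const run = new Function(msg.code);
chrome.debugger.attach({ tabId }, "1.3");
'''
BENIGN = '''
const ws = new WebSocket(settings.syncUrl);
document.title = "Notes";
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = triage_source(src)
        print(label, verdict(hits), sorted(hits))
```

A match is a reason to read the surrounding code, not proof of malice: bundlers and legitimate developer tools also use these constructs.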

Supersonic AI and Passive DOM Surveillance

A different approach is utilized by the "Supersonic AI" extension (ID: eebihieclccoidddmjcencomodomdoei). Rather than acting as an aggressive RAT, this software functions as an Adversary in the Browser (AitB) focused on silent exfiltration. Unit 42 describes its behavior as a form of passive surveillance targeting user-generated content.

As officially reported, one of the 18 threats is capable of "surveilling your emails as you compose them." This is achieved by observing the Document Object Model (DOM), the structure of the rendered web page. By reading input fields directly in the DOM, the extension captures text, recipients, and attachments in real time, before the email is actually sent to the legitimate server.

The theft of prompts sent to other AI platforms is another documented objective. Because many users enter confidential corporate data into AI chatbots, these extensions intercept that information at the source. The data is exfiltrated before it ever reaches the intended AI platform's servers, exposing trade secrets and sensitive personal data temporarily stored in the browser.

Threat Actors Leverage AI to Accelerate Malware Development

Unit 42’s analysis revealed that many of the 18 samples contained code clearly generated by LLMs. Threat actors are utilizing the same AI tools they mimic to accelerate malware development. This allows for the rapid production of malicious variants compared to traditional manual development methods.

While the responsibility for the attacks remains human, the use of AI acts as a productivity multiplier for cybercriminals. This enables them to populate official stores with tools that perfectly mimic legitimate extensions. Unit 42 promptly reported all 18 extensions to Google, which responded by removing some samples or issuing warnings for security policy violations.

Mitigation and Security Recommendations

To mitigate the risk posed by these 18 extensions and similar future threats, granular security measures focusing on local browser control are necessary.

  • Immediate Extension Audit: Verify the presence of the IDs flagged in the report, such as fpeabamapgecnidibdmjoepaiehokgda and eebihieclccoidddmjcencomodomdoei, and remove them immediately if found.
  • Strict Permission Enforcement: Configure extension access to "on specific sites" rather than "on all sites." This technically prevents a tool from reading data on sensitive tabs like banking or corporate email unless explicitly authorized.
  • Enterprise Allow-listing Policies: Organizations should implement group policies to block the installation of any extension not pre-approved. Every AI tool must pass an internal security review before deployment.
  • Monitor Debugger Protocol Usage: Check if installed extensions require debugging permissions. This privilege is a critical red flag and should only be granted in isolated development environments.
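
The audit steps above (flagged IDs, all-sites access, debugger permission) can be run against the manifests of installed extensions. This is an added example, not tooling from Unit 42 or Google; the function names and finding labels are its own, the ID set holds only the two IDs named on this page, and the sample manifest is constructed.

```python
import json
from pathlib import Path

# The two IDs named on this page; the remaining flagged IDs are in the Unit 42 report.
FLAGGED_IDS = {"fpeabamapgecnidibdmjoepaiehokgda", "eebihieclccoidddmjcencomodomdoei"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(value):
    """Manifest lists can hold non-string entries; keep only the strings."""
    return {v for v in value or [] if isinstance(v, str)}

def audit_manifest(ext_id, manifest):
    """Return sorted findings for one manifest (Manifest V2 or V3)."""
    perms = _strings(manifest.get("permissions")) | _strings(manifest.get("optional_permissions"))
    # V3 lists hosts under host_permissions; V2 mixes them into permissions.
    hosts = perms | _strings(manifest.get("host_permissions"))
    hosts |= _strings(manifest.get("optional_host_permissions"))
    for script in manifest.get("content_scripts") or []:
        hosts |= _strings(script.get("matches"))
    findings = set()
    if ext_id in FLAGGED_IDS:
        findings.add("flagged-id")
    if "debugger" in perms:
        findings.add("debugger")
    if hosts & BROAD_HOSTS:
        findings.add("all-sites-access")
        if "scripting" in perms:
            findings.add("script-injection-on-all-sites")
    return sorted(findings)

def scan_extensions_dir(root):
    """Audit every <root>/<extension id>/<version>/manifest.json (Chrome's on-disk layout)."""
    report = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable-manifest"]
            continue
        findings = audit_manifest(ext_id, manifest)
        if findings:
            report[ext_id] = findings
    return report

# Constructed manifest for illustration, not taken from any analysed sample.
SAMPLE = {"manifest_version": 3, "name": "AI helper (constructed)",
          "permissions": ["debugger", "scripting", "tabs"], "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    print(audit_manifest("a" * 32, SAMPLE))
```

Point scan_extensions_dir at a profile's Extensions folder, for example ~/.config/google-chrome/Default/Extensions on Linux or %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows.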

Context and Industry Impact

The identification of these 18 extensions highlights a structural vulnerability in the browser ecosystem. While Google intervenes to remove samples after reporting, the latency between publication and identification creates a critical exposure window. Because these tools operate after TLS termination, data remains vulnerable regardless of network connection security.

For enterprises, the primary risk is the leak of unstructured data, such as emails and AI prompts, which are stolen entirely within the browser. Digital perimeter protection must therefore evolve toward the local inspection of extensions. Adhering to the principle of least privilege remains the most effective defense against actors who automate malware creation via artificial intelligence.
