18 Malicious AI Extensions Exposed: Unit 42 Details Email Spying and RAT Risks


Security researchers at Palo Alto Networks Unit 42 have identified 18 AI-powered browser extensions that, while marketed as productivity enhancers, actually serve as delivery mechanisms for Remote Access Trojans (RATs), Man-in-the-Middle (MitM) attacks, and infostealers. The investigation reveals that at least one of these extensions is capable of monitoring emails as they are being composed through passive observation of the Document Object Model (DOM). This discovery highlights a significant shift in the browser security perimeter, where users are granting high-level permissions to seemingly benign code.

Key Findings
  • Identification of 18 high-risk AI extensions with RAT, MitM, and DOM-based data exfiltration capabilities.
  • The "Chrome MCP Server" extension contained a RAT with a WebSocket-based Command and Control (C2) channel linked to an external domain.
  • The "Supersonic AI" extension utilized Adversary-in-the-Browser (AitB) techniques to harvest sensitive data directly from the rendered DOM.
  • Evidence of Large Language Model (LLM) generated code used to accelerate the production of the analyzed malware.
  • Google has taken action against the 18 flagged extensions, either removing them or issuing warnings to developers.

Chrome MCP Server: The '100% Local' Deception

Among the 18 extensions analyzed by Unit 42, "Chrome MCP Server" serves as a prime example of technical deception. Its official Chrome Web Store listing explicitly promised: "100% local processing - your data never leaves your browser." Despite this privacy pledge, technical analysis discovered a hardcoded WebSocket connection to wss://mcp-browser.qubecare.ai/chrome. This C2 channel effectively transformed the productivity tool into an unauthorized remote access terminal.

Further investigation revealed that Chrome MCP Server could execute more than 30 remote commands received from the attackers' server. One of its most dangerous features was the ability to execute arbitrary JavaScript using the new Function() constructor. This technique allows for the injection and execution of dynamic scripts within the user's browser context, bypassing many static security restrictions and allowing remote operators to manipulate active browsing sessions without leaving obvious traces.

The WebSocket-based architecture is particularly stealthy because it operates over the TLS protocol, making malicious C2 traffic nearly indistinguishable from legitimate encrypted web communications. Since the extension is already authorized within the browser process, its outbound connections rarely trigger perimeter firewall alerts. This allowed these 18 extensions to maintain persistent connections to their home servers without alerting corporate or domestic network monitoring systems.

Passive DOM Surveillance and AitB Attacks

A critical finding regarding these AI extensions is their ability to monitor emails during the drafting phase. This surveillance is achieved through passive observation of the Document Object Model (DOM)—the hierarchical structure representing a webpage's content. As a user types, the extension's content script reads the text from the editor in real-time. This technique enables the capture of sensitive information before it is sent or protected by end-to-end encryption.

The "Supersonic AI" extension took this approach further by implementing an Adversary-in-the-Browser (AitB) technique. Rather than intercepting network traffic where data might be encrypted, Supersonic AI scraped sensitive data directly from the rendered DOM in the browser window. Because the malware operates "behind" the encryption layer, it sees the content exactly as it appears to the user, making TLS protections irrelevant and rendering exfiltration both effective and difficult to detect.

The DOM access granted to these AI extensions allows for the interception of more than just text; it can capture trade secrets, proprietary code, or credentials shared with legitimate AI services. Because many of these 18 extensions are marketed as writing or productivity assistants, users are often inclined to grant the "Read and change all your data on the websites you visit" permission—a technical necessity for AI functionality that inadvertently opens the door to total surveillance.

The LLM Paradox: AI Powering Malware Development

The Unit 42 report highlights a concerning structural trend: the use of artificial intelligence not just as a lure, but as a development tool. In multiple samples across the 18 extensions, researchers identified code generated by Large Language Models (LLMs). This indicates that threat actors are actively employing AI to accelerate the production and diversification of malware, drastically shortening the time between a threat's conception and its deployment.

The integration of LLM-generated code poses significant challenges for signature-based detection. Language models can produce variants of the same malicious script that are functionally identical but morphologically different, reducing the effectiveness of traditional hash databases. While Unit 42 has not attributed these 18 extensions to a specific threat group, the systematic adoption of AI tools to build RATs and infostealers suggests an increasing professionalization of malicious campaigns within the browser extension ecosystem.

The distribution of these threats through official channels raises questions about the efficacy of automated review processes. Unit 42 confirmed it reported the 18 identified extensions to Google, which responded by removing several or issuing formal policy violation notices to the owners. However, the ability of attackers to mask malicious code behind attractive AI interfaces continues to be a primary risk for users looking to integrate new productivity tools into their workflows.

"That AI Extension Helping You Write Emails? It's Reading Them First" — Palo Alto Networks Unit 42

Security Recommendations

Given the nature of the threats identified by Unit 42, it is essential to move beyond traditional antivirus scanning and focus on granular permission management within the browser.

  1. Rigorous Extension Audits: Immediately review all installed browser extensions and remove any that demand full data access without a proven business necessity. Exercise extreme caution with AI tools from unknown publishers or those with limited reviews.
  2. Privilege Limitation: Use Group Policy Objects (GPO) or enterprise management configurations to restrict the installation of unapproved extensions. Implement blocklists, such as those provided by Google Chrome for Business, to prevent unverified scripts from running.
  3. DOM Integrity Monitoring: Evaluate endpoint security solutions (EDR/XDR) capable of detecting anomalous access to the DOM structure of sensitive webpages, which can signal AitB exfiltration attempts.
  4. Session Isolation: Use separate browser profiles or isolated containers for accessing corporate email and development platforms, ensuring no third-party extensions are active in these sensitive environments.
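
As an added illustration of recommendation 1 (not code from Unit 42 or from this article), the Python script below triages unpacked extensions for the combination described above: all-site host access together with dynamic code execution (new Function/eval) or a hardcoded WebSocket endpoint. The function names, the "review" rule and the sample extension, including its example.invalid endpoint, are constructed for this example.

```python
import json
import re
import tempfile
from pathlib import Path

# All-sites host patterns, plus static indicators for the behaviours described above.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DYNAMIC_CODE = re.compile(r"\bnew\s+Function\s*\(|\beval\s*\(")
WS_ENDPOINT = re.compile(r"wss?://[A-Za-z0-9.-]+(?::\d+)?[^\s\"'`)]*")


def broad_host_access(manifest):
    """Return all-sites patterns requested via MV2 or MV3 manifest keys."""
    requested = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted({p for p in requested if isinstance(p, str) and p in BROAD_HOSTS})


def audit_extension(ext_dir):
    """Audit one version directory; review = broad access AND (dynamic code OR socket)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    dynamic, sockets = [], set()
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        if DYNAMIC_CODE.search(text):
            dynamic.append(js.relative_to(ext_dir).as_posix())
        sockets.update(WS_ENDPOINT.findall(text))
    broad = broad_host_access(manifest)
    return {"name": manifest.get("name", ext_dir.name), "broad_hosts": broad,
            "dynamic_code": dynamic, "ws_endpoints": sorted(sockets),
            "review": bool(broad) and bool(dynamic or sockets)}


def audit_profile(extensions_root):
    """Chrome keeps extensions as <root>/<extension id>/<version>/manifest.json."""
    return [audit_extension(m.parent)
            for m in sorted(Path(extensions_root).glob("*/*/manifest.json"))]


def demo():
    """Audit one constructed extension written to a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        ext = Path(root, "constructed-id", "1.0_0")
        ext.mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps(
            {"name": "Constructed AI Helper", "host_permissions": ["<all_urls>"]}))
        (ext / "bg.js").write_text(
            'new WebSocket("wss://c2.example.invalid/chrome"); new Function("return 1");\n')
        return audit_profile(root)
```

Point audit_profile() at a Chrome profile's Extensions directory to run it on real data. A "review" hit is a prompt for manual inspection rather than a verdict, since legitimate extensions also open WebSockets.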

Strategic Implications

The case of the 18 AI extensions flagged by Unit 42 marks a critical transition in cybersecurity: the browser is no longer just a gateway to the web, but the final target where data is processed in the clear. Passive DOM surveillance demonstrates that attackers have learned to bypass network defenses by focusing on the "last mile"—the user interface. Here, protection relies not on protocol encryption, but on the trust placed in the scripts operating within the page.

The inclusion of RATs and WebSocket-based remote commands suggests these threats aim for more than one-time data theft; they seek to establish persistence within corporate networks via the user's device. The ability of the Chrome MCP Server to execute over 30 remote commands provides attackers with unprecedented operational flexibility, allowing them to adapt their attacks in real-time based on the information gathered during passive observation.

Finally, the use of AI-generated code to build these threats highlights a paradox: the same technology that promises to boost productivity is being used to build malware. The speed of production enabled by LLMs forces defenders to adopt equally rapid, automated responses. Without recalibrating the trust model for browser extensions, the risk of sensitive data exfiltration during the simple act of typing an email remains a structural vulnerability.

The information in this article is based on the original research report by Palo Alto Networks Unit 42 regarding threats in AI browser extensions.

Facts have been verified against cited sources and were accurate at the time of publication.
