How are Chrome extensions stealing API keys?
What researchers found and why it matters
Security investigators uncovered a wave of malicious Chrome extensions that masquerade as helpful AI assistants but harvest sensitive data from users. More than 30 extensions were identified that appear to have been installed by at least 260,000 users; those add‑ons collect material such as API keys, email addresses, and other private information. Other research complements this finding, reporting hundreds of sketchy extensions that exfiltrate browsing histories and telemetry to dozens of external recipients.
This is important because developers and end users increasingly paste API keys, tokens, or credentials into web-based tools and editor plugins. A malicious extension with broad permissions can read page content, intercept typed input, or inject scripts that scrape and upload secrets—effectively turning a browser extension into a silent bridge to attackers.
Common attack patterns observed
- Extensions present themselves as AI chatbots or developer helpers to win trust.
- Once granted permissions, they read page content and form fields that can contain API keys, session tokens, or email addresses.
- Harvested data is aggregated and forwarded to remote servers controlled by the extension author or third parties.
How users and teams should respond
- Audit installed extensions and remove anything you don’t recognize.
- Rotate exposed API keys and credentials immediately if you suspect compromise.
- Limit extension permissions: only grant access to sites that require it.
- Install extensions from trusted vendors and check reviews and source code where available.
- For organizations, enforce extension whitelists and use enterprise browser policies to block unknown add‑ons.
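One way to run the audit and permission review described above, as an added example that is not from the researchers or from Chrome itself: it reads each installed extension's `manifest.json` and reports broad host access and sensitive API permissions. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`; the two permission sets are a selection chosen for illustration and the sample manifest is constructed.

```python
import json
from pathlib import Path

# Match patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that allow reading pages, cookies, history or traffic (illustrative selection).
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest", "scripting",
                  "clipboardRead", "debugger"}

def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])  # Manifest V3 host access
    declared += manifest.get("optional_host_permissions", [])
    for entry in declared:
        if not isinstance(entry, str):
            continue  # some manifests carry object-valued permission entries
        if entry in BROAD_HOSTS:
            findings.add(f"broad host access: {entry}")
        elif entry in SENSITIVE_APIS:
            findings.add(f"sensitive API: {entry}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.add(f"content script on all sites: {pattern}")
    return sorted(findings)

def audit_profile(extensions_dir):
    """Map extension ID to findings for every manifest under an Extensions directory."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
        findings = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if findings:
            report[path.parent.parent.name] = findings  # directory name is the extension ID
    return report

# Constructed sample manifest (not taken from any real extension).
SAMPLE = {"manifest_version": 3, "name": "Example AI Helper",
          "permissions": ["storage", "scripting"],
          "host_permissions": ["<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

An extension that appears in the report is not necessarily malicious; the findings identify which add-ons can read every page and therefore deserve review first.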
Researchers have documented scale and techniques, but the full list of affected extensions and the long‑term impact on stolen assets remain incomplete. Users who rely on web IDEs or cloud consoles, or who paste credentials into browser pages, should assume elevated risk and take the precautionary steps above.