Browser extensions are powerful tools that can improve productivity, add new features, and customize how you use the internet. Many people install extensions for tasks such as translation, email writing assistance, password management, or AI-powered tools. However, the same features that make extensions useful can also make them dangerous if they fall into the wrong hands.
Security researchers recently discovered a large group of malicious Chrome extensions designed to steal login credentials. These extensions were installed by more than 260,000 users before being identified as harmful. The incident highlights a growing cybersecurity threat within browser extension marketplaces, including the Chrome Web Store.
The following guide explains how these malicious extensions work, how attackers spread them, and how you can find and remove suspicious extensions from your Chrome browser.
The Growing Threat of Malicious Chrome Extensions
Browser extensions operate with deep access to webpages and browser data. When installed, they often request permissions that allow them to read website content, modify pages, or monitor browsing behavior.
Because of these permissions, a malicious extension can potentially capture:
- Login usernames and passwords
- Email content
- Personal data entered into forms
- Website activity and browsing habits
Cybercriminals increasingly exploit this access by disguising harmful extensions as legitimate tools. Many malicious plugins pretend to offer useful features such as AI assistants, translators, or productivity helpers.
Users often install these tools without realizing they are giving attackers access to sensitive information.
How the Credential-Stealing Extensions Worked
The newly discovered extensions used a clever technique to steal user credentials. Instead of performing malicious actions directly inside the extension code, they loaded a remote interface using a full-screen iframe.
An iframe is essentially a webpage embedded inside another webpage. In this case, the iframe displayed an interface that appeared to belong to the extension itself.
This interface covered the entire screen and looked like a normal extension feature panel. However, the content actually came from an external server controlled by the attackers.
Because the malicious functionality was hosted remotely rather than inside the extension files, it avoided detection during the Chrome Web Store review process. When Google reviewed the extension submission, the harmful code was not present in the package being analyzed.
Once users installed the extension, the iframe loaded the attacker’s content and began collecting credentials entered into websites.
Attackers Used “Extension Spraying” to Avoid Detection
To maximize their reach and avoid being quickly removed, attackers used a distribution tactic called extension spraying.
This technique involves releasing many versions of essentially the same malicious extension. Each version uses a different name and a different extension identifier.
Instead of relying on one extension that might quickly be flagged and removed, attackers create dozens of similar versions. If one is taken down, others remain active and continue infecting users.
This strategy also makes it harder for users to identify whether they installed the harmful extension because different names may appear legitimate.
Why Extension Names Alone Are Not Reliable
When researchers publish lists of dangerous extensions, they often include the extension names and identifiers. However, relying on the extension name alone can be misleading.
Names in the Chrome Web Store are not unique. This means two extensions can share identical names while being completely unrelated.
For example, a malicious extension might copy the name of a legitimate AI assistant or translator. If you search your installed extensions by name only, you may mistakenly think you have the malicious version even if you installed the real one.
For this reason, cybersecurity experts recommend checking the extension ID instead.
What Is a Chrome Extension ID
Every Chrome extension has a unique identifier known as an extension ID. This identifier is a 32-character string composed of lowercase letters.
Unlike extension names, this ID never changes. Even if the extension is renamed or republished in the Chrome Web Store, the identifier remains the same.
Because of this, the extension ID is the most reliable way to determine whether a specific extension is installed on your browser.
Checking Installed Chrome Extensions
If you want to see which extensions are currently installed in Chrome, you can easily open the extensions management page.
Follow these steps to access the extensions list.
- Open Google Chrome.
- Click inside the address bar.
- Type the following address:
chrome://extensions/
- Press Enter.
The Extensions page will appear and display every extension installed in your browser.
Each entry includes the extension name, icon, description, and available controls such as enable, disable, or remove.
Revealing Extension IDs Using Developer Mode
By default, Chrome only displays extension names. To see the unique identifier for each extension, you need to enable Developer mode.
Here is how to do it.
- Open the Extensions page.
- Look for the Developer mode toggle in the upper-right corner.
- Turn the toggle on.
Once Developer mode is enabled, additional information becomes visible for each extension. This includes the extension ID.
You can now compare the IDs shown in your browser with lists of known malicious extensions reported by researchers.
This method allows you to accurately identify whether a dangerous extension is present in your system.
Removing Suspicious Extensions from Chrome
If you find an extension that you do not recognize or that appears on a malicious extension list, you should remove it immediately.
To remove an extension:
- Open the Extensions page.
- Locate the suspicious extension.
- Click the Remove button.
- Confirm the removal.
Once removed, restart Chrome to ensure the extension does not reappear.
If the extension disappears and stays removed after the restart, it has been successfully deleted.
When Chrome Says an Extension Is “Installed by Administrator”
Sometimes you may encounter a situation where the Remove button is missing. Instead, Chrome may display a message stating that the extension is Installed by your administrator.
This typically means the extension was forced into the browser through another mechanism, such as:
- Group Policy settings
- Malware infection
- Corporate network policies
- System registry modifications
In these cases, simply removing the extension through Chrome may not work because the system configuration reinstalls it automatically.
Investigating these cases may require removing malicious policies or scanning the computer for malware.
Finding Extensions in the Chrome File Directory
Another method of locating extensions is to inspect the Chrome extensions folder directly on your computer.
On Windows systems, Chrome stores extension files in the following directory:
C:\Users\<your-username>\AppData\Local\Google\Chrome\User Data\Default\Extensions
The AppData folder is hidden by default, so you may need to enable hidden file viewing in File Explorer.
To reveal hidden files:
- Open File Explorer.
- Click the View tab.
- Check the box labeled Hidden items.
Once visible, navigate to the Extensions folder.
Inside this directory, each extension is stored within a folder named after its unique extension ID. These folder names correspond directly to the identifiers displayed in the Chrome Extensions page.
Sorting the list alphabetically can make it easier to locate specific extension IDs.
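Because every folder in that directory is named after an extension ID, the comparison against a published list (the step described under Developer mode above) can be done from the file system as well. The following script is an added example, not code from the article or from Google: it walks an Extensions folder, keeps only folder names shaped like an extension ID, reads each extension's name from its manifest.json, and flags any ID found in a blocklist. The blocklist holds two IDs from the table on this page; the directory it scans is a constructed sample built in a temporary folder, and the Windows path helper assumes the LOCALAPPDATA environment variable is set as it is on a normal Windows profile.

```python
import json, os, re, tempfile
from pathlib import Path

# Extension IDs are 32 lowercase letters (Chrome uses only a-p); other folder names are skipped.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Blocklist for this example: two IDs taken from the table on this page.
KNOWN_BAD = {"acaeafediijmccnjlokgcdiojiljfpbe",   # ChatGPT Translate
             "baonbjckakcpgliaafcodddkoednpjgf"}   # XAI

def default_extensions_dir():
    # The Windows path from the article; LOCALAPPDATA supplies the C:\Users\<you>\AppData\Local part.
    base = Path(os.environ.get("LOCALAPPDATA", ""))
    return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"

def extension_name(ext_dir):
    """Name from the first version folder's manifest.json (localized names show as __MSG_..__)."""
    for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        manifest = version_dir / "manifest.json"
        if manifest.is_file():
            try:
                return json.loads(manifest.read_text(encoding="utf-8")).get("name", "<no name>")
            except (OSError, ValueError):
                return "<unreadable manifest>"
    return "<no manifest>"

def scan_extensions(ext_root, blocklist=KNOWN_BAD):
    """Return (id, name, flagged) for every ID-shaped folder under ext_root, sorted by ID."""
    if not ext_root.is_dir():
        return []
    return [(e.name, extension_name(e), e.name in blocklist)
            for e in sorted(ext_root.iterdir())
            if e.is_dir() and EXT_ID_RE.match(e.name)]

def build_sample_dir():
    """Constructed sample (not real data) that mimics Chrome's Extensions folder layout."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    sample = {"acaeafediijmccnjlokgcdiojiljfpbe": "ChatGPT Translate",  # ID from the page's table
              "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Harmless Example"}   # constructed benign ID
    for ext_id, name in sample.items():
        version_dir = root / ext_id / "1.0_0"      # Chrome nests files under a version folder
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps({"name": name}), encoding="utf-8")
    (root / "Temp").mkdir()                          # non-ID folder that must be ignored
    return root

if __name__ == "__main__":
    # Swap build_sample_dir() for default_extensions_dir() to scan a real Windows profile.
    for ext_id, name, flagged in scan_extensions(build_sample_dir()):
        print("FLAGGED" if flagged else "ok     ", ext_id, name)
```

Chrome keeps a separate Extensions folder for each browser profile beside Default (for example Profile 1), so a complete check runs the scan once per profile folder.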
The Problem with Deleting Extension Folders Manually
Although it is technically possible to remove extensions by deleting their folders from this directory, doing so may cause unexpected results.
When you delete the folder manually, Chrome loses access to the extension’s files. As a result, the extension will stop functioning.
However, Chrome may still display the extension entry inside the Extensions page even though its files are missing. This creates what is known as an orphaned extension entry.
The extension icon will disappear and the extension will no longer run, but its listing may remain visible in the browser.
Because of this issue, removing extensions through Chrome’s built-in interface is generally the safer and cleaner option.
Known Credential-Stealing Extensions Identified by Researchers
Researchers identified multiple extensions that used the iframe credential-stealing method. These extensions often posed as AI assistants, translation tools, or chatbot integrations.
The following table shows the known extension identifiers and their names.
Known Credential-Stealing Chrome Extensions
| No. | Extension Name | Extension ID |
|---|---|---|
| 1 | ChatGPT Translate | acaeafediijmccnjlokgcdiojiljfpbe |
| 2 | XAI | baonbjckakcpgliaafcodddkoednpjgf |
| 3 | AI For Translation | bilfflcophfehljhpnklmcelkoiffapb |
| 4 | AI Cover Letter Generator | cicjlpmjmimeoempffghfglndokjihhn |
| 5 | AI Email Writer | ckicoadchmmndbakbokhapncehanaeni |
| 6 | AI Image Generator Chat GPT | ckneindgfbjnbbiggcmnjeofelhflhaj |
| 7 | AI Translator | cmpmhhjahlioglkleiofbjodhhiejhei |
| 8 | AI Wallpaper Generator | dbclhjpifdfkofnmjfpheiondafpkoed |
| 9 | AI Sidebar | djhjckkfgancelbmgcamjimgphaphjdl |
| 10 | Chat With Gemini | ebmmjmakencgmgoijdfnbailknaaiffh |
| 11 | AI Picture Generator | ecikmpoikkcelnakpgaeplcjoickgacj |
| 12 | Google Gemini | fdlagfnfaheppaigholhoojabfaapnhb |
| 13 | ChatGPT Picture Generator | flnecpdpbhdblkpnegekobahlijbmfok |
| 14 | Email Generator AI | fnjinbdmidgjkpmlihcginjipjaoapol |
| 15 | Chat GPT for Gmail | fpmkabpaklbhbhegegapfkenkmpipick |
| 16 | Gemini AI Sidebar | fppbiomdkfbhgjjdmojlogeceejinadg |
| 17 | Llama | gcfianbpjcfkafpiadmheejkokcmdkjl |
| 18 | Grok Chatbot | gcdfailafdfjbailcdcbjmeginhncjkb |
| 19 | AI Sidebar | gghdfkafnhfpaooiolhncejnlgglhkhe |
| 20 | Ask Gemini | gnaekhndaddbimfllbgmecjijbbfpabc |
| 21 | DeepSeek Chat | gohgeedemmaohocbaccllpkabadoogpl |
| 22 | AI Letter Generator | hgnjolbjpjmhepcbjgeeallnamkjnfgi |
| 23 | ChatGPT Translation | idhknpoceajhnjokpnbicildeoligdgh |
| 24 | AI GPT | kblengdlefjpjkekanpoidgoghdngdgl |
| 25 | DeepSeek Download | kepibgehhljlecgaeihhnmibnmikbnga |
| 26 | AI Message Generator | lodlcpnbppgipaimgbjgniokjcnpiiad |
| 27 | ChatGPT Sidebar | llojfncgbabajmdglnkbhmiebiinohek |
| 28 | Chat Bot GPT | nkgbfengofophpmonladgaldioelckbe |
| 29 | AI Assistant | nlhpidbjmmffhoogcennoiopekbiglbp |
| 30 | Asking Chat Gpt | phiphcloddhmndjbdedgfbglhpkjcffh |
| 31 | ChatGBT | pgfibniplgcnccdnkhblpmmlfodijppg |
| 32 | Grok | cgmmcoandmabammnhfnjcakdeejbfimn |
These examples demonstrate how attackers frequently exploit the popularity of artificial intelligence tools to trick users into installing malicious extensions. Many of the extension names imitate well-known AI services such as ChatGPT, Gemini, Grok, and DeepSeek.
Users should always verify extension developers and check permissions before installing browser add-ons.