Last updated: July 5, 2026 at 9:01 AM UTC
Tag: chrome-extension (2 articles)

Malicious Perplexity look-alike extension logged every search and keystroke typed

Microsoft found a malicious Chrome extension impersonating the AI search engine Perplexity that quietly logged users' searches and address-bar input. Calling itself "Search for perplexity ai" and using a look-alike domain, it set itself as the default search engine and routed every query through an attacker server, which logged it with the user's IP and browser details before redirecting to a real engine so results looked normal. Worse, it also pointed the browser's live search suggestions at the attacker, so each character typed in the address bar was sent before the user even pressed Enter. Microsoft found no password theft, but far more access than a search tool needs. Google removed it.

Check
Check whether anyone installed the 'Search for perplexity ai' extension, confirm the default search engine has not been changed, and watch for browser traffic to unfamiliar look-alike domains imitating AI services.
Affected
Users who installed the fake Perplexity extension; their searches and every character typed into the address bar were sent to an attacker-controlled server, exposing potentially sensitive queries and browsing intent.
Fix
Remove the extension, reset the default search engine, and allow only approved extensions through browser policy. Treat AI-branded tools with extra suspicion and verify the publisher and domain before installing anything.

Chrome ad blocker with 10 million installs hides dormant code-injection capability

Researchers at Island found that a popular Chrome extension, "Adblock for YouTube," with more than 10 million installs and a Featured badge, contains the machinery to run arbitrary JavaScript on any website the user visits. The extension works as advertised, but it can fetch a rule from its server that creates script elements with attacker-supplied content, giving access to page data, sessions, and forms. The capability is dormant, not absent: switching it on takes a single server-side change, with no extension update and no store review. The add-on changed ownership years ago, requests access to all sites, and is linked to other extensions previously pulled for malware.

Check
Inventory browser extensions across the organization, flag high-permission ones like ad blockers that request access to all sites, and identify extensions that fetch configuration or rules from external servers.
Affected
Anyone using the 'Adblock for YouTube' Chrome extension or similar high-install add-ons with all-site access and server-controlled logic; a single server change could turn them into code-injection tools.
Fix
Remove or restrict extensions whose permissions exceed their purpose, prefer those with self-contained rules over server-controlled ones, enforce an extension allowlist, and monitor for ownership and permission changes.
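
The inventory checks in both entries above can start from the extension manifests on disk. This added example (not code from Microsoft, Island or this page) flags extensions whose manifest declares all-site access or overrides the default search engine and suggestion URL. The sample manifests and example.invalid domains are constructed, and the `<profile>/Extensions/<id>/<version>/` layout is assumed to be Chrome's standard one.

```python
import json
from pathlib import Path

# Host patterns that grant an extension access to every site.
ALL_SITE = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(items):
    # MV2 "permissions" may hold objects as well as strings; keep strings only.
    return {i for i in items or [] if isinstance(i, str)}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = _strings(manifest.get("host_permissions")) | _strings(manifest.get("permissions"))
    for script in manifest.get("content_scripts") or []:
        hosts |= _strings(script.get("matches"))
    if hosts & ALL_SITE:
        findings.append("all-site access")
    provider = (manifest.get("chrome_settings_overrides") or {}).get("search_provider") or {}
    if provider.get("is_default"):
        findings.append("default search -> " + str(provider.get("search_url")))
    if provider.get("suggest_url"):
        findings.append("suggestions -> " + str(provider["suggest_url"]))
    return findings

def audit_profile(extensions_dir):
    """Audit <profile>/Extensions/<extension id>/<version>/manifest.json files."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError):
            findings = ["unreadable manifest"]
        if findings:
            report[path.parent.parent.name] = findings
    return report

# Constructed manifests (not the real extensions'); domains are placeholders.
SAMPLE_SEARCH = {"manifest_version": 3, "name": "constructed search helper",
    "chrome_settings_overrides": {"search_provider": {
        "name": "constructed", "keyword": "cs", "is_default": True,
        "search_url": "https://search.example.invalid/?q={searchTerms}",
        "suggest_url": "https://search.example.invalid/s?q={searchTerms}"}}}
SAMPLE_BLOCKER = {"manifest_version": 3, "name": "constructed blocker", "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for sample in (SAMPLE_SEARCH, SAMPLE_BLOCKER):
        print(sample["name"], audit_manifest(sample))
```

Rules fetched from a server at runtime, as described for the ad blocker, are not declared in a manifest, so a clean result here does not rule them out.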