Malicious Chrome extensions steal data and ChatGPT tokens

Researchers uncovered malicious Google Chrome extensions that hijack affiliate traffic, harvest data and even steal OpenAI ChatGPT tokens. Some impersonate HR/ERP tools (e.g., Workday/NetSuite) to increase trust, then exfiltrate cookies and credentials. Recommended actions include allowlisting, permission reviews, removing untrusted add-ons, and monitoring for suspicious extension activity across fleets. Enterprises should use Chrome Enterprise/Edge management to block risky extensions and enforce policies.

When a “helpful” extension helps itself to your data

Security researchers found several malicious Chrome extensions that do more than tidy tabs. According to THN, these add-ons hijack affiliate links, exfiltrate data and can steal OpenAI ChatGPT tokens—handy if you fancy reading someone else’s chats. Some dress up as legit HR/ERP tools (think Workday/NetSuite), then quietly siphon cookies and credentials.
Why this stings: browser extensions sit inside your daily workflow, with permissions to read pages and sessions. If they go rogue, your browser becomes the breach.

What to do in organisations:
• Allowlist extensions via Chrome Enterprise/Edge for Business; block everything else.
• Review permissions—extensions asking for “read and change data on all sites” should raise eyebrows.
• Hunt for indicators: new, rarely used extensions with broad permissions; sudden traffic to unfamiliar domains.
• User coaching: short guidance beats long policy—install fewer, review often.
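
One way to apply the permission-review and hunting bullets above to a fleet inventory, as an added example that is not from the original article or any vendor tool: it reads parsed `manifest.json` data, flags all-site host access and a shortlist of sensitive APIs, and checks each extension ID against an allowlist. The extension IDs and names, the `SENSITIVE_APIS` shortlist and the verdict labels are assumptions made for illustration.

```python
# Match patterns that grant access to every site ("read and change data on all sites").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose sessions or traffic; this shortlist is an assumption, tune it.
SENSITIVE_APIS = {"cookies", "webRequest", "scripting", "tabs", "history"}


def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts separately; MV2 mixes host patterns into "permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    hosts |= set(manifest.get("optional_host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = [f"broad-host:{h}" for h in hosts & BROAD_HOSTS]
    findings += [f"sensitive-api:{p}" for p in perms & SENSITIVE_APIS]
    return sorted(findings)


def triage(inventory, allowlist):
    """Map extension ID -> (verdict, findings) for a fleet inventory {id: manifest}."""
    report = {}
    for ext_id, manifest in inventory.items():
        findings = audit_manifest(manifest)
        if ext_id not in allowlist:
            verdict = "block"    # not approved: the allowlist policy says remove it
        elif any(f.startswith("broad-host:") for f in findings):
            verdict = "review"   # approved, but can read every site: re-check it
        else:
            verdict = "ok"
        report[ext_id] = (verdict, findings)
    return report


# Constructed sample inventory; IDs and names are placeholders, not real extensions.
SAMPLE = {
    "a" * 32: {"manifest_version": 3, "name": "Tab Tidy",
               "permissions": ["storage"], "host_permissions": []},
    "b" * 32: {"manifest_version": 3, "name": "HR Portal Helper",
               "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]},
    "c" * 32: {"manifest_version": 2, "name": "Coupon Finder",
               "permissions": ["tabs", "*://*/*"],
               "content_scripts": [{"matches": ["https://*/*"], "js": ["c.js"]}]},
}
ALLOWLIST = {"a" * 32, "b" * 32}

if __name__ == "__main__":
    for ext_id, (verdict, findings) in triage(SAMPLE, ALLOWLIST).items():
        print(SAMPLE[ext_id]["name"], verdict, findings)
```

In practice the inventory would come from your browser management console or from the `manifest.json` files in each profile's extensions directory; an allowlisted extension that still lands in "review" is the case the permissions bullet is about.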

At home: remove what you don’t need, check publisher reputation, and never grant blanket access without a good reason. The extension you installed to find the best pizza discount shouldn’t also know your payroll login.