
CyberWire Daily: Your AI sidekick might be a spy. [Research Saturday]
Mar 14, 2026
Or Eshed, co-founder and CEO of LayerX Security, a browser security leader who uncovered a campaign of malicious ChatGPT-themed extensions, discusses how the extensions posed as productivity tools, intercepted ChatGPT tokens, and formed a coordinated cluster of 16 malicious add-ons. The conversation covers distribution tactics, enterprise risk, and defensive controls in brief, punchy segments.
Extensions Evade Detection By Mimicking Legit AI Tools
- Malicious extensions can evade marketplace sandboxing by injecting large amounts of code and posing as AI productivity tools.
- LayerX found a coordinated campaign of 16 extensions copying code, visuals, and domains to steal ChatGPT tokens early in marketplace life.
Threat Hunt Caught Extensions At Marketplace Entry
- LayerX leveraged its sandbox partnership with Google and a large extension database to threat-hunt early in extension lifecycles.
- They caught extensions as they entered the marketplace, enabling takedowns before wide infection.
Code And Visual Reuse Revealed A Coordinated Campaign
- Reused code, identical icons, and shared domains were smoking-gun indicators tying multiple extensions to a single attacker.
- Attackers copy working code to scale by creating many similar extensions quickly.
