Malicious ChatGPT Browser Extensions Are Stealing Session Tokens — What Enterprises Must Do Now

Threat actors are publishing “ChatGPT enhancer” browser extensions that quietly steal authenticated session tokens from users, enabling account hijacking without exploiting a vulnerability in ChatGPT itself. Once tokens are stolen, attackers can impersonate the user, access chat history, and potentially pivot into connected apps and data sources.

This is not a novelty risk. It’s a predictable outcome of three trends colliding: (1) rapid GenAI adoption, (2) over-privileged extensions, and (3) weak enterprise governance over browser add-ons.

What happened: “ChatGPT productivity” extensions used for account hijacking

Researchers reported a coordinated campaign of at least 16 browser extensions marketed as ChatGPT enhancement/productivity tools. The intent is credential/session theft: the extensions extract authorization details and session token data and transmit them to attacker-controlled servers.

Key points defenders should internalize:

The campaign included 15 Chrome Web Store listings and 1 Microsoft Edge Add-ons listing, with roughly ~900 total installs reported at the time of analysis.

The extensions don’t “hack ChatGPT.” They abuse the web session by stealing tokens during normal authenticated use.

Some variants presented signals of legitimacy (including a “featured” badge in at least one case), reinforcing that “it was in the official store” is not a security control.

How the attack works: token theft via injected scripts on chatgpt.com

The core technique is straightforward and effective:

A content script is injected into chatgpt.com and executed in the page’s MAIN JavaScript world.

The script hooks the browser’s window.fetch (or monitors outbound requests) to observe requests initiated by the ChatGPT web app.

When an authorization header/session token is detected, it’s extracted.

A second script exfiltrates the token to a remote server.

Why MAIN-world execution matters

Running in the MAIN world allows direct interaction with the application’s native runtime rather than a more isolated extension execution context. Practically, that means the extension can observe sensitive runtime artifacts (like auth headers/tokens) before they ever become “interesting” to many traditional endpoint/network controls.

The real blast radius: connectors + long-lived identification

With a valid session token, the attacker can authenticate as the victim and access chat history and connectors that bridge ChatGPT into other systems (examples cited include Slack, GitHub, Google Drive).

LayerX also reported that, beyond the ChatGPT token, the extensions exfiltrated extension metadata, usage telemetry, and backend-issued access tokens used by the extension service—supporting persistent identification and behavioral profiling.

Why this is an enterprise security problem (not a “consumer hygiene” issue)

Enterprises are treating GenAI like a web app procurement problem. This incident shows it’s also a browser supply-chain and identity problem.

1) The browser is now a privileged execution environment

Attackers have long abused extensions for persistence and access. MITRE explicitly tracks Browser Extensions abuse as a technique because extensions can provide durable, high-trust footholds in user workflows.

2) Session token theft bypasses “password thinking”

If the attacker has a live token, they often don’t need to steal a password in the classic way. Your “strong password” story collapses into a “how fast can we detect/revoke sessions” story.

3) GenAI increases the sensitivity of what users paste into the browser

Chat transcripts routinely contain proprietary code, customer data, internal URLs, incident details, and credentials-like artifacts. Token theft turns “one risky extension install” into “enterprise data spill + account takeover.”

Indicators: known malicious “ChatGPT Mods” extensions (names + IDs)

These are the extensions Malwarebytes listed as malicious and recommended removing (Name — Publisher — Extension ID).

ChatGPT bulk delete, Chat manager — ChatGPT Mods — gbcgjnbccjojicobfimcnfjddhpphaod

ChatGPT export, Markdown, JSON, images — ChatGPT Mods — hljdedgemmmkdalbnmnpoimdedckdkhm

ChatGPT folder, voice download, prompt manager, free tools — ChatGPT Mods — lmiigijnefpkjcenfbinhdpafehaddag

ChatGPT message navigator, history scroller — ChatGPT Mods — ifjimhnbnbniiiaihphlclkpfikcdkab

ChatGPT Mods — Folder Voice Download & More Free Tools — ChatGPT Mods — jhohjhmbiakpgedidneeloaoloadlbdj

ChatGPT pin chat, bookmark — ChatGPT Mods — kefnabicobeigajdngijnnjmljehknjl

ChatGPT Prompt Manager, Folder, Library, Auto Send — ChatGPT Mods — ioaeacncbhpmlkediaagefiegegknglc

ChatGPT prompt optimization — ChatGPT Mods — mmjmcfaejolfbenlplfoihnobnggljij

ChatGPT search history, locate specific messages — ChatGPT Mods — ipjgfhcjeckaibnohigmbcaonfcjepmb

ChatGPT Timestamp Display — ChatGPT Mods — afjenpabhpfodjpncbiiahbknnghabdc

ChatGPT Token counter — ChatGPT Mods — hfdpdgblphooommgcjdnnmhpglleaafj

ChatGPT model switch, save advanced model uses — ChatGPT Mods — pfgbcfaiglkcoclichlojeaklcfboieh

ChatGPT voice download, TTS download — ChatGPT Mods — odobjankihdfckkbfnoglefmdgmblcld (reported with a character-variant rendering in some listings)

Collapsed message — ChatGPT Mods — lechagcebaneoafonkbfkljmbmaaoaec

Multi-Profile Management & Switching — ChatGPT Mods — nhnfaiiobkpbenbbiblmgncgokeknnno

Search with ChatGPT — ChatGPT Mods — hpcejjllhbalkcmdikecfngkepppoknd

LayerX also published campaign IOCs including domains such as chatgptmods.com and imagents.top.

Source

Immediate containment actions

Execute these actions as an incident response playbook whenever an AI/LLM-related extension is suspected:

Remove the extension(s) from affected browsers and endpoints; assume “installed = active until removed.”

Revoke sessions / force re-authentication for affected GenAI accounts; stolen tokens are the attacker’s access path.

Review and disable connectors (Slack/GitHub/Drive and similar) tied to the compromised identity; treat connectors as downstream breach paths.

Rotate credentials and strengthen MFA for the impacted identity and any accounts accessed through the same browser session.

Hunt for outbound calls to reported campaign infrastructure (including domains published as IOCs) and anomalous token use patterns.

Sustainable controls: what “good” looks like for GenAI extension governance

This is the enterprise fix. Not awareness posters.

1) Treat AI-integrated extensions as privileged applications

Extensions that integrate with authenticated AI platforms should be classified as high-risk software because they can access runtime authentication artifacts and sensitive content flows.

2) Enforce extension allowlisting and permission hygiene

Allowlist approved extensions only (per browser + per role).

Block sideloading and “unknown publisher” installs.

Review permissions as part of change control, not after an incident.

3) Instrument the browser as a security boundary

Traditional endpoint telemetry often under-sees what happens inside the browser. Behavior-based monitoring that detects suspicious extension network activity and runtime manipulation closes the gap LayerX highlighted.

4) Quantify and reduce exposure windows

InfoSight’s framing applies here: stop running this as qualitative risk. Track it like attack surface:

% of users with non-approved extensions

Time-to-remove (extension) after detection

Token/session revocation time after suspected compromise

Connector inventory and least-privilege coverage

The InfoSight perspective: GenAI risk is identity + browser attack surface

These incidents are a clean example of why “we’ll just train users not to paste sensitive data into ChatGPT” fails. The failure mode is upstream: unmanaged browser execution and session-based identity theft.

InfoSight approaches this as measurable exposure reduction:

Identity-first hardening: tighten access, MFA, conditional access, and session controls around GenAI accounts and connected SaaS. (Token theft turns identity into the real control plane.)

Attack-surface reduction: remove unapproved extensions, reduce privileges, and shorten the time an attacker can live off the browser.

Continuous verification: detect anomalous behavior and respond fast enough that stolen tokens don’t translate into persistent access.

The core warning is the one enterprises should adopt as policy: AI extensions requiring deep authenticated integration materially expand the browser attack surface.