Fake Perplexity Chrome Extension Sent Every Address Bar Keystroke to an Attacker Server
Microsoft's threat research team caught a malicious Chrome extension impersonating Perplexity AI — one that silently intercepted omnibox input, character by character, before users ever saw a search result.

A counterfeit Chrome extension posing as Perplexity's popular AI search tool was secretly capturing every keystroke typed into the browser address bar and routing that data to an attacker-controlled server, Microsoft researchers discovered.
What the Extension Actually Did
Most browser-based malware waits. This one didn't. The extension inserted itself as a man-in-the-middle directly inside the omnibox — Chrome's combined address-and-search bar — intercepting input as each character landed, exfiltrating it outbound, and only then forwarding the user to their intended destination. The browser behaved completely normally throughout. Victims had no visual cue that anything was wrong.
The practical blast radius is significant. Internal hostnames, half-typed URLs carrying session tokens, draft medical queries, the name of an employer keyed in mid-thought — all of it left the device before the user finished typing. Partial input is often the most sensitive kind, because people type things they would never submit.
Microsoft disclosed the extension to Google. Google removed it from the Chrome Web Store. Neither company has publicly confirmed how many users installed it, how long it was live, or where the command-and-control infrastructure was hosted.
A Repeating Pattern Across AI Brands
This incident is not isolated. Over the past eighteen months, threat researchers have documented fake browser extensions impersonating Perplexity, ChatGPT, Claude, and Gemini. The pattern is consistent: attackers clone a recognizable AI brand, publish to an extension store, and let the brand's own credibility do the social-engineering work. Users searching for a tool they trust install one they shouldn't.
Extension stores offer attackers a low-friction distribution channel that bypasses most traditional endpoint defenses. No phishing email required. No malicious attachment to dodge. The user navigates to an official-looking store page, reads plausible reviews, and clicks "Add to Chrome." That's the entire attack chain.
According to the Verizon 2024 Data Breach Investigations Report, the human element contributed to 68 percent of breaches — and supply-chain-style attacks through trusted third-party channels are an increasingly common vector for that human element to be exploited.
Which Controls Failed
The root failure here is identity verification at the point of software installation. Chrome's Web Store does require developer account registration, but publisher identity is not prominently surfaced during the install flow. A user sees a name, an icon, and a star rating. Both the name and the icon are trivially cloneable. The publisher ID — the only field that distinguishes the real Perplexity from a lookalike — is buried.
Enterprise environments have a second failure mode. Organizations that allow employees to install Chrome extensions without an approved allowlist are effectively outsourcing software-procurement decisions to individual workers, one browser at a time. That is not a policy most security teams would accept for desktop applications. Browser extensions deserve the same scrutiny.
Training matters here, too. Employees who understand that AI-branded tools are a specific impersonation target — and who know to check publisher identity before installation — are measurably harder to fool. Security awareness programs that include browser hygiene and software-vetting scenarios close a gap that no technical control alone can address.
What Defenders Should Do Right Now
For Individual Users
If you installed any Perplexity-branded Chrome extension from a publisher you didn't independently verify, treat your recent browsing session data as potentially exposed. Remove the extension immediately. Open `chrome://extensions` and audit everything installed — remove anything unfamiliar or unused. Rotate credentials for any service where you may have typed a token or session-bearing URL into the address bar. Check `chrome://settings/syncSetup` to confirm the extension hasn't propagated across devices tied to the same Google account.
When reinstalling tools, verify publisher identity explicitly. Name and icon prove nothing.
For Enterprise Security Teams
Pull a full extension inventory from your endpoint management platform now. Cross-reference against an approved allowlist. If you don't have one, building it is the immediate priority.
Chrome Enterprise supports force-install and block-by-extension-ID policies. Use both. Force-install approved extensions from verified publishers; block installation of anything outside that set. Once Microsoft publishes the manifest hash for this package, block it explicitly.
For longer-term resilience, apply the principle of least privilege to browser extensions the same way you apply it to application permissions. Most extensions request far broader access than their stated function requires. An AI search assistant has no legitimate need to read all site data across every domain. Reviewing requested permissions at install time is a fast, low-cost filter.
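The inventory cross-check, the allowlist-based Chrome Enterprise policy and the permission review described in the three steps above, combined into one added script (this is an illustrative example, not code from Microsoft, Google or Train2Secure; the policy names are real Chrome Enterprise policies, while the extension IDs, names and inventory records are constructed sample data):

```python
"""Audit installed Chrome extensions against an allowlist and emit the
matching Chrome Enterprise policy. Added example; the inventory is constructed."""
import json

# Web Store update URL used in ExtensionInstallForcelist entries ("id;update_url").
UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed inventory, shaped like the manifest.json fields an endpoint
# management export would carry. Real extension IDs are 32 chars from a-p.
INVENTORY = [
    {"id": "a" * 32, "name": "Approved Password Manager",
     "permissions": ["storage"], "host_permissions": ["https://vault.example/*"]},
    {"id": "b" * 32, "name": "Perplexity AI Search (lookalike)",
     "permissions": ["webNavigation", "tabs"], "host_permissions": ["<all_urls>"]},
    {"id": "c" * 32, "name": "Unknown Coupon Finder",
     "permissions": ["storage"], "host_permissions": ["https://shop.example/*"]},
]
ALLOWLIST = {"a" * 32}  # IDs the security team has vetted and approved


def is_broad(host_permissions):
    """True when the extension can read/modify data on every domain."""
    return any(h in BROAD_HOSTS for h in host_permissions)


def audit(inventory, allowlist):
    """Return (id, name, reasons) for every extension that needs attention."""
    findings = []
    for ext in inventory:
        reasons = []
        if ext["id"] not in allowlist:
            reasons.append("not on allowlist")
        if is_broad(ext.get("host_permissions", [])):
            reasons.append("requests access to all sites")
        if reasons:
            findings.append((ext["id"], ext["name"], reasons))
    return findings


def chrome_policy(allowlist, force_install=()):
    """Block everything by default, permit only approved IDs, force-install a subset."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist),
        "ExtensionInstallForcelist": [f"{eid};{UPDATE_URL}" for eid in sorted(force_install)],
    }


if __name__ == "__main__":
    for eid, name, reasons in audit(INVENTORY, ALLOWLIST):
        print(f"{eid}  {name}: {', '.join(reasons)}")
    print(json.dumps(chrome_policy(ALLOWLIST, force_install=ALLOWLIST), indent=2))
```

The policy dictionary is the JSON shape Chrome reads from its managed-policy directory on Linux; on Windows and macOS the same three policy names are set through the registry or a configuration profile.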
The Notification Gap
Here's an uncomfortable jurisdictional reality. There is no formal breach-notification trigger when a malicious extension is pulled from an app store. Google is not the data controller for the exfiltrated content. Microsoft is the discoverer, not the custodian of affected users' data. The actual controller — the attacker operating the command-and-control server — is unreachable.
In the EU and UK, if any intercepted queries contained personal data tied to an identifiable individual, GDPR and UK GDPR obligations technically attach to that attacker. Enforcement is, practically speaking, impossible. Affected users will almost certainly never receive a notification.
That makes proactive defense the only realistic option. Waiting for a breach notice to act is not a strategy when the liable party is anonymous and offshore.
The Bigger Lesson
Browser extensions are software. They run with elevated privileges inside the most sensitive application on most people's devices. The install friction is deliberately minimal — that's a product decision by the store operators, not a security endorsement. Organizations and individuals that treat "available in the Chrome Web Store" as a quality signal are misreading what that phrase actually means.
AI brand impersonation in extension stores will continue as long as it works. The technical controls exist — allowlists, publisher verification, permission audits, endpoint telemetry. Pairing those controls with trained users who recognize the pattern is how organizations stop repeating this incident under a different brand name next quarter. See how Train2Secure structures that training around real threat scenarios like this one.
How security awareness training could have stopped this
- Train employees to verify Chrome extension publisher identity — not just name and icon — before installation, especially for AI-branded tools that are frequent impersonation targets.
- Run simulated software-vetting scenarios so staff practice recognizing lookalike tools in extension stores before they encounter a real one.
- Ensure IT and security teams know to audit `chrome://extensions` across the fleet after any new threat disclosure involving browser add-ons.
Train2Secure offers ready-to-deploy modules covering browser hygiene, third-party software risks, and AI-tool impersonation — built around real incidents like this one.
Frequently asked questions
How did the fake Perplexity Chrome extension avoid detection?
It mimicked a well-known AI brand and was distributed through the official Chrome Web Store, which many users treat as a trusted source. The extension operated silently — the browser behaved normally, giving victims no visible indication that their omnibox input was being exfiltrated to an external server before each search completed.
What data was stolen by the malicious extension?
Any keystrokes typed into Chrome's address bar were captured character by character. This includes partial URLs, session tokens, internal hostnames, medical or personal search queries, and any other input entered before the user pressed Enter — including content that was never submitted.
Will affected users receive a breach notification?
Almost certainly not. There is no formal breach-notification requirement triggered by an extension-store takedown. The attacker operating the data-collection server is the technical data controller under GDPR, but they are anonymous and unreachable. Users should act proactively rather than wait for any notice.
How can organizations prevent employees from installing malicious browser extensions?
Chrome Enterprise policies allow administrators to enforce an approved extension allowlist and block installations by extension ID. Pairing that technical control with security awareness training that specifically covers AI-brand impersonation significantly reduces the risk of a successful install.