- A malicious Chrome extension impersonating the AI search engine Perplexity intercepted and logged user search queries and keystrokes.
- According to Microsoft’s Defender research team, the extension routed all data through an attacker-controlled server before redirecting to legitimate results.
- The malware exploited Chrome’s built-in permissions to set itself as the default search engine and harvest data from the address bar in real time.
- This incident is part of a broader trend where malicious actors use popular AI branding to lure victims into installing harmful browser extensions.
Microsoft has revealed a malicious Chrome extension posing as Perplexity that secretly logged all user searches in late June 2026. The extension routed every character typed into the browser’s address bar through a hacker-controlled server.
This deceptive add-on, called “Search for perplexity ai,” used a look-alike domain to mimic the legitimate AI search service. Google subsequently removed it from its Web Store following a responsible disclosure.
The extension’s primary function was to intercept searches and collect user data. It leveraged Chrome’s permitted search-provider overrides to set itself as the default search engine.
Consequently, every query was first sent to the attacker’s server, which logged the browser headers, IP address, and user agent. The traffic was then redirected to a genuine search engine such as Perplexity, Google, or Bing to appear normal.
The malware also captured live search suggestions from the address bar. This meant every character was stolen as users typed, not just upon submission.
Microsoft’s researchers found no evidence of password theft. However, the extension requested intrusive permissions and shipped server-side code designed solely for data collection.
The malware also included disabled rules that could potentially target other search engines and had the capacity for future WebAssembly code execution. This incident aligns with a persistent wave of malicious extensions exploiting AI hype.
Microsoft’s own prior research linked similar chat-skimming extensions to nearly 900,000 installs. The key difference here was the direct targeting of search data and keystrokes via the browser’s core functionality.
Security teams are advised to restrict extensions to an approved list and monitor for changed search settings. Users should treat AI-branded tools with extra caution and verify the publisher before installing any extension.
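One way to act on the advice to monitor for changed search settings, as an added example that is not code from Microsoft or from this article: it reads an extension's manifest.json and reports a `chrome_settings_overrides.search_provider` override whose `search_url` or `suggest_url` points outside an approved list. The approved hosts, the sample manifests and the placeholder domain are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts your organisation accepts as search providers.
APPROVED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "www.perplexity.ai", "duckduckgo.com"}


def _host(url):
    # Templates such as {searchTerms} sit in the query string, so the host parses cleanly.
    return (urlsplit(url).hostname or "").lower()


def audit_manifest(manifest_text, approved=APPROVED_SEARCH_HOSTS):
    """Return a list of findings for one extension manifest.json."""
    manifest = json.loads(manifest_text)
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if not provider:
        return []
    findings = []
    if provider.get("is_default"):
        findings.append("sets itself as default search engine")
    # search_url receives submitted queries; suggest_url receives input as it is typed.
    for key, label in (("search_url", "queries"), ("suggest_url", "per-keystroke suggestions")):
        url = provider.get(key)
        if url and _host(url) not in approved:
            findings.append(f"{label} sent to unapproved host {_host(url)}")
    return findings


# Constructed sample manifests; the domain is a reserved placeholder, not an indicator.
SUSPECT = json.dumps({
    "name": "Example AI search helper",
    "manifest_version": 3,
    "chrome_settings_overrides": {"search_provider": {
        "name": "Example", "keyword": "ex", "is_default": True,
        "search_url": "https://search.lookalike.example/s?q={searchTerms}",
        "suggest_url": "https://search.lookalike.example/suggest?q={searchTerms}",
    }},
})
BENIGN = json.dumps({"name": "Tab tidy", "manifest_version": 3, "permissions": ["tabs"]})

if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, audit_manifest(text))
```

Host matching is exact, so a look-alike domain that differs by one label or character from an approved host is still reported.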
