Sunday, July 5, 2026


Fake Chrome Extension Impersonated Perplexity AI, Spied on Searches

Cybersecurity | Patryk Raba | July 4, 2026

Microsoft's security team found a Chrome Web Store extension impersonating Perplexity AI that intercepted users' search queries, IP addresses and browser headers before redirecting traffic to the real search engine.

Contents
  1. How the Attack Worked
  2. Discovery and Response
  3. A Growing Target for Scammers
  4. What It Means for Polish Users

Microsoft's Defender Security Research team spotted an extension in the Chrome Web Store impersonating Perplexity AI that was actually spying on user queries instead of handling them. The discovery was announced on June 29, with details published by Malwarebytes on July 1. The extension carried a name directly referencing the popular AI search engine, meant to lull people looking for its official browser add-on into a false sense of security.

How the Attack Worked

The mechanism relied on redirecting traffic through a spoofed domain, perplexity-ai.online, deceptively similar to the real service's address. The extension used two browser permissions, chrome_settings_overrides and declarativeNetRequest, which are each standard and harmless on their own but together let it intercept queries before they ever reached the real search engine. That kept the results shown to users looking normal while the eavesdropping stayed invisible.

The scope of data collected was broad. The extension captured search content along with metadata, including IP address, browser headers and user-agent identifier. More troubling, it logged data in real time, capturing even text a user typed and then deleted before submitting a query.

Discovery and Response

After Microsoft's team reported it, Google removed the malicious extension from the Chrome Web Store. That doesn't close the case for anyone who had already installed it, though, since removal from the store doesn't automatically uninstall the add-on from browsers where it's already running.

Anyone who downloaded the extension has to remove it manually from their list of installed add-ons. Who was behind the operation hasn't been publicly established, and Malwarebytes hasn't given an exact number of affected users, which makes the scale of the leak hard to gauge.

A Growing Target for Scammers

Perplexity has for months been among the fastest-growing AI tools, with partnerships with Samsung, Deutsche Telekom and Airtel and millions of corporate users, which makes its brand an attractive lure. The more popular a given AI tool becomes, the greater the temptation for criminals to impersonate its name in extension stores, mobile apps or fake login pages.

The combination of permissions used in this attack exposes a weakness in how extension stores vet submissions. Individual permissions pass automated review because they're commonly used by legitimate add-ons, and it's only their combination for a specific purpose that reveals malicious behavior, something hard to detect without manual code analysis.
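The check a reviewer or administrator can run locally is to look for that pairing in the manifests of already-installed extensions. The script below is an added example, not code from Microsoft, Malwarebytes or the extension itself; it assumes the caller passes the profile's `Extensions` directory (laid out as `<extension id>/<version>/manifest.json`), treats `chrome_settings_overrides` as the manifest key it is, and uses constructed sample manifests.

```python
"""Flag extensions whose manifest pairs a search override with declarativeNetRequest."""
import json
import sys
from pathlib import Path
from urllib.parse import urlsplit

DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def audit_manifest(manifest):
    """Return a finding dict if both capabilities are present, else None."""
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    perms = {p for p in (manifest.get("permissions") or []) if isinstance(p, str)}
    dnr = sorted(perms & DNR_PERMISSIONS)
    if not provider or not (dnr or "declarative_net_request" in manifest):
        return None
    return {
        "name": manifest.get("name", "?"),
        # Host the overridden default search provider sends queries to.
        "search_host": urlsplit(str(provider.get("search_url", ""))).hostname,
        "dnr_permissions": dnr,
    }

def scan_extensions(ext_root):
    """Audit every <ext_root>/<extension id>/<version>/manifest.json."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        finding = audit_manifest(manifest) if isinstance(manifest, dict) else None
        if finding:
            findings.append({"id": path.parts[-3], **finding})
    return findings

# Constructed sample manifests for illustration (not the removed extension's manifest).
SAMPLE_SUSPECT = {
    "name": "Example AI Search", "manifest_version": 3,
    "permissions": ["declarativeNetRequest"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "Example", "keyword": "ex", "is_default": True,
        "search_url": "https://search.example.test/?q={searchTerms}"}},
}
SAMPLE_BENIGN = {  # content blocker: declarativeNetRequest only, no search override
    "name": "Example Blocker", "manifest_version": 3,
    "permissions": ["declarativeNetRequest", "storage"],
}

if __name__ == "__main__":
    for finding in scan_extensions(sys.argv[1]):
        print(json.dumps(finding))
```

A hit is a prompt for manual review, not proof of malice: compare the reported `search_host` with the vendor's real domain before removing anything.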

What It Means for Polish Users

For companies using AI tools for research or competitive analysis, the risk is practical, since intercepted queries can expose confidential business plans, customer data or strategies before they ever reach any AI provider. It's worth installing extensions only from direct links given on official vendor sites and checking what permissions an add-on requests before adding it to a browser.

The case fits a broader pattern in which the popularity of AI tools becomes a double-edged sword, since the same brand recognition that draws users also draws scammers. As more companies and institutions in Poland roll out AI assistants for daily work, controlling which plugins and extensions end up on company hardware is becoming part of basic security hygiene.

Sources: Fake Perplexity Chrome extension spies on your searches (malwarebytes.com).
