Skip to content
Security & Trust

175 Chrome Extensions Are Bot Traffic Factories. 863,000 Users Generating Fake Clicks, Injecting Ads, and Harvesting Credentials. Google Hasn't Removed Them.

DomainTools researchers found 152 extensions using browser-level access to redirect searches, inject affiliate codes, exfiltrate cookies, and track browsing. Separately, 23 extensions from the 'AstroForge' campaign steal AI chatbot conversations including Claude, ChatGPT, and Gemini sessions. The Chrome Web Store's review process missed all of them.

· 6 min read
Share on X LinkedIn
175 Chrome Extensions Are Bot Traffic Factories. 863,000 Users Generating Fake Clicks, Injecting Ads, and Harvesting Credentials. Google Hasn't Removed Them.

The Browser Extension Supply Chain

DomainTools published research identifying 152 Chrome extensions operating as coordinated bot traffic factories. The extensions appear to offer utility functions — screenshot tools, PDF converters, weather widgets — but use their browser-level permissions to redirect search queries, inject affiliate codes into e-commerce sites, exfiltrate cookies, and generate fake ad clicks. Combined, these extensions have approximately 863,000 active users. Every installation is a compromised browser sending synthetic traffic across the web.

Separately, researchers identified 23 extensions from the 'AstroForge' campaign that specifically target AI chatbot conversations. These extensions intercept and exfiltrate complete conversation histories from Claude, ChatGPT, Gemini, and other AI platforms. For enterprise users who discuss proprietary code, business strategy, or security configurations with AI assistants, this represents exfiltration of their most sensitive intellectual property through a vector they never considered: a browser extension with 'read and change all your data on all websites' permission.

152 coordinated extensions
Bot traffic extensions
Fake clicks, search redirects, cookie theft, ad injection. Source: DomainTools, June 2026.
23 'AstroForge' extensions
AI chat theft extensions
Steal full Claude/ChatGPT/Gemini conversations. Source: Security researcher disclosure, June 2026.
~863,000 active installations
Affected users
Each installation = compromised browser. Source: Chrome Web Store metrics.

Why This Matters for Web Analytics

WebPulse tracks that 57.5% of HTTP traffic is already non-human. These 175 extensions add a new category: traffic that appears human but is not. When a Chrome extension redirects a search query, clicks an ad, or visits a page, it registers as a real user in every analytics system. Google Analytics counts it. Conversion tracking records it. Ad platforms charge for it. The browser fingerprint is identical to the real user because the browser IS real — only the intent is synthetic.

For web infrastructure operators, this means traffic metrics are less trustworthy than ever. A WordPress e-commerce site seeing a spike in traffic from Chrome users might be seeing real customers — or 863,000 extensions generating fake clicks. Modern frameworks with server-side analytics (Next.js with server components, FastAPI with structured logging) can correlate server-side signals with client-side events to detect anomalies. Client-side-only analytics stacks have no defense against extension-generated synthetic traffic.

The Chrome Web Store Review Failure

All 175 extensions passed the Chrome Web Store's review process. They were published, listed, and recommended to users through Google's own distribution channel. The review process that was designed to catch malicious extensions missed 175 of them simultaneously. This is not an isolated failure — it is a structural limitation of marketplace review. The extensions contain obfuscated JavaScript that behaves normally during review and activates malicious functionality after installation, often after a delay or upon receiving a server-side signal.

The parallel to npm's supply chain problem is exact. npm v12 is disabling install scripts by default because the npm registry's review process cannot catch all malicious packages. Chrome's Web Store faces the same problem with extensions. The marketplace model — centralized distribution with automated review — cannot defend against adversaries who are specifically designing to pass review. The defense must move to the runtime: restricting what extensions can do by default, not trying to detect what they will do before they do it.

The AI Conversation Exfiltration Risk

The AstroForge extensions represent a new attack class: stealing the conversations humans have with AI. Unlike traditional keyloggers that capture typed text, these extensions capture complete dialogue including the AI's responses — which often contain synthesized analysis, code suggestions, and strategic recommendations that go far beyond what the user typed. A developer asking Claude Code to review a security architecture gets their question stolen, but also Claude's detailed analysis of every vulnerability in their system.

This attack vector is invisible to the AI platforms themselves. Anthropic, OpenAI, and Google cannot detect that a browser extension is reading their responses from the DOM. The defense must come from the browser (extension permission restrictions), the enterprise (managed browser policies that control extension installation), or the user (auditing installed extensions). For organizations using AI assistants for sensitive work, unmanaged browser extensions are now an unacceptable risk — equivalent to allowing screen-sharing software from unknown vendors on production machines.

Framework Implications

Web applications cannot defend against malicious browser extensions — the extension has higher privilege than the page. But framework architecture determines how much damage an extension can do. Applications that store sensitive data in DOM-accessible elements (session tokens in cookies without HttpOnly, API keys in localStorage, conversation history in page elements) expose more surface to extension theft. Applications built on API-first architectures with server-side session management, HttpOnly cookies, and minimal client-side state reduce what an extension can extract. The framework is not the defense, but the architecture determines the blast radius.

Share this insight