Microsoft researchers discovered a malicious Chrome extension impersonating Perplexity, the AI search engine. The extension intercepted all search queries and address bar input, routing data through attacker-controlled servers before delivering legitimate results to users.
The extension logged every keystroke typed into the browser's address bar and search field. This gave attackers a complete picture of user browsing intent and search behavior. The malicious code operated silently without alerting users to the data harvesting.
The attack works through a classic interception pattern. Users install what appears to be the genuine Perplexity extension. Once active, it captures data before legitimate searches execute. All information flows to attacker infrastructure, creating a surveillance channel embedded in the browser itself.
Google removed the extension from the Chrome Web Store after Microsoft disclosed the threat through responsible disclosure channels. The timing and specific removal details remain unclear from available information.
This threat targets browser extensions as an infection vector. Extensions operate with elevated privileges compared to regular web content. They can intercept network traffic, access browsing history, and monitor all user input across websites. Malicious actors exploit this trust model by distributing fake versions of legitimate tools.
The attack poses distinct risks to both individuals and organizations. Personal users expose search history and typing patterns tied to sensitive queries. Enterprise users risk exposing work-related searches, credentials typed into the address bar, and proprietary search behavior. The data collected could inform phishing attacks, social engineering campaigns, or competitive intelligence gathering.
Users should audit installed extensions immediately and remove any unfamiliar or suspicious tools. Verify extension sources directly from publisher websites rather than assuming Chrome Web Store listings are legitimate. Enable extension permission reviews and restrict access to browsing data where possible. Organizations should enforce extension policies through device management and restrict what extensions employees can install on corporate systems.
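One way to do the extension audit described above on a local Chrome profile, as an added example (not code from Microsoft, Google or Perplexity): it walks Chrome's on-disk Extensions folder, parses each manifest.json and flags the capabilities that enable this kind of interception. The set of "high-risk" permissions is the author's own judgment, the sample ids and manifests are constructed, and `chrome_settings_overrides.search_provider` is a real manifest key that reroutes address-bar searches.

```python
import json
import os
import tempfile

# Permissions that let an extension watch or rewrite traffic, tabs or input (editor's list).
HIGH_RISK = {"webRequest", "webRequestBlocking", "tabs", "history", "clipboardRead", "debugger", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def risk_flags(manifest):
    """Return findings for one parsed manifest.json (MV2 or MV3 layout)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    flags = ["permission:" + p for p in sorted(perms & HIGH_RISK)]
    if (perms | set(manifest.get("host_permissions", []))) & BROAD_HOSTS:
        flags.append("host:all-sites")
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        flags.append("content_script:all-sites")
    # A search_provider override sends every address-bar search to the named URL first.
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:
        flags.append("search_override:" + provider.get("search_url", "?"))
    return flags

def audit_extensions(root):
    """Walk <root>/<id>/<version>/manifest.json and map extension id -> findings."""
    report = {}
    for ext_id in sorted(os.listdir(root)):
        for version in sorted(os.listdir(os.path.join(root, ext_id))):
            path = os.path.join(root, ext_id, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
                report[ext_id] = {"name": manifest.get("name", "?"), "flags": risk_flags(manifest)}
    return report

# Constructed sample profile: hypothetical ids and manifests, not real extensions.
SAMPLE = {
    "aaaa": {"name": "Perplexity", "permissions": ["webRequest", "tabs", "<all_urls>"],
             "chrome_settings_overrides": {"search_provider": {
                 "search_url": "https://example.invalid/s?q={searchTerms}"}}},
    "bbbb": {"name": "Dark Mode", "permissions": ["storage"],
             "content_scripts": [{"matches": ["https://docs.example.invalid/*"]}]},
}

def build_sample_profile():
    # Write SAMPLE to a temp dir laid out like Chrome's Extensions folder.
    root = tempfile.mkdtemp()
    for ext_id, manifest in SAMPLE.items():
        os.makedirs(os.path.join(root, ext_id, "1.0_0"))
        with open(os.path.join(root, ext_id, "1.0_0", "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

To run it against a real profile, pass the Extensions directory instead of the sample (on Linux `~/.config/google-chrome/Default/Extensions`, on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`) and review every extension whose findings include a search override or all-sites access.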
The broader lesson applies to all browser extensions. Threat actors regularly use impersonation tactics to
