HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Fake Perplexity Chrome Extension Spies on User Searches and Logs Data to Attacker Server

A rogue Chrome extension impersonating the Perplexity AI service intercepted and logged every user search, exposing personal queries and device metadata. The incident highlights the need for strict SOC 2 access‑control policies and continuous monitoring of third‑party software.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 malwarebytes.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
malwarebytes.com

Fake Perplexity Chrome Extension Spies on User Searches

What Happened — A malicious Chrome extension titled “Search for perplexity ai” was discovered routing every user‑typed query through an attacker‑controlled server, logging the text, IP address, browser headers and user‑agent before forwarding the request to a legitimate search engine. Google removed the extension from the Chrome Web Store, but it remains on any browsers where it was already installed.

Why It Matters for Compliance & Audit Readiness

  • The extension exploited overly‑broad Chrome permissions ( chrome_settings_overrides and declarativeNetRequest ) that were not required for its advertised function—exactly the kind of permission‑bloat a SOC 2 Access Controls audit looks for.
  • Continuous evidence of “least‑privilege” enforcement and periodic inventory of third‑party software are core controls that can prove due diligence to auditors.
  • Security Awareness Training that teaches users to verify extension IDs and permissions helps close the human‑error gap that enabled the install.

Who Is Affected — All Chrome users across industries; particularly enterprises that allow employees to install browser extensions without centralized control (TECH_SAAS, FIN_SERV, EDU_RESEARCH, etc.).

Recommended Actions

  • Conduct an immediate inventory of installed extensions; remove any that are not business‑approved.
  • Enforce a policy that only approved extensions may be installed, and that required permissions are documented and reviewed.
  • Integrate extension‑permission monitoring into your continuous compliance platform to generate audit‑ready evidence of least‑privilege enforcement.

Technical Notes

  • Attack vector: malicious Chrome extension leveraging declarativeNetRequest to intercept and exfiltrate search queries.
  • No CVE; the issue is a supply‑chain style abuse of the Chrome Web Store review process.
  • Data captured: user‑typed queries, IP address, browser headers, user‑agent string.

Source: Malwarebytes Labs

📰 Original Source
https://www.malwarebytes.com/blog/privacy/2026/07/fake-perplexity-chrome-extension-spies-on-your-searches

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →