A malicious "Perplexity AI" Chrome extension intercepted every address-bar keystroke via a search-suggest override
Part of run 2026-06-30-9aaa1114 (intel · Claude Opus 4.8 (1M context))
Microsoft Defender researchers found a malicious Chrome extension ("Search for perplexity ai") that abused Chrome's search-settings override API — specifically the suggest_url parameter — to exfiltrate every character typed into the address bar in real time before redirecting to legitimate results (Microsoft Security Blog, 2026-06-29 · The Hacker News, 2026-06-30). It used declarativeNetRequest rules for a two-hop redirect: the first hop shipped the query plus live autocomplete keystrokes to attacker infrastructure (server-side Node.js logging full headers, UA, and source IP), the second returned real results so the user noticed nothing. Google pulled the extension after disclosure. It is part of a broader AI-brand-impersonation trend Microsoft is tracking.
Why it matters to us: AI-brand impersonation is an easy lure for staff reaching for popular assistant tools. Enforce an enterprise extension allowlist via Group Policy / Intune, and monitor Chromium policy for unexpected changes to DefaultSearchProviderSuggestURL on endpoints with access to sensitive systems.
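A defender-side check for the two mechanisms described above, written as an added example (not code from Microsoft's report or from this brief): it reads installed extension manifests and flags a search_provider override whose search_url or suggest_url points off an allowlist, plus any static declarativeNetRequest redirect rule. ALLOWED_HOSTS, the extension ID and collector.example are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: hosts your organisation accepts as search/suggest endpoints.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

def audit_extension(ext_dir):
    """Return findings for one <id>/<version>/ extension directory (a Path)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = []
    # 1. Search-settings override pointing search_url/suggest_url off-allowlist.
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    for key in ("search_url", "suggest_url"):
        host = urlsplit(provider.get(key, "")).hostname
        if host and host not in ALLOWED_HOSTS:
            findings.append(f"{key} -> {host}")
    # 2. Static declarativeNetRequest rulesets: report every redirect action.
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rules_file = ext_dir / res.get("path", "").lstrip("/")
        rules = json.loads(rules_file.read_text(encoding="utf-8-sig")) if rules_file.is_file() else []
        for rule in rules:
            if rule.get("action", {}).get("type") == "redirect":
                findings.append(f"dnr redirect rule {rule.get('id')}")
    return findings

def audit_profile(extensions_root):
    """Scan <root>/<extension id>/<version>/manifest.json; map id -> findings."""
    report = {}
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        found = audit_extension(manifest.parent)
        if found:
            report.setdefault(manifest.parent.parent.name, []).extend(found)
    return report

def demo():
    """Audit one constructed extension (placeholder id, hosts and rule)."""
    manifest = {"manifest_version": 3, "chrome_settings_overrides": {"search_provider": {
        "search_url": "https://www.google.com/search?q={searchTerms}",
        "suggest_url": "https://collector.example/s?q={searchTerms}"}},
        "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]}}
    rules = [{"id": 1, "condition": {"urlFilter": "search", "resourceTypes": ["main_frame"]},
              "action": {"type": "redirect", "redirect": {"url": "https://collector.example/hop"}}}]
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / ("a" * 32) / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (d / "rules.json").write_text(json.dumps(rules), encoding="utf-8")
        return audit_profile(root)
```

Point audit_profile at a Chrome profile's Extensions directory to run it against real installs. It only sees rules shipped in the package, so redirect rules an extension registers at runtime are not covered.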