New research out today from browser security company SquareX Ltd. is warning of a new class of browser-based attack known as AI Sidebar Spoofing, which exploits users’ trust in artificial intelligence assistants built into modern browsers.

The technique involves leveraging malicious extensions that impersonate trusted AI sidebar interfaces, tricking users into executing harmful commands that can result in credential theft, device hijacking and password exfiltration.

The attack specifically targets the AI sidebars now common in next-generation AI browsers such as Perplexity AI Inc.’s Comet, as well as consumer browsers integrating AI features such as Microsoft Edge, Brave and Firefox. Although not covered in the research itself, SquareX’s researches have also found in early testing that OpenAI’s Atlas browser, which launched yesterday, is also vulnerable.

The technique involves rendering an indistinguishable AI sidebar user interface inside a browser via a malicious extension. The UI then emits AI-style guidance that contains modified links or system commands. Because the interface mirrors what users expect, victims often follow the steps and end up disclosing credentials, executing attacker-supplied commands, or enabling persistent device takeover.

“AI has become an essential tool for millions of users to learn new skills and complete tasks,” said SquareX founder and Chief Executive Vivek Ramachandran. “Unfortunately, this has created a dangerous dynamic where people blindly follow AI-generated instructions without the expertise to identify security risks. With no visual or workflow difference, the AI Sidebar Spoofing attack exploits the trust users place on these AI interfaces, tricking them into performing malicious tasks that they may not fully understand or are aware of.”

The research outlines three case studies that demonstrate the attack’s potential impact. In one example, a user asking how to withdraw cryptocurrency receives instructions containing a phishing link disguised as a Binance login page, leading to the theft of their credentials and digital assets. Other examples include AI-generated prompts that persuade users to run system commands, granting attackers remote access or allowing them to exfiltrate stored passwords.

SquareX researchers note that the threat also extends beyond specialized AI browsers, as the spoofing can occur in any browser that supports AI sidebar extensions; simply restricting AI browser use within organizations does not eliminate the risk. Added to the mix is that the attacks can operate with standard browser permissions, similar to those requested by popular productivity tools such as Grammarly or password managers, making them difficult to detect.

The company recommends that enterprises adopt dynamic behavioral analysis for browser extensions and implement browser-native guardrails that warn users against executing risky commands or following suspicious AI-generated links.

Image: SquareX