
The AI Frame Campaign Continues

Published 24/04/2026 05:05 · Modified 27/04/2026 14:38


Essential information

Tags
2026-04-24, aiframe campaign, browser security, chrome extension, credential-theft, fraudulent paywall, iframe injection, two-factor authentication
Related entities
1 observable, 20 techniques (MITRE), 29 others

Description

A malicious extension impersonating Google's Authenticator application has been identified as part of an ongoing campaign active since early 2026. The extension requests excessive permissions and contains dormant infrastructure, suggesting a staged deployment model in which malicious updates can be delivered without requiring further user approval. This extension is linked to at least six others through a shared developer front, two of which already carry fully operational malicious payloads. These extensions use hidden iframes to inject attacker-controlled content, deploy fraudulent paywalls for free services, and maintain bidirectional communication with command and control servers. The infrastructure maps directly to the AI Frame campaign, which has reportedly compromised over 260,000 users from 2025 to the present, marking a continued evolution of this threat.

External references