Cybersecurity researchers have identified two malicious Chrome extensions that secretly collect user conversations from OpenAI ChatGPT and DeepSeek, along with browsing data, sending it to servers controlled by attackers. Together, these extensions have been installed by over 900,000 users worldwide.
Identified Malicious Extensions
The extensions are:
- Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (ID: fnmihdojmnkclgjpcoonokmkhjpjechg, ~600,000 users)
- AI Sidebar with DeepSeek, ChatGPT, Claude, and more (ID: inhcgfpbfdjbjogdfjbclgolkmhnooop, ~300,000 users)
These discoveries follow the earlier detection of Urban VPN Proxy, another extension spying on AI chatbot interactions. Researchers have labeled this exploitation method Prompt Poaching, where browser extensions stealthily harvest AI conversation data.
How the Attack Works
OX Security researcher Moshe Siman Tov Bustan explained that the malicious extensions exfiltrate ChatGPT and DeepSeek chats, along with all Chrome tab URLs, to remote command and control servers every 30 minutes.
To gain user consent, the extensions deceptively request permission to collect “anonymous, non-identifiable analytics data,” while actually harvesting full conversation content.
The rogue extensions imitate a legitimate extension, “Chat with all AI models (Gemini, Claude, DeepSeek…) & AI Agents” by AITOPIA, which has about 1 million users. As of the time of reporting, both malicious add-ons remain available on the Chrome Web Store, though Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI lost its “Featured” badge.
Once installed, the extensions collect data by:
- Scanning the webpage DOM for chat content.
- Storing conversations locally.
- Sending the data to servers such as chatsaigpt[.]com or deepaichats[.]com.
Additionally, attackers use AI-based hosting platforms like Lovable to host privacy policies and infrastructure (chataigpt[.]pro, chatgptsidebar[.]pro) to obscure their activities.
Risks and Potential Impact
These extensions can capture sensitive information including AI chatbot conversations, search queries, and internal corporate URLs. According to OX Security, such data can be used for:
- Corporate espionage
- Identity theft
- Targeted phishing campaigns
- Sale on underground forums
Organizations with employees using these add-ons may have unintentionally exposed intellectual property, confidential business data, or customer information.
Legitimate Extensions Also Engaging in Prompt Poaching
Secure Annex revealed that even legitimate extensions, such as Similarweb and Sensor Tower’s Stayfocusd, are performing prompt poaching. Similarweb introduced AI conversation monitoring in May 2025 and clarified in a January 2026 update that data entered into AI tools is collected for analytics purposes.
The collected data may include prompts, queries, content, uploaded files (images, videos, CSV, text), and AI-generated outputs. DOM scraping and native browser APIs like fetch() and XMLHttpRequest() are used to retrieve this data. Similarweb’s Chrome and Edge extensions exhibit this behavior, while its Firefox add-on has not been updated since 2019.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
