Cybersecurity researchers have uncovered a coordinated abuse of the Google Chrome Web Store involving two browser extensions that were secretly designed to collect and exfiltrate user conversations from artificial intelligence platforms such as ChatGPT and DeepSeek, along with detailed browsing information.
The extensions appeared as legitimate AI productivity tools and were marketed as helpers that integrate multiple AI models into the browser. However, behind the scenes, they operated as surveillance tools that quietly harvested sensitive data and transmitted it to servers controlled by unknown threat actors.
Investigators confirmed that the two extensions together had been installed by more than 900,000 users worldwide before their malicious behavior was detected.
The affected extensions were:
- Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI
- AI Sidebar with DeepSeek, ChatGPT, Claude, and more
Both extensions claimed to improve access to AI models through a browser sidebar or shortcut interface, which made them attractive to users who frequently work with AI tools.
How the Data Theft Worked
Once installed, the extensions requested permission to collect what they described as anonymous usage or analytics data. When users granted this permission, the extensions activated hidden functionality that allowed them to monitor browser activity.
The malicious logic was programmed to:
- Track all open browser tabs
- Identify when a user was interacting with AI platforms such as ChatGPT or DeepSeek
- Extract conversation content directly from the web page using Document Object Model (DOM) parsing
- Store the extracted data locally on the user’s device
- Periodically transmit the collected information to remote servers
Researchers found that the extensions sent data at regular intervals, effectively creating a continuous stream of user conversations and browsing activity to attacker-controlled infrastructure.
The exfiltrated data included:
- User prompts and queries entered into AI tools
- AI-generated responses
- URLs of open tabs and internal websites
- Browser metadata associated with user sessions
Because many users use AI tools for work, study, or business purposes, the stolen data may include confidential documents, internal company information, source code, legal discussions, financial details, and personal messages.
Infrastructure and Evasion
The operators behind the extensions used techniques designed to avoid detection and increase trust.
They hosted their configuration files, privacy policies, and supporting web infrastructure on legitimate web hosting and development platforms, making the extensions appear normal and professional.
The privacy policies presented to users described the data collection as anonymized analytics, while the actual behavior involved collecting full conversation content and browser information.
This approach allowed the extensions to remain active for an extended period before security analysts noticed abnormal network traffic and began investigating.
Why the Incident Is Serious
This incident represents a shift in how cyber threats are evolving.
Instead of attacking servers or exploiting software vulnerabilities, the attackers exploited user trust and the browser extension ecosystem itself.
By placing malicious code inside tools that users willingly install and trust, attackers gained access to extremely sensitive data without triggering alarms or obvious signs of compromise.
The stolen information can be used for:
- Corporate espionage and intellectual property theft
- Identity theft and account takeover
- Targeted phishing campaigns using stolen context
- Blackmail or fraud
- Sale of sensitive data on underground markets
Organizations may have unknowingly leaked internal information simply because employees installed these extensions on their work browsers.
Wider Context
Security researchers describe this emerging trend as “prompt harvesting” or “prompt poaching” — the systematic collection of user inputs from AI platforms through third-party software.
As AI tools become more deeply integrated into daily workflows, the data entered into them becomes just as valuable as emails, documents, or passwords.
This incident shows that AI interaction data is now a high-value target for cybercriminals and that browser extensions have become a major attack surface.
Conclusion
The discovery of these malicious extensions demonstrates how cyber threats are shifting away from traditional hacking techniques and toward abuse of trusted platforms and user behavior.
Rather than breaking into systems, attackers are embedding themselves into tools people willingly install.
This incident highlights that the modern cybersecurity challenge is no longer only about protecting networks and servers, but also about protecting the information people type into the tools they trust.