Malicious browser extensions are turning popular AI chat tools into data collection points, with users of ChatGPT, Claude, Copilot, Gemini, DeepSeek and other platforms exposed through add-ons that appear to offer productivity features while quietly harvesting conversations, browsing activity and personal information.
The threat centres on Chrome and other Chromium-based browsers, where third-party extensions marketed as VPNs, AI sidebars, writing assistants and chatbot companions have been found collecting prompts, model responses, full URLs and, in some cases, wider browsing telemetry. The risk has grown as users increasingly share work drafts, code, legal queries, financial details, medical questions and internal business material with generative AI services.
Security analysis of active campaigns shows that the add-ons often behave like ordinary tools after installation, reducing suspicion. Some provide working chat sidebars or browser utilities while running hidden scripts in the background. Others request broad permissions under the cover of analytics, performance improvement or feature enhancement, then use those permissions to watch visits to AI platforms and extract the content of conversations.
One cluster involved extensions that impersonated well-known AI assistant tools and together reached about 900,000 installations before wider exposure. The add-ons were able to collect ChatGPT and DeepSeek conversations and transmit data to attacker-controlled infrastructure at regular intervals. Affected data included user prompts, AI responses, tab URLs, search queries and internal web addresses that could reveal corporate systems, software repositories or business workflows.
Another strand involves add-ons such as Urban VPN, Smart Sidebar and AI Assistant, which have been examined for behaviour linked to the collection of AI chat content. Urban VPN was flagged in connection with a version that targeted multiple platforms, including ChatGPT, Claude, Copilot, DeepSeek, Gemini, Grok, Meta AI and Perplexity. Smart Sidebar, advertised as a browser productivity assistant, was linked to scripts that watched AI chat pages, extracted user inputs and model outputs, and stored interaction data before transmission.
The concern is not limited to individual privacy. Enterprises are facing a widening browser-layer exposure as staff use consumer AI tools for coding, market research, drafting, customer support and document review. A single malicious extension installed on a work device can capture proprietary source code, product plans, sales material, client information, legal notes or confidential strategy discussions. Full URLs can also expose internal application names, ticketing systems, authentication flows and project structures even when the page content itself is not taken.
The attacks exploit a weak point in digital trust. Browser extensions are commonly installed from official marketplaces and may carry polished branding, high ratings, large download counts or familiar names. Some malicious add-ons mimic legitimate tools closely enough to appear safe to casual users. Security researchers have also identified wider abuse patterns in the extension ecosystem, including bait-and-switch updates, remote code loading, hidden data exfiltration, query hijacking and redirection to attacker-controlled domains.
Generative AI has made the problem more attractive for cybercriminals because chatbot conversations often contain concentrated, high-value information. Unlike ordinary browsing records, AI prompts may include summaries of confidential documents, troubleshooting logs, software credentials copied by mistake, unreleased commercial plans or personal disclosures made in a conversational setting. Attackers who capture these exchanges can build detailed profiles of individuals and organisations, support phishing campaigns, identify targets for extortion or mine business intelligence.
The technical methods vary, but the pattern is consistent. Malicious extensions monitor browser activity, detect when a user opens an AI platform, inject or run scripts that observe page changes, capture prompts and responses after they render, and send the information to external servers. Some extensions also collect data from all open tabs, increasing the impact beyond chatbot use. Others preserve identifiers that allow activity to be linked over time, turning a browser add-on into a persistent surveillance mechanism.
Defenders are treating extension governance as a core security control rather than a minor browser setting. Recommended measures include restricting extension installation through enterprise policy, allowing only reviewed add-ons, removing tools that request excessive permissions, disabling unneeded browser sync for extensions, and auditing installed items across Chrome, Edge and other Chromium-based browsers. Users are also being urged to avoid AI assistants with vague publishers, copied branding, broad host permissions or privacy policies hosted on unrelated infrastructure.
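The audit step described above can start from each installed extension's manifest. The following is an added example, not code from the article or from any vendor: it flags broad host access and content scripts scoped to AI chat sites. The hostname list, the finding labels and the sample manifests are assumptions constructed for illustration.

```python
AI_HOSTS = {  # assumed hostnames for the services the article names
    "chatgpt.com", "chat.openai.com", "claude.ai", "copilot.microsoft.com",
    "gemini.google.com", "chat.deepseek.com", "grok.com", "meta.ai",
    "perplexity.ai", "www.perplexity.ai",
}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"tabs", "scripting", "webRequest", "history", "cookies"}

def host_patterns(manifest):
    """Gather match patterns from MV3 and MV2 fields and content scripts."""
    pats = list(manifest.get("host_permissions", []))
    pats += manifest.get("optional_host_permissions", [])
    # Manifest V2 mixes host patterns into "permissions".
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def covers_ai_host(pattern):
    """True when a non-broad match pattern covers one of AI_HOSTS."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        base = host[2:]
        return any(h == base or h.endswith("." + base) for h in AI_HOSTS)
    return host in AI_HOSTS

def audit(manifest):
    """Return review findings for one manifest; an empty list means no flags."""
    pats = host_patterns(manifest)
    findings = []
    if any(p in BROAD for p in pats):
        findings.append("broad-host-access")
    ai = sorted({p for p in pats if p not in BROAD and covers_ai_host(p)})
    if ai:
        findings.append("ai-chat-hosts:" + ",".join(ai))
    apis = sorted(SENSITIVE_APIS & set(manifest.get("permissions", [])))
    if findings and apis:  # API permissions matter once host access is present
        findings.append("sensitive-apis:" + ",".join(apis))
    return findings

# Constructed sample manifests (not taken from any real extension).
SIDEBAR = {"manifest_version": 3, "permissions": ["tabs", "scripting", "storage"],
           "host_permissions": ["<all_urls>"]}
CHAT_HELPER = {"manifest_version": 3, "permissions": ["storage"], "content_scripts": [
    {"matches": ["https://chatgpt.com/*", "https://chat.deepseek.com/*"], "js": ["c.js"]}]}
NOTES = {"manifest_version": 3, "host_permissions": ["https://notes.example.org/*"]}

if __name__ == "__main__":
    print({n: audit(m) for n, m in [("sidebar", SIDEBAR), ("chat-helper", CHAT_HELPER), ("notes", NOTES)]})
```

A flag here is a prompt for review, not a verdict: legitimate tools also request these permissions, and a manifest check does not see code an extension loads remotely after installation.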