Two malicious browser extensions masquerading as legitimate tools have reportedly been installed over 900,000 times, allowing cybercriminals to exfiltrate sensitive user data, including conversations with AI models such as ChatGPT and DeepSeek. The extensions, named Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI—which has more than 600,000 users—and AI Sidebar with Deepseek, ChatGPT, Claude, among others (with over 300,000 users), were designed to extract user conversations and Chrome tab URLs every 30 minutes and relay this information to a command-and-control (C2) server operated by the attackers, according to researchers from OX Security.
The data exposed through these interactions includes proprietary source code, business strategies, competitive intelligence, and personal identifiable information (PII), as outlined in a report released this week by OX Security researchers Moshe Siman and Tov Bustan. The stolen browsing history encompasses complete URLs from all open Chrome tabs, sensitive search queries, and internal corporate URLs, potentially revealing organizational structure and tools.
“This data can be weaponized for corporate espionage, identity theft, targeted phishing campaigns, or sold on underground forums,” the researchers wrote. The risks extend to organizations whose employees may have unknowingly compromised intellectual property, customer data, and confidential business information through these extensions.
The revelation from OX Security adds to a troubling trend of malicious extensions infiltrating online marketplaces. Earlier this month, Koi Security reported another malicious Chrome extension used by over 6 million people, which collected user prompts and chatbot responses across ten popular AI large language models (LLMs), including OpenAI’s ChatGPT and Microsoft’s Copilot. In December, Koi detailed a threat group known as ShadyPanda, which had uploaded legitimate extensions to browser marketplaces over seven years and later deployed malicious updates.
This year has seen further alerts regarding both Google Chrome and Microsoft Edge web stores, where bad actors initially released seemingly legitimate extensions before subsequently weaponizing them through malicious updates. The growing number of extensions used to enhance and customize user browsing experiences has expanded the attack surface for individuals and their companies, according to security experts.
“Browser extensions aren’t niche tools anymore; they’re deeply embedded in how people work,” stated Grip Security researchers Ben Robertson and Guy Katzir. “But that convenience comes with risk, especially when security teams lack visibility into what’s installed, what it can access, or how it behaves after login.” They highlighted that while endpoint agents and network controls are still crucial, they fail to capture activities taking place within browsers, where threats like token hijacking and data leakage can quietly emerge.
In these latest attacks, hackers created extensions that impersonated a legitimate browser tool developed by a company called AITOPIA. This extension features a sidebar for users to interact with popular AI LLMs. The malicious variants retained AITOPIA’s functionality while embedding malware designed to steal conversations from ChatGPT and DeepSeek.
“This approach serves two purposes: it makes the malicious extensions appear functional and useful—thereby increasing download rates—while the familiar AITOPIA interface masks the malicious activity occurring in the background,” Siman and Bustan noted. The malware utilizes broad permissions to monitor user browsing activity, identifying conversation pages on platforms like ChatGPT and DeepSeek to extract both user prompts and AI responses in real-time.
Stolen data is stored locally on victims’ systems and subsequently transmitted in batches to the C2 server. The malware requests user permission to collect anonymized browser behavior. If granted, the extension listens for events such as visited URLs and interactions with ChatGPT and DeepSeek chats.
To maintain access on victims’ systems, the hackers devised a method that ensures at least one of the malicious extensions remains operational. “When one of the extensions is uninstalled, it opens the other malicious extension inside a new tab, tricking users into installing the other extension instead,” the researchers wrote. In an effort to obfuscate their activities, the attackers set up privacy policies and uninstall redirection websites using the coding tool Lovable, complicating the tracing of the websites’ creators.
OX Security reported notifying Google about the malicious extensions on December 29, to which the company responded the following day, indicating that they were reviewing the issue. As the threat landscape continues to evolve, organizations must remain vigilant about the risks posed by browser extensions, particularly as the tools become more integrated into daily workflows.
See also
AI Agents Fall Short in Federal Work: New Study Reveals Limits of Automation
AI-Driven Cybercrime to Reach Trillions by 2026, Threatening Global Security and Economy
S&P Global Partners with Google Cloud to Enhance AI Tools and Workflow Efficiency
NVIDIA Completes $5 Billion Intel Stake Acquisition to Propel Strategic AI Chip Development
Transform Your Portfolio: Unlock AI-Driven Stock Picks for Just $55.19 Today!
