Over 900,000 Chrome users have fallen victim to a sophisticated malware campaign involving two fake AI productivity extensions that impersonate legitimate tools like AITOPIA. Discovered by OX Security researchers in late December 2025, the malicious add-ons — one of which earned Google’s coveted “Featured” badge — secretly exfiltrate complete ChatGPT and DeepSeek conversations, including user prompts, AI responses, and metadata, along with full browsing histories and open tab URLs. Data is Base64-encoded and sent to attacker-controlled servers (e.g., deepaichats[.]com, chatsaigpt[.]com) every 30 minutes via the chrome.tabs.onUpdated API, highlighting the dangerous rise of “prompt poaching” in browser-based AI tools as of January 10, 2026
The malicious extensions were designed to mimic the legitimate AITOPIA tool, which provides a convenient sidebar for interacting with multiple LLMs directly within web pages. By replicating this interface, the attackers evaded initial suspicion while embedding data-stealing capabilities.
The two identified extensions include:
Both extensions deceived users by prompting for consent to collect “anonymous, non-identifiable analytics data,” a seemingly innocuous request that masked the exfiltration of full conversation content from ChatGPT and DeepSeek sessions.
The malware operates by monitoring browser tabs (via chrome.tabs.onUpdated API), generating a unique identifier per victim, scraping DOM elements on targeted sites (chatgpt.com or deepseek.com), storing data locally, Base64-encoding it, and transmitting batches to remote command-and-control (C2) servers every 30 minutes. Attackers further anonymized their infrastructure by abusing platforms like Lovable for hosting privacy policies and other components.
Stolen data poses significant risks, particularly in enterprise environments:
This incident aligns with the emerging trend of “prompt poaching,” where adversaries exploit browser extensions to capture AI interactions, bypassing traditional endpoint protections.
For small and medium-sized businesses (SMBs), this campaign represents a low-barrier, high-impact supply-chain risk. Employees often install productivity extensions on work devices without centralized vetting, inadvertently creating backdoors for data exfiltration. Unlike traditional malware, these threats evade many endpoint detection tools by operating within trusted browser processes.
SMBs should view browser extensions as part of the extended attack surface—similar to SaaS apps or third-party scripts. The presence of a Google “Featured” badge or high install counts no longer guarantees safety, as seen here. Proactive extension management can prevent intellectual property leakage, compliance violations (e.g., GDPR, CCPA), and downstream attacks like credential stuffing or spear-phishing based on stolen chat context.
The following Indicators of Compromise (IOCs) can help security teams detect and respond to this campaign:
Organizations and individual users should take immediate action:
The campaign, reported to Google on December 29, 2025, highlights the need for heightened vigilance as AI tools integrate deeper into daily workflows. While the extensions have since faced restrictions (with one losing its Featured status), the incident serves as a reminder that supply-chain compromises in the browser ecosystem remain a persistent challenge.
“Browser extensions remain one of the most under-monitored parts of the modern attack surface, often granted excessive permissions that enable stealthy, persistent data exfiltration — especially when tied to high-value AI workflows.” OX Security research team, December 2025 analysis
https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations
Over 900,000 Chrome users have fallen victim to a sophisticated malware campaign involving two fake AI productivity extensions that impersonate legitimate tools like AITOPIA. Discovered by OX Security researchers in late December 2025, the malicious add-ons — one of which earned Google’s coveted “Featured” badge — secretly exfiltrate complete ChatGPT and DeepSeek conversations, including user prompts, AI responses, and metadata, along with full browsing histories and open tab URLs. Data is Base64-encoded and sent to attacker-controlled servers (e.g., deepaichats[.]com, chatsaigpt[.]com) every 30 minutes via the chrome.tabs.onUpdated API, highlighting the dangerous rise of “prompt poaching” in browser-based AI tools as of January 10, 2026
The malicious extensions were designed to mimic the legitimate AITOPIA tool, which provides a convenient sidebar for interacting with multiple LLMs directly within web pages. By replicating this interface, the attackers evaded initial suspicion while embedding data-stealing capabilities.
The two identified extensions include:
Both extensions deceived users by prompting for consent to collect “anonymous, non-identifiable analytics data,” a seemingly innocuous request that masked the exfiltration of full conversation content from ChatGPT and DeepSeek sessions.
The malware operates by monitoring browser tabs (via chrome.tabs.onUpdated API), generating a unique identifier per victim, scraping DOM elements on targeted sites (chatgpt.com or deepseek.com), storing data locally, Base64-encoding it, and transmitting batches to remote command-and-control (C2) servers every 30 minutes. Attackers further anonymized their infrastructure by abusing platforms like Lovable for hosting privacy policies and other components.
Stolen data poses significant risks, particularly in enterprise environments:
This incident aligns with the emerging trend of “prompt poaching,” where adversaries exploit browser extensions to capture AI interactions, bypassing traditional endpoint protections.
For small and medium-sized businesses (SMBs), this campaign represents a low-barrier, high-impact supply-chain risk. Employees often install productivity extensions on work devices without centralized vetting, inadvertently creating backdoors for data exfiltration. Unlike traditional malware, these threats evade many endpoint detection tools by operating within trusted browser processes.
SMBs should view browser extensions as part of the extended attack surface—similar to SaaS apps or third-party scripts. The presence of a Google “Featured” badge or high install counts no longer guarantees safety, as seen here. Proactive extension management can prevent intellectual property leakage, compliance violations (e.g., GDPR, CCPA), and downstream attacks like credential stuffing or spear-phishing based on stolen chat context.
The following Indicators of Compromise (IOCs) can help security teams detect and respond to this campaign:
Organizations and individual users should take immediate action:
The campaign, reported to Google on December 29, 2025, highlights the need for heightened vigilance as AI tools integrate deeper into daily workflows. While the extensions have since faced restrictions (with one losing its Featured status), the incident serves as a reminder that supply-chain compromises in the browser ecosystem remain a persistent challenge.
“Browser extensions remain one of the most under-monitored parts of the modern attack surface, often granted excessive permissions that enable stealthy, persistent data exfiltration — especially when tied to high-value AI workflows.” OX Security research team, December 2025 analysis
https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations