Full Report
As AI copilots and assistants become embedded in daily work, security teams are still focused on protecting the models themselves. But recent incidents suggest the bigger risk lies elsewhere: in the workflows that surround those models. Two Chrome extensions posing as AI helpers were recently caught stealing ChatGPT and DeepSeek chat data from over 900,000 users. Separately, researchers
Analysis Summary
# Incident Report: Malicious Browser Extensions Siphon AI Chat Data
## Executive Summary
Two malicious Google Chrome extensions posing as legitimate AI helpers were found exfiltrating chat data from users of ChatGPT and DeepSeek. The compromise affected over 900,000 users and relied on the permissions granted to the extensions at install time, not on any weakness in the AI models or services themselves. The lesson is that the exposed attack surface sits in the user workflow around the model (the browser, the extension, the session) rather than in the model core that most security teams have been concentrating on.
## Incident Details
- Discovery Date: Undisclosed, but reported in an article published January 15, 2026 (referencing recent incidents).
- Incident Date: Occurred prior to January 15, 2026.
- Affected Organization: Not disclosed (Involves third-party Chrome extensions maintained by unknown actors).
- Sector: General Technology / AI Service Users.
- Geography: Global (Affecting users of the Chrome Web Store).
## Timeline of Events
### Initial Access
- Date/Time: Unknown prior to discovery.
- Vector: Malicious Chrome Browser Extensions.
- Details: Attackers developed and published two extensions masquerading as helpful AI assistants on the Chrome Web Store. Users installed them and, in doing so, granted the permissions the extensions requested, including the ability to read page content on the sites they declared.
### Lateral Movement
- Details: No lateral movement within organizational networks was reported. The extensions used the page and session access granted by their permissions to read ChatGPT and DeepSeek conversation content directly inside the browser context.
### Data Exfiltration/Impact
- Details: Sensitive chat data, including conversations conducted via ChatGPT and DeepSeek, was stolen from over 900,000 users.
### Detection & Response
- Detection Method: Reported by security researchers who identified the malicious behavior of the published extensions.
- Response Actions: The article implies disclosure of the research findings and removal of the extensions from the Chrome Web Store. No organizational response is detailed, because the compromise occurred on end-user browsers through an extension supply chain rather than inside any single organization's infrastructure.
## Attack Methodology
- Initial Access: **Malicious Browser Extension Installation** (Social engineering/masquerading).
- Persistence: Maintaining presence via the installed extension within the user's browser profile until uninstalled.
- Privilege Escalation: Not applicable in the traditional sense; the attack relied on the **over-permissioned nature of the installed extensions**, which were granted the page and host access they needed at install time rather than having to escalate it.
- Defense Evasion: The extensions operated inside the user's authenticated browser session, so their reads of chat content looked like ordinary application use. Input validation and model-side controls did not apply: the data was taken on the *client side*, after the user had authenticated and after the model had already answered.
- Credential Access: Not explicitly stated. An extension with host access to the chat sites runs in the authenticated page context and can read the rendered conversation; if it also holds the cookies permission it can read session cookies for those sites.
- Discovery: N/A (Direct data harvesting).
- Lateral Movement: N/A (Targeted client-side data theft).
- Collection: **Siphoning chat data** from active ChatGPT and DeepSeek sessions running in the browser context.
- Exfiltration: The extensions themselves transmitted the collected chat content out of the browser; the receiving infrastructure was not identified in the article.
- Impact: Data Theft (Confidential chat logs).
## Impact Assessment
- Financial: Unknown.
- Data Breach: Chat histories and potential sensitive information discussed within ChatGPT and DeepSeek conversations for 900,000+ users.
- Operational: Minimal direct operational impact on organizational infrastructure, but significant data loss for affected users.
- Reputational: Negative publicity for the AI services named, even though the weakness lay in third-party extensions and the surrounding workflow rather than in the services.
## Indicators of Compromise
- Network Indicators: Not published (the extensions necessarily sent the data to infrastructure outside the browser, but no domains or addresses are given in the article).
- File Indicators: Malicious extension packages uploaded to the Chrome Web Store (specific extension IDs and hashes not provided).
- Behavioral Indicators: An installed extension that declares host access to the ChatGPT or DeepSeek web hosts (or to `<all_urls>`), holds broad permissions such as cookies, scripting or webRequest, and sends outbound requests to destinations unrelated to its stated function.
## Response Actions
- Containment: Report the extensions to Google for removal from the Chrome Web Store. Enterprise administrators can additionally block the extension IDs through browser policy; individual users must uninstall the extensions themselves.
- Eradication: Remove the malicious extensions from every affected browser profile and confirm no other extension carries the same broad access to the chat sites.
- Recovery Actions: Affected users should treat anything pasted into those chats (credentials, API keys, internal documents, customer data) as exposed, rotate any secrets among them, and review the active sessions and connected applications on their AI service accounts.
## Lessons Learned
- The primary attack surface for AI integration is the **workflow**, not the model core.
- Inputs (like malicious documents used for prompt injection) and the channels used to interact with the AI (like client-side extensions) are critical vulnerabilities.
- Traditional security controls (like input validation) fail when the interaction is natural-language context rather than executable code, and they cannot see a client-side component that reads the conversation after the service has already delivered it.
- AI systems blur application boundaries, creating new, often overlooked, integration pathways.
## Recommendations
- Implement stricter vetting processes (or encourage users to use enterprise-approved versions) for installing third-party browser extensions that interact with sensitive data services.
- Monitor for anomalous traffic patterns around AI workflows, including outbound connections from browsers and agents to unexpected destinations, even when each individual request looks routine.
- Security policies must evolve beyond fixed configurations to monitor and govern the *context* and *output* of AI agents, especially concerning data handling boundaries.
- Organizations should restrict AI assistants' access to highly sensitive internal data until workflow security posture is robust.
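The behavioral indicator above (an extension with page access to the chat sites plus broad permissions) and the vetting recommendation can both be turned into something runnable. The following is an added example written for this report; it is not code from the article or from the extensions it describes. It audits Chrome extension manifests for that capability and emits a Chrome enterprise ExtensionSettings policy that blocks unapproved extensions from the chat hosts at runtime. The host list, the sample manifests and the approved extension ID are assumptions made for the demonstration, and `extensionMayReach` is a simplified model of how Chrome applies the policy, not Chrome's own logic.

```javascript
// Added example, not code from the original report or from any of the extensions
// it describes. It does two things a defender would want after this incident:
//   1. audit extension manifests for the capability the malicious extensions
//      relied on (page access to the ChatGPT/DeepSeek web apps plus broad
//      permissions), and
//   2. emit a Chrome enterprise ExtensionSettings policy that blocks unapproved
//      extensions from those hosts at runtime.
// The host list, sample manifests and extension ID are assumptions made for the demo.

// Web hosts serving the chat UIs. Assumed list; adjust for your environment.
const AI_CHAT_HOSTS = ["chatgpt.com", "chat.openai.com", "chat.deepseek.com"];

// Permissions that, combined with host access, let an extension read cookies,
// intercept traffic or inject script into any matched page.
const BROAD_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "scripting", "debugger", "tabs",
]);

// Does a Chrome match pattern (e.g. "<all_urls>", "*://*.example.com/*") or an
// ExtensionSettings host pattern (same form without a path) cover this hostname?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?|wss?|ftp|file):\/\/([^/]*)(?:\/.*)?$/.exec(pattern);
  if (!m) return false; // not a URL pattern (e.g. a named permission such as "cookies")
  const hostPart = m[1].toLowerCase();
  host = host.toLowerCase();
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    const base = hostPart.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPart;
}

// Every URL pattern an extension can inject into or fetch from: MV2 host
// patterns inside "permissions", MV3 "host_permissions", and content-script
// match lists.
function reachablePatterns(manifest) {
  const patterns = [...(manifest.host_permissions || [])];
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
  }
  for (const cs of manifest.content_scripts || []) patterns.push(...(cs.matches || []));
  return patterns;
}

// Audit one manifest. "high" = can reach a chat host AND holds a broad
// permission; "review" = can reach a chat host; "none" = cannot reach one.
function auditManifest(manifest) {
  const patterns = reachablePatterns(manifest);
  const chatHostsReachable = AI_CHAT_HOSTS.filter(
    (h) => patterns.some((p) => patternCoversHost(p, h)));
  const broadPermissions = (manifest.permissions || []).filter((p) => BROAD_PERMISSIONS.has(p));
  let risk = "none";
  if (chatHostsReachable.length > 0) risk = broadPermissions.length > 0 ? "high" : "review";
  return { name: manifest.name, chatHostsReachable, broadPermissions, risk };
}

// ExtensionSettings policy: the "*" entry applies to every extension and blocks
// the chat hosts at runtime; each approved extension ID gets an explicit allow,
// which takes precedence over the block. Host patterns in this policy carry no path.
function buildExtensionSettingsPolicy(approvedExtensionIds) {
  const hostPatterns = AI_CHAT_HOSTS.map((h) => `*://*.${h}`);
  const policy = { "*": { runtime_blocked_hosts: hostPatterns } };
  for (const id of approvedExtensionIds) {
    policy[id] = { installation_mode: "allowed", runtime_allowed_hosts: hostPatterns };
  }
  return policy;
}

// Simplified model (not Chrome's code) of the policy for one extension and host:
// an extension-specific runtime_allowed_hosts entry wins over any block.
function extensionMayReach(policy, extensionId, host) {
  const allowed = policy[extensionId]?.runtime_allowed_hosts || [];
  if (allowed.some((p) => patternCoversHost(p, host))) return true;
  const blocked = [...(policy["*"]?.runtime_blocked_hosts || []),
                   ...(policy[extensionId]?.runtime_blocked_hosts || [])];
  return !blocked.some((p) => patternCoversHost(p, host));
}

// Constructed sample manifests: one ordinary extension and one shaped like the
// "AI helper" extensions in the report (broad host access, cookies, a content
// script on the chat sites).
const SAMPLE_MANIFESTS = [
  { name: "Tab Counter (constructed benign sample)", manifest_version: 3,
    permissions: ["activeTab"], host_permissions: [] },
  { name: "AI Chat Helper (constructed malicious-style sample)", manifest_version: 3,
    permissions: ["cookies", "scripting", "storage"], host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://chatgpt.com/*", "*://chat.deepseek.com/*"], js: ["inject.js"] }] },
];

function auditAll(manifests) { return manifests.map(auditManifest); }

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
  console.log(JSON.stringify(buildExtensionSettingsPolicy(["abcdefghijklmnopabcdefghijklmnop"]), null, 2));
}
```

Run it with `node` to see the audit findings and the generated policy object; the object is what goes into the ExtensionSettings policy on managed Chrome installs (registry on Windows, plist on macOS, JSON policy file on Linux). For a real fleet, feed `auditManifest` the `manifest.json` of every installed extension from each profile's extensions directory rather than the constructed samples.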