Full Report
Cybersecurity researchers have discovered two new malicious extensions on the Chrome Web Store that are designed to exfiltrate OpenAI ChatGPT and DeepSeek conversations alongside browsing data to servers under the attackers' control. The names of the extensions, which collectively have over 900,000 users, are below - Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (ID:
Analysis Summary
# Incident Report: Malicious Chrome Extensions Exfiltrating AI Chat Data ("Prompt Poaching")
## Executive Summary
Cybersecurity researchers discovered two malicious Chrome browser extensions designed to execute "Prompt Poaching" by stealthily harvesting confidential conversations from OpenAI ChatGPT and DeepSeek sessions, as well as general browsing history. These extensions collectively compromised the data of approximately 900,000 users before detection. The extensions were removed or flagged following disclosure, mitigating further immediate compromise via the Chrome Web Store (CWS).
## Incident Details
- Discovery Date: Prior to January 06, 2026 (when the research was published)
- Incident Date: Likely ongoing leading up to discovery.
- Affected Organization: Users of the compromised Chrome extensions ("Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude, and more.").
- Sector: Technology/Software Distribution (Chrome Web Store), Users of AI Services.
- Geography: Global (Platform-based compromise).
## Timeline of Events
### Initial Access
- Date/Time: Unknown, but active leading up to January 2026.
- Vector: Installation of malicious third-party extensions downloaded from the official Chrome Web Store.
- Details: Attackers published two malicious extensions impersonating legitimate tools. Users installed them based on trust or perceived utility, granting permissions under the guise of requesting consent for "anonymous, non-identifiable analytics data."
### Lateral Movement
- Not applicable in the traditional sense; the compromise was focused on data extraction from the browser environment of the end-user device running Chrome.
### Data Exfiltration/Impact
- Exfiltration occurred every 30 minutes, starting immediately after installation and user consent.
- Details: The malware specifically scanned the Document Object Model (DOM) of active web pages (ChatGPT, DeepSeek interfaces) to extract full conversation content. Simultaneously, it harvested all open Chrome tab URLs.
### Detection & Response
- Date/Time: Detection occurred concurrent with the research published by OX Security (reference cited Jan 06, 2026).
- Details: Researchers identified the data exfiltration patterns targeting specific C2 servers. Response involves reporting the findings to Google for removal/suspension of the extensions from the Chrome Web Store.
## Attack Methodology
- Initial Access: Installation of malicious extensions ("Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude, and more.") from the Chrome Web Store.
- Persistence: Maintained access via the privileged permissions granted to the installed browser extension (running within the user's browser profile).
- Privilege Escalation: Not applicable; relied on deceiving users into granting standard extension permissions.
- Defense Evasion: Impersonated a legitimate, popular extension ("Chat with all AI models (Gemini, Claude, DeepSeek...) & AI Agents") to build initial trust. Used deceptive permission requests for "analytics."
- Credential Access: Access to system credentials is not explicitly mentioned, but session data/context was harvested.
- Discovery: Identified specific DOM elements related to active AI chatbot sessions.
- Lateral Movement: N/A (User-specific compromise).
- Collection: Harvesting of current browser tab URLs and extraction of full conversation text from ChatGPT and DeepSeek sessions.
- Exfiltration: Data was sent every 30 minutes to remote C2 servers (`chatsaigpt[.]com` or `deepaichats[.]com`). Attackers leveraged Lovable to host associated infrastructure (`chataigpt[.]pro` or `chatgptsidebar[.]pro`).
- Impact: Espionage, theft of confidential data, and potential financial fraud via phishing.
## Impact Assessment
- Financial: High potential for financial loss due to corporate espionage or identity theft resulting from exposed data. Specific costs are unavailable.
- Data Breach: Sensitive conversational data from AI tools (potentially containing proprietary information, client data, sensitive research) and browsing history (search queries, internal corporate URLs). Affected over 900,000 users.
- Operational: Minimal direct operational disruption to the victims' machines, but high risk of IP loss or breaches in organizations where employees installed the extensions.
- Reputational: Significant reputational damage to the affected AI service providers and Google/Chrome Web Store for hosting malicious software.
## Indicators of Compromise
- Network Indicators (Defanged):
  - `chatsaigpt[.]com`
  - `deepaichats[.]com`
  - `chataigpt[.]pro`
  - `chatgptsidebar[.]pro`
- File Indicators: Malicious code embedded within the extension package files.
- Behavioral Indicators: Regular, periodic (every 30 minutes) transmission of large amounts of user session data over HTTPS to known suspicious domains, originating from browser processes.
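
The network and behavioral indicators above can be combined into one hunt over proxy logs: match the listed domains (including subdomains) and check whether a client contacts them on a roughly 30-minute cadence. This is an added example, not code from the original research; the log format, client IPs, `api.` subdomain, jitter tolerance and minimum hit count are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Defanged domains listed in this report; refanged only in memory for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "chatsaigpt[.]com", "deepaichats[.]com",
    "chataigpt[.]pro", "chatgptsidebar[.]pro")}
BEACON_SECONDS = 30 * 60   # exfiltration interval stated in the report
TOLERANCE = 120            # assumed jitter allowance, in seconds
MIN_HITS = 3               # assumed minimum hits before calling it periodic

def matched_ioc(host):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    return next((i for i in IOC_DOMAINS if host == i or host.endswith("." + i)), None)

def find_beacons(lines):
    """Group IoC hits by (client, domain) and flag ~30-minute periodic contact."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, _method, target, _size = fields
        ioc = matched_ioc(target.rsplit(":", 1)[0])  # drop the :port suffix
        if ioc:
            hits[(client, ioc)].append(datetime.fromisoformat(ts))
    findings = {}
    for key, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(times) >= MIN_HITS and abs(median(gaps) - BEACON_SECONDS) <= TOLERANCE
        findings[key] = {"hits": len(times), "periodic": periodic}
    return findings

# Constructed sample proxy log (not real telemetry): timestamp client method host:port bytes
C2 = "chatsaigpt[.]com".replace("[.]", ".")
SAMPLE_LOG = [
    f"2026-01-05T09:00:12+00:00 10.0.0.21 CONNECT {C2}:443 18432",
    "2026-01-05T09:04:40+00:00 10.0.0.21 CONNECT chatgpt.com:443 2048",
    f"2026-01-05T09:30:15+00:00 10.0.0.21 CONNECT api.{C2}:443 20110",  # constructed subdomain
    f"2026-01-05T10:00:09+00:00 10.0.0.21 CONNECT {C2}:443 17655",
    f"2026-01-05T11:17:00+00:00 10.0.0.34 CONNECT {C2}:443 512",
]

if __name__ == "__main__":
    for (client, domain), info in find_beacons(SAMPLE_LOG).items():
        print(client, domain.replace(".", "[.]"), info)
```

Any hit on these domains warrants review of the client's installed extensions; the `periodic` flag only separates sustained 30-minute beaconing from a one-off lookup.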
## Response Actions
- Containment measures: Researchers/Security vendors reported the malicious extensions to Google. Google likely suspended or delisted the extensions from the Chrome Web Store.
- Eradication steps: Affected users must manually uninstall the malicious extensions.
- Recovery actions: Users must assume all data shared with those AI services while the extension was active has been compromised and take necessary precautions (e.g., resetting related passwords, alerting internal security teams if corporate data was exposed).
## Lessons Learned
- Browser extension vetting must be more rigorous, even for tools that appear benign or functionally useful.
- Users remain susceptible to social engineering that convinces them to accept broad permissions under vague justifications ("analytics").
- Attackers are actively weaponizing the trust associated with popular brands (ChatGPT, Claude) to distribute malware via official developer portals.
## Recommendations
- **For Users:** Carefully vet the functionality requested by browser extensions against their stated purpose. Avoid installing extensions that promise integration with multiple proprietary services unless they come from the original service provider.
- **For Platform Owners (Google):** Enhance automated scanning and auditing of extensions that interact with high-value DOM elements or known session storage areas, especially those related to cutting-edge AI services.
- **For Organizations:** Implement policies restricting or monitoring the installation of third-party browser extensions across corporate devices, especially for employees interacting with sensitive or proprietary data via web applications.