Malicious Chrome extensions harvest AI conversations from 900K users

What happened?

In December 2025, security researchers discovered malicious Chrome browser extensions that were secretly collecting users' conversations with AI chatbots like ChatGPT and DeepSeek. These have now been removed following responsible disclosure by researchers. Over 900,000 people downloaded these extensions, believing they were legitimate productivity tools.

The two main extensions were:

• Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI – downloaded by 600,000 users and marked with Google's "Featured" badge, suggesting it was trustworthy
• AI Sidebar with Deepseek, ChatGPT, Claude and more - downloaded by 300,000 users

Both extensions pretended to be linked with a legitimate tool called AITOPIA, which adds a helpful sidebar to websites for chatting with various AI services. They functioned as expected from a user perspective but covertly exfiltrated data in the background.

The extensions requested permission to collect "anonymous, non-identifiable data" to improve user experience. In practice, they collected full AI conversation content (user prompts and AI responses) as well as active browser tab URLs, transmitting this information to attacker-controlled servers approximately every 30 minutes.

Some researchers observed deceptive persistence behaviour, where uninstalling one extension could trigger the opening or promotion of the companion extension in a new browser tab. This behaviour was reported during analysis but may not have occurred consistently across all installations.

So what?

Conversations with AI tools frequently contain sensitive personal and organisational information. Employees may share confidential business plans, proprietary code, customer data, or competitive strategies when seeking AI assistance.

If installed on corporate devices, these malicious extensions may have exposed:

• Intellectual property and proprietary information shared with AI tools
• Business strategies and competitive intelligence discussed in AI conversations
• Customer data or personally identifiable information analysed using AI services
• Internal company URLs and browsing context visible in active tabs

This information could be valuable to competitors seeking business intelligence, criminals conducting targeted social engineering, or data brokers aggregating behavioural data. Potential consequences include competitive disadvantage, regulatory compliance issues, or targeted phishing attacks informed by internal knowledge.

The fact that one malicious extension previously received a Google "Featured" badge underscores that official store placement and trust indicators do not guarantee privacy or security vetting.

What should I do?

Organisations should take straightforward steps to protect against this type of threat without causing unnecessary disruption to business operations. Review managed systems for the presence of the malicious Chrome extensions listed in the Indicators of Compromise (IoC) table below.

Immediate actions

• Assess potential exposure: Identify users who installed the extensions and evaluate what categories of information may have been shared via AI conversations during the affected period.

Long-term measures

• Control extension installations: Implement browser management policies that restrict extension installation to an approved allow-list. Organisations should centrally govern which browser extensions and plugins are permitted to be installed and executed on corporate-managed devices, in alignment with recognised security best practices such as CIS Critical Security Control 9.4.
• Use enterprise AI services: Where AI use is business-critical, prefer enterprise offerings (e.g. ChatGPT Enterprise, Claude for Work) that provide contractual data protection assurances.
• Establish clear AI usage guidance: Provide employees with guidance on safe AI usage, emphasising that confidential, proprietary, or regulated data should not be shared with public AI services.
• Educate staff: Reinforce that extension store trust indicators do not guarantee privacy protection and that privacy policies should be reviewed before installation.

Indicators of Compromise (IoCs)