CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Malware & Threats

Chrome Extensions With 900,000 Downloads Caught Stealing AI Chats

Impersonating a legitimate extension from AITOPIA, the two malicious extensions were also exfiltrating users’ browser activity. The post Chrome Extensions With 900,000 Downloads Caught Stealing AI Chats appeared first on SecurityWeek.

Chrome security

Two malicious Chrome extensions were observed exfiltrating browser data and users’ conversations with ChatGPT and DeepSeek, OX Security reports.

Impersonating a legitimate extension from AITOPIA, the two extensions gathered over 900,000 downloads, potentially impacting as many users.

The applications, called ‘Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI’ and ‘AI Sidebar with Deepseek, ChatGPT, Claude and more’, are no longer available in the Chrome web store.

According to OX Security, the extensions were abusing the AI-powered web development platform Lovable to host infrastructure components and anonymize their activity.

The legitimate AITOPIA extension they were impersonating allows users to chat with popular LLM models through a sidebar on top of visited websites.

The malicious applications copied the legitimate extension and added code that requested user consent to harvest “anonymous, non-identifiable analytics data” but instead stole the users’ complete ChatGPT and DeepSeek conversations.

Both extensions, OX Security says, collected all URLs from Chrome tabs, search queries, URL parameters containing session tokens, user IDs, and other authentication data.

By stealing the URLs from all browser tabs, they potentially leaked internal corporate domains, likely exposing corporate infrastructure and tools, OX Security says.

Depending on how the affected users interacted with the LLM models, the extensions potentially exfiltrated source code and development queries, personally identifiable information (PII), sensitive information such as confidential data and legal matters, and business strategies and planning.

“This data can be weaponized for corporate espionage, identity theft, targeted phishing campaigns, or sold on underground forums. Organizations whose employees installed these extensions may have unknowingly exposed intellectual property, customer data, and confidential business information,” OX Security notes.

Users are advised to remove the malicious extensions from their Chrome browser as soon as possible.

Related: GhostPoster Firefox Extensions Hide Malware in Icons

Related: Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

Related: Google Fortifies Chrome Agentic AI Against Indirect Prompt Injection Attacks

Related: New Firefox Extensions Required to Disclose Data Collection Practices

Latest News

CYBERNEWSMEDIAPublisher