900K Users Hit as Malicious Chrome Extensions Steal ChatGPT, DeepSeek Chats

900,000 Users Hit as Malicious Chrome Extensions Steal ChatGPT, DeepSeek Chats

900,000 Users Hit as Malicious Chrome Extensions Steal ChatGPT, DeepSeek Chats

Image: Generated via Google’s Nano Banana

OX Security reveals how malicious Chrome extensions exposed AI chats from ChatGPT and DeepSeek, silently siphoning sensitive data from 900,000 users.

Written By
Ken Underhill
Ken Underhill
Jan 7, 2026

OX Security researchers found that more than 900,000 Chrome users unknowingly exposed sensitive AI conversations after installing malicious browser extensions masquerading as legitimate productivity tools.

The campaign highlights how trusted browser ecosystems can be quietly abused to siphon off proprietary data, personal information, and corporate intelligence at scale.

The malware “… adds malicious capabilities by requesting consent for ‘anonymous, non-identifiable analytics data’ while actually exfiltrating complete conversation content from ChatGPT and DeepSeek sessions,” OX researchers said in a blog post.

How the malicious extensions monitor and collect data

Once installed, the malicious Chrome extensions established persistent visibility into users’ browsing activity by leveraging the chrome.tabs.onUpdated API, which allows extensions to monitor tab changes and page loads in real time.

This capability enabled the malware to silently observe when users navigated to AI platforms such as ChatGPT or DeepSeek without raising suspicion.

When a target page was detected, the extension dynamically interacted with the webpage’s document object model (DOM) to extract sensitive content directly from the browser session. This included full user prompts, AI-generated responses, and session-related metadata that tied conversations to specific users and browsing contexts.

Because the data was harvested from the rendered page itself, the attackers did not need to intercept network traffic or exploit vulnerabilities in the AI services.

How stolen data is aggregated and exfiltrated

Each infected browser instance was assigned a unique identifier, allowing the threat actors to correlate conversations across sessions and build detailed user profiles over time.

In addition to AI chat content, the extensions collected the complete URLs of all open Chrome tabs, providing attackers with visibility into users’ browsing habits, internal applications, and potentially sensitive corporate resources.

The harvested data was temporarily stored locally, then aggregated, Base64-encoded, and transmitted in scheduled batches to attacker-controlled command-and-control (C2) servers approximately every 30 minutes. This periodic exfiltration pattern reduced the likelihood of detection while enabling steady data collection at scale.

Notably, the attack did not rely on sophisticated exploits, privilege escalation, or zero-day vulnerabilities. Instead, it exploited excessive extension permissions and misleading consent prompts that claimed to collect only “anonymous, non-identifiable analytics.”

In reality, the extensions exfiltrated complete, identifiable conversation content and browsing data. This demonstrates how legitimate browser APIs and vague permission language can be abused to enable extensive surveillance under the guise of benign functionality.

Must-read security coverage

Reducing risk from AI-powered browser extensions

As AI-enabled tools become integral to everyday workflows, browser extensions have emerged as a high-risk yet frequently underestimated attack surface.

Effectively managing this risk requires a layered approach that combines strong technical controls, continuous monitoring, and informed, security-aware users.

  • Immediately remove the malicious extensions and review endpoint telemetry to identify affected users, extension IDs, and potential data exposure.
  • Treat browser extensions as a managed attack surface by enforcing allowlists, blocking sideloading, and revalidating extensions when permissions or ownership change.
  • Use endpoint and browser management tools to enforce corporate browser profiles and prevent unauthorized extension installation.
  • Apply data loss prevention (DLP) controls and logging to AI usage to detect and limit the exposure of sensitive data shared with AI platforms.
  • Monitor browser and network activity for indicators of extension-based compromise, including abnormal API usage and suspicious outbound connections.
  • Train employees on the risks of AI-enabled browser extensions and enforce least-privilege access for AI tools.
  • Regularly test incident response plans with extension- and AI-related scenarios to ensure teams can quickly contain breaches and assess data exposure.

Together, these measures help organizations move from reactive cleanup to proactive defense by reducing the risk that browser extensions will become silent gateways for data theft and compromise.

Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.com.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.