
Malicious Chrome extensions featured by Google have been stealing chat history from ChatGPT and DeepSeek.
- Two malicious Chrome extensions with 900,000 downloads masquerade as legitimate AI tools from AITOPIA.
- The compromised extensions exfiltrate DeepSeek and ChatGPT browsing activity and chat history every 30 minutes.
- OX Security found one malware-infected extension holds a Google Featured badge despite verified spyware concerns.
- Stolen AI conversations expose sensitive corporate data to risks like weaponized espionage and identity theft.
A new malware campaign was discovered hiding in plain sight on the Chrome Web Store. The malicious extensions masqueraded as a legitimate tool by a company called AITOPIA, which adds a sidebar on top of any website, allowing users to chat with LLMs.
Security researchers at OX Security discovered that the campaign includes two Chrome extensions with over 900,000 combined installations. While the extensions function as advertised, they are interlaced with spyware.
Once installed, the extensions begin exfiltrating a user’s chat history with ChatGPT and DeepSeek, as well as browsing activity, every 30 minutes. A significant cause for concern is that one of the extensions bears Google’s “Featured” badge.
The extensions are still live. The OX team stated that they had informed Google about their findings, but as of December 30th, the issue is still under review by the Google response team.
Which Chrome extensions were stealing ChatGPT data?
- Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI: This extension has over 600,000 users and a Google Chrome Featured badge.
- AI Sidebar with Deepseek, ChatGPT, Claude, and more: This extension has over 300,000 users.
In their report, researchers highlight that conversations with AI could potentially include very sensitive data, including proprietary code, personal information, and other confidential data.
“This data can be weaponized for corporate espionage, identity theft, targeted phishing campaigns, or sold on underground forums,” OX researchers said.
“Organizations whose employees installed these extensions may have unknowingly exposed intellectual property, customer data, and confidential business information.”
All users who downloaded these Chrome extensions are urged to remove them from their browsers immediately. Additionally, it’s crucial to exercise caution when installing extensions, especially those from unknown sources, even if they display a “Featured” badge.
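To check a machine for the two extensions, the sketch below (an added example, not code from OX Security or Cybernews) walks a Chrome profile's `Extensions` directory and matches each installed extension's display name against the two names listed above. Matching by name is an assumption made here because the article gives no extension IDs, and the directory path is supplied by whoever runs it.

```python
import json
import re
import sys
from pathlib import Path

# Display names exactly as listed in the article (it gives no extension IDs).
FLAGGED_NAMES = [
    "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI",
    "AI Sidebar with Deepseek, ChatGPT, Claude, and more",
]

def _norm(name):
    """Lowercase and collapse whitespace so cosmetic differences do not hide a match."""
    return re.sub(r"\s+", " ", name).strip().lower()

def _display_name(version_dir, manifest):
    """Resolve manifest 'name', following a __MSG_key__ placeholder into _locales."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    path = version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # placeholder could not be resolved; keep it as-is
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == m.group(1).lower() and isinstance(entry, dict):
            return entry.get("message", name)
    return name

def find_flagged_extensions(extensions_root):
    """Return sorted (extension_id, version_dir, display_name) for installed matches."""
    wanted = {_norm(n) for n in FLAGGED_NAMES}
    hits = []
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        name = _display_name(manifest_path.parent, manifest)
        if _norm(name) in wanted:
            hits.append((manifest_path.parts[-3], manifest_path.parts[-2], name))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_flagged_extensions(sys.argv[1]):
        print(*hit, sep="\t")
```

Run it once per browser profile, passing that profile's `Extensions` folder as the argument. A publisher can rename an extension, so an empty result does not prove a profile is clean.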
This is not the first time that functional Chrome extensions have been caught secretly swiping user data. Previously, cybersecurity researchers from Koi found that a Chrome extension with more than six million users, a 4.7-star rating, and a “Featured” badge from Google was actively harvesting users' AI chat conversations.