Sarah Chen
If you use ChatGPT or DeepSeek through your browser, what you're about to read should genuinely concern you. Two Chrome extensions, installed by over 900,000 users combined, were silently stealing every conversation these users had with AI chatbots. The worst part? One of them carried Google's own "Featured" badge.
Let me break this down: this isn't a hypothetical attack scenario. It already happened, and the technique is so sophisticated that security researchers have given it a specific name β Prompt Poaching.
The discovery was made by researcher Moshe Siman Tov Bustan from security firm OX Security on December 29, 2025. The attack name was coined by John Tuckner, founder of Secure Annex, and it represents an entirely new category of threat targeting anyone who uses AI through a browser.
In this article, I'll break down exactly what happened, how the attack worked technically, what data was stolen, and most importantly, what you can do right now to check if you're affected.
The Two Extensions That Fooled 900,000 Users
The culprits were two extensions available on the Chrome Web Store, Google's official extension marketplace:
- "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" β approximately 600,000 installs
- "AI Sidebar with Deepseek, ChatGPT, Claude, and more" β approximately 300,000 installs
Both extensions masqueraded as legitimate tools that integrated multiple AI models directly into the browser. In fact, they copied the interface and functionality of AITOPIA's legitimate AI Sidebar extension, a real and trustworthy tool. The impersonation was nearly perfect.
But here's the truly alarming part: the first extension, the one with 600,000 installs, carried Google's "Featured" badge. Google had marked it as a recommended extension. This badge is designed to indicate that an extension meets high standards of quality and security. The fact that a piece of malware obtained it reveals a serious failure in the Chrome Web Store's review process.
To put it in perspective: when a user searched for "ChatGPT" or "DeepSeek" in the extension store, these appeared among the top results, with high ratings and hundreds of thousands of downloads. Everything looked legitimate. Everything was a trap.
How the Attack Worked: DOM Scraping Every 30 Minutes
Let me break this down: the attack used a technique called DOM scraping, which involves directly reading the content displayed on the web page the user is visiting.
When you open ChatGPT or DeepSeek in your browser, the entire conversation is rendered in the DOM (Document Object Model), which is essentially the page's structure. The malicious extension had access to this DOM because users had granted the necessary permissions during installation β something that seems normal for an AI extension that promises to "enhance your experience."
The process worked as follows:
- Constant monitoring: The extension ran a background script that watched the browser's open tabs.
- AI platform detection: When it detected the user was on ChatGPT, DeepSeek, or another AI platform, it activated the extraction module.
- DOM scraping: Every 30 minutes, the extension read all visible conversation content: your prompts, the AI's responses, and even previous conversation history if it was loaded.
- Base64 encoding: The collected data was encoded in Base64 format, which isn't real encryption but simply a way to obscure the content so it wasn't immediately readable in transit.
- Silent exfiltration: The encoded data was sent to remote servers controlled by the attackers.
But the theft wasn't limited to AI conversations. The extensions also collected all URLs open in Chrome and the user's search queries. This means the attackers didn't just know what you asked ChatGPT β they also knew what pages you visited and what you searched on Google.
Infrastructure Anonymized with AI
A particularly ironic detail: the attackers used Lovable, an AI-powered web development platform, to create and anonymize their server infrastructure. In other words, they used artificial intelligence to steal data from artificial intelligence users. The irony is hard to ignore, but it also signals a concerning trend: AI tools are making it easier to create more sophisticated malware, as we've also analyzed in our article about privacy in Google's Gemini services.
What Data Was Stolen Exactly
Let's be specific about the scope of the theft, because it's worse than it appears at first glance:
- Complete ChatGPT conversations: Every prompt sent and every response received. If you asked ChatGPT to review a confidential contract, the attackers have that contract.
- Complete DeepSeek conversations: The same applies to this platform. Code, ideas, personal data, everything.
- URLs from all tabs: A complete map of your browsing activity, including access to banks, email, social networks, and any page visited.
- Search queries: Everything you searched on Google or other engines while the extension was active.
- Session metadata: Information about when and how you used the browser.
Think about everything you've asked ChatGPT in recent months. Business strategies, proprietary code, medical data, financial information, personal conversations. All of that potentially in the hands of strangers.
This is not a minor problem when we consider that 99% of enterprise users have at least one extension installed in Chrome, according to industry data. In corporate environments, a single compromised extension can expose trade secrets, intellectual property, and data regulated by frameworks like GDPR or HIPAA.
Not the First Time: Chrome Extensions' Dark Track Record
The Prompt Poaching case is serious, but it's not an isolated incident. Chrome extensions have been an underestimated attack vector for years. Here's a comparison of the most relevant incidents:
| Incident | Extension | Users Affected | Data Stolen | Data Destination |
|---|---|---|---|---|
| Prompt Poaching (2025) | Chat GPT for Chrome / AI Sidebar | 900,000+ | AI conversations, URLs, searches | Anonymous servers |
| Urban VPN | Urban VPN (extension and app) | 8,000,000+ | Complete browsing traffic | Sold to BiScience (data broker) |
| Similarweb | Similarweb extension | 1,000,000+ | Complete browsing history | Commercial use (analytics) |
| StayFocusd | StayFocusd | 600,000+ | Browsing data | Undisclosed third parties |
The Urban VPN case is particularly chilling: with 8 million users affected, the company sold browsing data to BiScience, a data broker that marketed it to third parties. Users believed they were protecting their privacy with a free VPN, when in reality they were giving away their entire online activity.
The pattern is clear: free extensions that seem too good to be true usually are. And the problem isn't limited to unknown extensions; even popular tools like Similarweb have been flagged for excessive data collection practices.
How to Check If You're Affected: Step-by-Step Guide
If you use Chrome and any AI-related extension, follow these steps right now:
Step 1: Review Your Installed Extensions
- Open Chrome and type
chrome://extensions/in the address bar - Look specifically for these two extensions:
- "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI"
- "AI Sidebar with Deepseek, ChatGPT, Claude, and more"
- Important: although Google removed them from the Chrome Web Store, removal from the store does NOT automatically uninstall them from your browser. If you have them installed, they're still there.
Step 2: Uninstall Immediately
If you find either one:
- Click the "Remove" button on the extension
- Confirm the removal
- Restart Chrome completely (close all windows and reopen)
Step 3: Change Your Passwords
If you had either of these extensions:
- Change your ChatGPT and DeepSeek passwords immediately
- Change passwords for any service you accessed from Chrome while the extension was active
- Enable two-factor authentication (2FA) on all critical services
Step 4: Review Permissions on All Your Extensions
- In
chrome://extensions/, click "Details" on each extension - Review the permissions section
- Be suspicious of any extension that requests:
- "Read and change all your data on all websites"
- "Read your browsing history"
- Access to "all URLs"
Step 5: Audit Sensitive Conversations
Make a list of the most sensitive conversations you had with ChatGPT or DeepSeek:
- Did you share proprietary code?
- Did you include personal data about clients?
- Did you discuss confidential financial information?
If the answer to any of these is yes, notify your security team or take steps to mitigate the exposure of that information.
How to Protect Yourself: 7 Essential Preventive Measures
Beyond checking if you're affected, these are the best practices to avoid falling victim to similar attacks in the future:
1. Principle of minimal extensions: Only install extensions you truly need. Every extension is a potential attack vector. If you're not actively using it, remove it.
2. Verify the developer: Before installing any extension, check who the developer is. Look for their website, social media presence, and whether they have other published extensions. The Prompt Poaching attackers impersonated AITOPIA, a real company.
3. Don't blindly trust badges: As we saw, even Google's "Featured" badge doesn't guarantee security. It's a useful indicator, but it's not infallible.
4. Read permissions before installing: If an AI extension requests access to "all websites" and your "browsing history," ask yourself why it needs that. A legitimate AI extension should only work on the specific domains where it operates.
5. Use separate Chrome profiles: Create a dedicated Chrome profile for AI work, without unnecessary extensions. This way, even if an extension is malicious, the scope of damage is limited.
6. Periodically review your extensions: At least once a month, go to chrome://extensions/ and review what you have installed. Remove anything you don't recognize or don't use.
7. Consider browser alternatives: For especially sensitive conversations, use the official desktop applications for ChatGPT or DeepSeek instead of the browser. Native applications are not exposed to malicious extensions.
These security measures are especially relevant if you also use your browser for other productivity tools. In our Notion vs Obsidian comparison we analyzed how to choose tools that respect your privacy, and in our article about Chrome Auto Browse with Gemini we explored the new AI features built into the browser itself, which could reduce the need for third-party extensions.
The Systemic Problem: Why Chrome Web Store Fails
This incident exposes a structural problem that goes beyond two malicious extensions. The Chrome Web Store has a review model that doesn't scale against the sophistication of modern attacks.
Consider the numbers: there are more than 250,000 extensions in the Chrome Web Store. Google's review team, however large, cannot manually analyze every extension's code or monitor changes introduced in updates after initial approval.
Attackers exploit this model in several ways:
- Late malicious updates: They publish a clean extension, accumulate installs and positive reviews, then introduce malicious code in a later update.
- Code obfuscation: The exfiltration code is hidden within seemingly legitimate functions, using techniques like the Base64 encoding we saw in this case.
- Brand impersonation: They copy the name, description, and screenshots of legitimate extensions to confuse users.
Google has taken measures such as the Manifest V3 program, which limits the permissions extensions can request, but security experts agree that it's not enough. Manifest V3 makes certain types of attacks harder, but it doesn't prevent the DOM scraping used by the Prompt Poaching extensions, since reading page content is legitimate functionality for many extensions.
The security community has proposed solutions including mandatory code audits for extensions with over 100,000 installs, automated network traffic monitoring from extensions, and proactive user alerts when an extension is removed for security reasons (instead of simply deleting it from the store without notifying those who already have it installed).
The Future of AI Extension Security
The Prompt Poaching attack marks a turning point. As more people integrate AI tools into their daily workflow, the attack surface grows exponentially.
AI conversations are not simple Google searches. They contain deep context: business strategies, source code, personal data, private reflections. The value of this data to an attacker is enormously greater than a simple browsing history.
OX Security researchers warn that these types of attacks will likely multiply in 2026, especially targeting enterprise users who use generative AI for critical tasks. The recommendation is clear: treat your AI conversations with the same level of security you apply to your passwords and financial data.
The next time you install a Chrome extension that promises to "enhance your ChatGPT experience," remember that those 900,000 users also thought they were installing something useful. The difference between security and vulnerability often comes down to a single click.
Frequently Asked Questions
Did Google remove the malicious extensions from the Chrome Web Store?
Yes, both extensions were removed from the Chrome Web Store following OX Security's report. However, removal from the store does not automatically uninstall the extension from browsers where it was already installed. If you had it, you must remove it manually from chrome://extensions/.
What exactly is "Prompt Poaching"?
It's the name John Tuckner, founder of Secure Annex, gave to this specific type of attack. It literally means "poaching prompts" and refers to the systematic theft of conversations users have with AI assistants like ChatGPT or DeepSeek.
Does this only affect Chrome or other browsers too?
These specific extensions were on the Chrome Web Store, so they affect Chrome and all Chromium-based browsers (Edge, Brave, Opera, Vivaldi). If you installed either of these extensions on any of these browsers, you're affected.
How can I know if my data has already been sold or used?
Unfortunately, there's no direct way to know. The exfiltrated data was sent to servers controlled by the attackers, and there's no public information about what they did with it. The best strategy is to assume the information was compromised and act accordingly: change passwords, enable 2FA, and monitor your accounts.
Are official AI extensions (like ChatGPT's) safe?
Official extensions developed by OpenAI, Google, or Anthropic go through much more rigorous development and auditing processes. However, no software is 100% secure. The key is to always verify that you're installing the official extension (check the verified developer) and not an imitation.
