.png){kind=logo}
Cybersecurity researchers at OX Security identified two malicious Chrome extensions that harvested AI chat data at scale. The extensions captured ChatGPT and DeepSeek conversations and collected users' browsing context. OX Security linked the campaign to roughly 900,000 installs across both listings.
OX Security said the operators copied AITOPIA’s branding and user experience. The fake tools still showed an AI sidebar, so users saw familiar features during browsing. However, the code added hidden background collection routines.
The researchers flagged two listings by name. One listing used the title "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI." The other used "AI Sidebar with Deepseek, ChatGPT, Claude, and more."
On December 31, the Chrome Web Store page showed about 600,000 users for the first extension. The second listing showed about 300,000 users. The first listing also displayed a Google "Featured" badge.
OX Security said the legitimate AITOPIA extension discloses that it stores chats created through its own sidebar. In contrast, the clones pulled conversation text from third-party sites, including ChatGPT and DeepSeek.
The extensions requested permissions that allowed access to website content and user activity. They framed the access as analytics collection. However, the code monitored browsing and extracted content from AI sites.
OX Security said the malware checked URLs for the strings "chatgpt" and "deepseek.’ It then reads chat messages from page elements. It captured prompts and responses and stored the text in a local database.
Every 30 minutes, the extensions sent the collected data to command-and-control servers. OX Security said the package included chat content and full tab URLs. The code used Base64 encoding during transfer, and researchers tied infrastructure to deepaichats[.]com.
The "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" listing displayed the "Featured" label. It also stated it followed recommended practices for Chrome extensions.
Store disclosures for both listings said the extensions handled website content and user activity. One listing also listed web history among the handled data types.
OX Security said stolen AI chats can include source code, internal planning notes, and personal data shared during support queries. Meanwhile, full URLs can expose internal dashboards, employee tools, and session-related parameters in links.
OX Security reported the extensions to Google on December 29, 2025. It said Google acknowledged the report and placed the issue under review on December 30. OX Security also said the threat actors used Lovable-hosted assets to support parts of the operation.
Also Read: Why is Bard Not as Competitive as ChatGPT
