Malicious Chrome Extensions Steal ChatGPT and DeepSeek Conversations
Cybersecurity researchers have discovered two new malicious extensions in the Chrome Web Store designed to exfiltrate OpenAI ChatGPT and DeepSeek conversations, along with browsing data, to servers under the attackers’ control. This type of attack, which uses browser extensions to stealthily capture AI conversations, has been dubbed “Prompt Poaching” by Secure Annex. Malicious Extensions Identified The two extensions, which together have more than 900,000 users, are: Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (ID: fnmihdojmnkclgjpcoonokmkhjpjechg, 600,000 users) AI Sidebar with Deepseek, ChatGPT, Claude, and more. (ID: inhcgfpbfdjbjogdfjbclgolkmhnooop, 300,000 users) Both extensions were discovered exfiltrating user conversations and all Chrome tab URLs to a remote command and control (C2) server every 30 minutes. They use a deceptive tactic, requesting consent for “anonymous, non-identifiable analytics data” while actually exfiltrating the entire content of ChatGPT and DeepSeek conversations. ...