Fake AI Chrome Extensions Hijack ChatGPT and DeepSeek Data, Exposing 900,000 Users
A sophisticated browser-based espionage campaign has quietly compromised the data of nearly 900,000 users by abusing trust in popular AI tools. Security researchers have uncovered a network of fake AI-powered Chrome extensions designed to mimic legitimate productivity assistants, while secretly siphoning sensitive user data and transmitting it to attacker-controlled servers.
The operation highlights a growing risk at the intersection of artificial intelligence and browser ecosystems, where convenience and novelty often override caution. By cloning the branding and functionality of a genuine AI extension, threat actors were able to blend into the Chrome Web Store long enough to reach a massive audience.
How the fake AI extensions worked
The malicious extensions were near-identical copies of a legitimate AI assistant designed to help users interact with large language models directly from their browser. Once installed, they appeared to function as advertised, offering AI-generated responses, summaries, and productivity features that closely matched the original tool.
Behind the scenes, however, the extensions injected additional JavaScript logic that monitored user interactions. Prompts typed into ChatGPT and DeepSeek interfaces were silently captured, along with AI-generated responses, session metadata, and in some cases authentication tokens tied to the user’s browser session.
What data was stolen and why it matters
The scale of the exposure is significant. Researchers estimate that up to 900,000 users installed one or more of the rogue extensions before they were taken down. The harvested data includes AI prompts, generated outputs, and browser identifiers, which together can reveal business plans, internal code snippets, confidential research, or personal information users assumed was private.
For attackers, this data is extremely valuable. AI prompts often contain raw thoughts, unfinished work, and sensitive context that would never appear in a polished document. In enterprise environments, they can expose proprietary workflows, credentials pasted by mistake, or strategic discussions happening in real time.
Command and control infrastructure uncovered
Analysis of the extensions’ network traffic showed regular outbound connections to remote command and control servers. These servers received compressed data packets containing captured prompts and responses, effectively turning each infected browser into a live data tap.
The infrastructure was designed to be low-noise. Instead of flooding the network with traffic, the extensions sent small, periodic updates, making detection difficult for both users and many security tools. This approach allowed the campaign to persist for weeks without drawing attention.
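The small, periodic uploads described above can be hunted for in proxy or DNS logs by looking for evenly spaced, low-volume requests from one client to one host. The sketch below is an added example, not taken from the researchers' analysis; the log layout, hostnames and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records: (epoch seconds, client, destination host, bytes sent).
# Hostnames use the reserved .example TLD; none of them come from the article.
SAMPLE_LOG = (
    [(1000 + 300 * i + j, "ws-17", "sync.collector.example", 820 + 15 * j)
     for i, j in enumerate([0, 2, -1, 1, 0, -2, 1, 0])]
    + [(t, "ws-17", "docs.intranet.example", sent) for t, sent in
       [(1010, 400), (1042, 90000), (1500, 650), (2950, 1200), (3001, 300), (3100, 52000)]]
)

def find_beacons(records, min_events=6, max_bytes=4096, max_jitter=0.1):
    """Flag (client, host) pairs whose uploads are all small and evenly spaced.

    Thresholds are assumed starting points, to be tuned against local traffic.
    """
    flows = defaultdict(list)
    for ts, client, host, sent in records:
        flows[(client, host)].append((ts, sent))
    flagged = []
    for (client, host), events in flows.items():
        if len(events) < min_events:
            continue  # too few samples to judge periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap  # coefficient of variation of the intervals
        if jitter <= max_jitter and max(s for _, s in events) <= max_bytes:
            flagged.append((client, host, round(avg_gap), len(events)))
    return flagged

if __name__ == "__main__":
    for client, host, period, count in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} uploads about every {period}s")
```

Legitimate software such as update checkers and telemetry agents also beacons, so flagged pairs are leads to compare against known-good destinations rather than verdicts.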
Why AI-themed extensions are an attractive lure
AI tools have become embedded in daily workflows at remarkable speed. From developers and marketers to students and executives, users are eager to enhance productivity with minimal friction. Browser extensions promise exactly that: instant access with a single click.
Threat actors are exploiting this demand. AI branding carries an implicit sense of innovation and legitimacy, and users are less likely to scrutinise permissions when the extension claims to improve efficiency. In this case, broad permissions allowed the malicious code to read and modify data on visited pages, opening the door to large-scale surveillance.
Warning signs users may have missed
Unlike crude malware, these extensions showed no obvious malicious behaviour. There were no pop-ups, no crashes, and no visible performance issues. That subtlety is precisely what made them effective.
In hindsight, there were small red flags. The publisher details were vague, update histories were sparse, and support links led to generic or inactive pages. For most users, these details are easy to overlook when an extension appears to work as promised.
Steps users should take immediately
If you use AI-related browser extensions, especially those that interact directly with ChatGPT or similar tools, now is the time for a careful review. Removing untrusted extensions can dramatically reduce exposure.
- Audit installed extensions and remove anything you no longer recognise or actively use.
- Check extension permissions and be wary of tools that request access to all websites or page content.
- Assume exposed prompts are compromised and rotate any credentials or secrets that may have been pasted into AI tools.
- Limit AI use for sensitive data unless you fully trust the tool and environment.
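The first two steps can be scripted. The following is an added example, not code from the article or from any vendor: it reads the manifest of each extension in a Chrome profile's `Extensions` directory and flags all-sites access or host access to AI chat sites. The watched domain strings and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Chrome match patterns that grant access to every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# AI chat hosts to watch for; these domain strings are assumptions, not from the article.
AI_HOSTS = ("chatgpt.com", "chat.openai.com", "deepseek.com")

# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = {"manifest_version": 2, "permissions": ["storage", "<all_urls>"]}
SAMPLE_AI = {"manifest_version": 3, "host_permissions": ["https://chatgpt.com/*"],
             "content_scripts": [{"matches": ["https://chat.deepseek.com/*"], "js": ["c.js"]}]}
SAMPLE_OK = {"manifest_version": 3, "permissions": ["storage"],
             "host_permissions": ["https://example.org/*"]}

def host_patterns(manifest):
    """Collect every host match pattern the extension can read or script."""
    pats = list(manifest.get("host_permissions", []))            # Manifest V3
    pats += [p for p in manifest.get("permissions", [])          # Manifest V2 mixes hosts in here
             if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def assess(manifest):
    """Return a list of findings; an empty list means nothing was flagged."""
    pats = host_patterns(manifest)
    findings = []
    if any(p in BROAD for p in pats):
        findings.append("all-sites access")
    hits = sorted({h for h in AI_HOSTS for p in pats if h in p})
    if hits:
        findings.append("AI chat access: " + ", ".join(hits))
    return findings

def audit_profile(ext_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; map extension ID to findings."""
    report = {}
    for path in Path(ext_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the audit
        findings = assess(manifest)
        if findings:
            report[path.parent.parent.name] = findings
    return report

if __name__ == "__main__":
    for name, m in [("broad", SAMPLE_BROAD), ("ai", SAMPLE_AI), ("ok", SAMPLE_OK)]:
        print(name, assess(m))
```

A finding marks an extension for manual review, since many legitimate extensions also request these permissions.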
Implications for enterprises and developers
For organisations, this incident reinforces the need to treat browser extensions as software assets, not harmless add-ons. Many corporate environments lack visibility into what extensions employees install, creating blind spots that attackers are eager to exploit.
Security teams should consider extension allowlists, browser management policies, and user education focused on AI tool risks. Developers, meanwhile, face the challenge of protecting their brand from malicious clones that can erode trust and expose users to harm.
A reminder about trust in the AI supply chain
The fake extension campaign is not just about Chrome or one AI tool. It reflects a broader issue in the AI supply chain, where wrappers, plugins, and integrations multiply faster than security controls can keep up.
As AI becomes more deeply woven into everyday work, attackers will continue to follow the attention. Vigilance at the browser level may feel mundane, but in this case, it was the difference between a helpful assistant and a silent spy.