Malicious Chrome add-ons expose AI chats for 900,000 users

Researchers at OX Security said the add-ons were designed to blend into everyday browsing by offering productivity features while covertly extracting content from web pages where users interacted with AI services, including ChatGPT and DeepSeek. The firm estimates that as many as 900,000 users installed the extensions before they were removed, exposing chat histories that can contain business plans, source code, legal questions and personal details.

The extensions operated by injecting scripts into browser sessions, a capability granted by Chrome’s permissions system that allows add-ons to read and modify page content. Once installed, the malicious code monitored visits to AI chat pages, copied the text of prompts and responses, and transmitted that data to remote servers controlled by the operators. Because the process ran in the background, victims received no alerts and often assumed the extensions were functioning as advertised.

Security analysts said the attack exploited a growing dependency on browser extensions as users integrate AI tools into daily work. Chat interfaces are increasingly used for drafting contracts, analysing data and troubleshooting software, turning them into high-value targets. The exposure is amplified when conversations include confidential corporate information or regulated personal data.

The disclosure prompted action by Google Chrome’s extension marketplace, which removed the identified add-ons and disabled them on affected devices. Google said it is continuing to strengthen automated and manual reviews, but acknowledged that malicious developers can evade checks by shipping clean versions initially and activating harmful functions later through updates.

Investigators traced the extensions to a coordinated operation that reused code components and command-and-control infrastructure across multiple listings. Some add-ons masqueraded as tools for screenshot capture, theme customisation or ad blocking, attracting users with high ratings that were either fabricated or earned before the malicious payload was activated. Once the user base reached scale, the data siphoning began.

AI chat privacy breached through rogue extensions was how one analyst summarised the impact, noting that the incident underscores a blind spot in how users assess browser add-ons compared with standalone applications. Unlike mobile apps, extensions often request broad permissions that users approve quickly to access a single feature, granting attackers sweeping visibility into browsing activity.

OX Security said its analysis showed that the stolen data was structured and searchable, suggesting intent to monetise insights rather than indiscriminate harvesting. Potential uses include training competing models, profiling organisations for targeted attacks, or selling sensitive information in underground markets. While there is no public evidence of secondary breaches tied directly to the incident, experts warn that the long shelf life of chat logs increases future risk.

Developers of AI platforms have moved to limit exposure by tightening content-security policies and isolating chat interfaces from third-party scripts. Some are exploring browser-level protections that restrict extensions from accessing specific domains by default, forcing users to make explicit choices. Enterprise customers are also being advised to disable extensions entirely on work profiles or use managed browsers with approved add-on lists.

The episode has renewed scrutiny of the Chrome extension ecosystem, which hosts more than 100,000 listings. Industry groups argue that the scale makes perfect policing impossible and are calling for clearer labelling of permissions, shorter review cycles for updates, and stronger penalties for abuse. Privacy advocates want default settings that block extensions from reading content on sensitive sites such as email, banking and AI tools unless users opt in.