Chrome Extensions Found Stealing ChatGPT and DeepSeek Conversations

Cybersecurity analysts have uncovered two newly published Chrome browser extensions that secretly siphon conversations from AI chatbots such as ChatGPT and DeepSeek, along with users’ browsing activity, and transmit the data to attacker-controlled servers.

The extensions, which together have been installed by more than 900,000 users, are:

  • Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (ID: fnmihdojmnkclgjpcoonokmkhjpjechg) with roughly 600,000 users
  • AI Sidebar with Deepseek, ChatGPT, Claude, and more (ID: inhcgfpbfdjbjogdfjbclgolkmhnooop) with about 300,000 users

This discovery comes only weeks after the Urban VPN Proxy extension, which had millions of installs across Chrome and Edge, was found monitoring users’ AI chatbot interactions. Secure Annex has given this growing tactic a name: Prompt Poaching, a technique that quietly captures and exports AI prompts and responses through browser extensions.

According to OX Security researcher Moshe Siman Tov Bustan, both extensions were observed sending complete chatbot conversations and all open Chrome tab URLs to a remote command-and-control server every 30 minutes. While users were told the data collection was limited to “anonymous, non-identifiable analytics,” the extensions were actually extracting full conversation content from ChatGPT and DeepSeek sessions.

Investigators also found that the malicious add-ons were designed to mimic a legitimate extension called “Chat with all AI models (Gemini, Claude, DeepSeek…) & AI Agents” from AITOPIA, which has around one million users. As of publication, the fake extensions remain available on the Chrome Web Store, although one has lost its “Featured” badge.

Once installed, the extensions request permission to collect anonymized browsing behavior under the guise of improving the sidebar experience. If approved, the hidden malware activates, gathering data from open browser tabs and scraping chatbot messages directly from webpage elements. The captured information is temporarily stored locally before being sent to external servers such as chatsaigpt[.]com and deepaichats[.]com.

Threat actors were also seen using an AI-powered web development platform called Lovable to host privacy policies and related infrastructure on domains like chataigpt[.]pro and chatgptsidebar[.]pro, likely to make the operation appear legitimate and avoid detection.

The risks associated with these extensions are significant. Stolen data may include sensitive prompts shared with AI tools, search activity, and internal corporate URLs. OX Security warned that this information could be exploited for corporate espionage, identity theft, targeted phishing attacks, or sold on underground markets. Organizations whose employees installed the extensions may have unknowingly exposed intellectual property, customer records, or confidential business data.

Legitimate Extensions Also Implicated

In a related development, Secure Annex reported that some widely used, legitimate browser extensions have also engaged in prompt poaching. These include Similarweb and Sensor Tower’s StayFocusd, which have approximately one million and 600,000 users, respectively.

Similarweb reportedly added AI conversation monitoring in May 2025. A January 1, 2026 update introduced a clearer terms-of-service notice stating that data entered into AI tools may be collected to support traffic and engagement analysis. A privacy policy update dated December 30, 2025 explicitly confirms that prompts, uploaded files, AI outputs, and related metadata may be processed.

While the company claims it does not intentionally collect personal data and attempts to filter identifying information, it acknowledges that sensitive data may still be captured in the process.

Further technical analysis shows that Similarweb collects AI conversation data using DOM scraping techniques or by intercepting browser APIs such as fetch() and XMLHttpRequest(). This mirrors methods previously observed in Urban VPN Proxy, and the collection covers multiple AI platforms, including ChatGPT, Claude, Google Gemini, and Perplexity.

Secure Annex researcher John Tuckner noted that this behavior is present in both Chrome and Edge versions of the Similarweb extension, while the Firefox version has not been updated since 2019.

Tuckner warned that prompt poaching is likely just beginning. As companies realize the commercial value of AI conversation data, more extension developers may adopt similar tactics, raising questions about whether dynamically loading code and collecting AI prompts violates browser extension policies.

What Users Should Do

Users who have installed these extensions and are concerned about privacy should remove them immediately and carefully review permissions granted to any browser add-ons. Installing extensions only from trusted developers and limiting the use of unnecessary plugins can significantly reduce exposure, even when an extension carries a “Featured” label.
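For administrators who need to check many machines, the removal and permission review above can be scripted. The following is an added example, not code from OX Security or Secure Annex: it walks a Chrome user-data directory, flags the two extension IDs named in this article, and lists any installed extension that holds site-wide or tab access. It assumes Chrome's usual on-disk layout of `<user-data-dir>/<profile>/Extensions/<id>/<version>/manifest.json`; the function names are illustrative.

```python
import json
import sys
from pathlib import Path

# Extension IDs exactly as listed in the article.
FLAGGED_IDS = {
    "fnmihdojmnkclgjpcoonokmkhjpjechg",
    "inhcgfpbfdjbjogdfjbclgolkmhnooop",
}
# Grants that expose page content or tab URLs on every site.
BROAD = {"tabs", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
KEYS = ("permissions", "host_permissions",
        "optional_permissions", "optional_host_permissions")


def broad_grants(manifest):
    """Return the sorted subset of requested grants that are in BROAD."""
    requested = set()
    for key in KEYS:
        # Some manifests carry non-string entries; only strings matter here.
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return sorted(requested & BROAD)


def audit_user_data_dir(user_data_dir):
    """Inventory every installed extension version under every profile."""
    findings = []
    pattern = "*/Extensions/*/*/manifest.json"
    for path in sorted(Path(user_data_dir).glob(pattern)):
        profile, ext_id = path.parts[-5], path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: still report the ID
        if not isinstance(manifest, dict):
            manifest = {}
        findings.append({
            "profile": profile,
            "id": ext_id,
            "version": manifest.get("version", "?"),
            "flagged": ext_id in FLAGGED_IDS,
            "broad": broad_grants(manifest),
        })
    return findings


if __name__ == "__main__":
    for root in sys.argv[1:]:
        for f in audit_user_data_dir(root):
            mark = "FLAGGED" if f["flagged"] else "ok"
            print(mark, f["profile"], f["id"], f["version"], f["broad"])
```

Pass the Chrome user-data directory as the argument, for example `~/.config/google-chrome` on Linux. A broad grant on an unflagged extension is not proof of abuse, only a prompt to review whether that add-on needs the access.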
