The Prompt Poachers: 900,000 Users Exposed as Malicious AI Extensions Siphon ChatGPT and DeepSeek Chats
Artificial intelligence extensions have seamlessly woven themselves into the fabric of everyday browser utility. Multitudes of users routinely summon the sidebar, interrogating chatbots and injecting proprietary corporate documents or intricate code snippets into the dialogue. Malefactors have adroitly preyed upon this very habit. Camouflaged as benevolent aides for interacting with neural networks, malignant add-ons proliferated throughout extension marketplaces, clandestinely harvesting users’ chatbot correspondences and comprehensive browsing histories.
Cybersecurity sentinels within the Microsoft Defender division unearthed a constellation of venomous extensions targeting Chromium-based browsers. These insidious add-ons flawlessly masqueraded as artificial intelligence productivity tools and were disseminated directly through the official Chrome Web Store. According to Microsoft’s calculus, these extensions amassed a staggering 900,000 installations. Telemetry further illuminated the infiltration of over 20,000 corporate entities, where personnel routinely engage with chatbots and unwittingly feed highly classified intelligence into the conversational interface.
Upon successful installation, these extensions commenced the voracious extraction of complete URLs from visited web pages alongside the intimate contents of chatbot dialogues. This explicitly encompasses interactions with prominent services such as ChatGPT and DeepSeek. Consequently, the assailants were empowered to siphon proprietary source code, internal operational directives, sensitive corporate deliberations, and a myriad of other closely guarded corporate secrets.
The architecture of this assault was predicated entirely upon the implicit trust users bestow upon productivity-enhancing instruments. The orchestrators meticulously analyzed ubiquitous neural network extensions, such as AITOPIA, flawlessly replicating their familiar aesthetic, descriptive prose, and permission solicitations. Ultimately, these malignant add-ons achieved a perfect masquerade, indistinguishable from pedestrian artificial intelligence assistants.
These extensions operated seamlessly within the Google Chrome and Microsoft Edge environments. Following deployment, the add-on initiated a clandestine, background surveillance of the user’s digital footprint. It methodically chronicled web addresses and fragments of correspondence generated during chatbot interactions. This harvested data was transiently cached upon the host machine before being systematically exfiltrated to remote command servers.
The add-on ruthlessly exploited the browser’s standardized permission paradigm. Post-installation, the extension commanded unfettered access to page contents, enabling it to surveil user activity without prompting auxiliary authorization requests. Furthermore, the consent mechanism was masterfully deceptive. While a user retained the illusion of disabling data collection, any subsequent update to the extension would autonomously resurrect the telemetry exfiltration protocols.
To secure their foothold within the system, the malefactors eschewed Byzantine methodologies. The extension simply lay dormant within the browser, autonomously invoking itself upon every launch of the application. Such behavior flawlessly mimicked the benign operational cadence of any standard installed add-on.
Data transmission was orchestrated via pedestrian HTTPS requests. The extension funneled its purloined intelligence to the domains deepaichats[.]com and chatsaigpt[.]com. This traffic impeccably masqueraded as routine web activity, rendering the detection of this hemorrhage profoundly arduous. Following exfiltration, the data was scrupulously purged from the local cache, significantly confounding any subsequent forensic analysis.
The malignant extension meticulously recorded nearly every traversed web page alongside fragmentary missives extracted from neural network dialogues. This intelligence was archived in JSON format and subsequently obfuscated using Base64 encoding. Nestled within this harvested trove were complete web addresses—explicitly encompassing internal corporate sanctuaries—snippets of correspondence, the nomenclatures of the invoked AI models, and the unique identifier of the subjugated user.
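Because the local cache is purged after upload, proxy records are often the only place the payload survives. The sketch below is an added example, not code from the article or from Microsoft: it matches proxy records against the two domains named above and decodes Base64-wrapped JSON bodies to show what left the network. The record layout, the `/collect` path, the `api.` subdomain and the field names `url`, `chat`, `model` and `uid` are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Domains as published in the article; refanged only for matching.
EXFIL_DOMAINS = {d.replace("[.]", ".") for d in ("deepaichats[.]com", "chatsaigpt[.]com")}

def is_exfil_host(host):
    """True for a listed domain or any subdomain of it (not look-alike names)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)

def decode_body(body):
    """Base64 -> JSON as the article describes; [] when the body is not that shape."""
    try:
        data = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # covers binascii.Error, bad UTF-8 and bad JSON
        return []
    if isinstance(data, dict):
        data = [data]
    return [e for e in data if isinstance(e, dict)] if isinstance(data, list) else []

def triage(records):
    """records: (client, url, body) tuples from a TLS-inspecting proxy (assumed format)."""
    findings = []
    for client, url, body in records:
        host = urlsplit(url).hostname
        if not is_exfil_host(host):
            continue
        events = decode_body(body)
        findings.append({
            "client": client,
            "host": host,
            # Field names "url", "chat", "uid" are assumptions, not the real schema.
            "leaked_urls": [e["url"] for e in events if "url" in e],
            "chat_text_seen": any(e.get("chat") for e in events),
            "user_ids": [e["uid"] for e in events if "uid" in e],
        })
    return findings

# Constructed sample input: clients, paths, subdomain and payload are made up.
_payload = [{"url": "https://wiki.corp.example/design/payments", "chat": "review this function",
             "model": "ChatGPT", "uid": "constructed-user-0001"}]
SAMPLE_BODY = base64.b64encode(json.dumps(_payload).encode()).decode()
SAMPLE_RECORDS = [
    ("10.0.0.5", "https://api.deepaichats.com/collect", SAMPLE_BODY),
    ("10.0.0.7", "https://notdeepaichats.com/collect", SAMPLE_BODY),   # look-alike, ignored
    ("10.0.0.9", "https://chatsaigpt.com/collect", "not base64!"),     # hit, undecodable
]
```

A hit with an undecodable body is still a finding: the connection alone identifies an affected client, and the decoded fields only tell responders which internal URLs and conversations were exposed.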
This insidious stratagem effectively transmuted a rudimentary browser extension into a perpetual engine for data harvesting. The user blithely continued their digital endeavors with familiar instruments, entirely oblivious to the reality that their intimate chatbot correspondences and complete browsing chronicles were being systematically funneled to third-party servers.
Microsoft vehemently counsels enterprises to rigorously audit the extensions deployed across their employees’ browsers and to vigilantly monitor network conduits for connections to anomalous domains. It is further recommended to strictly circumscribe the installation of auxiliary add-ons and to exercise profound skepticism toward instruments promising frictionless integration with artificial intelligence. Even a seemingly pedestrian extension procured from an official marketplace can harbor the potential for catastrophic data hemorrhaging.
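One way to begin the extension audit recommended above, as an added example rather than Microsoft's tooling: the script walks a Chromium profile's `Extensions` directory (assumed layout `<extension id>/<version>/manifest.json`) and reports add-ons whose manifest grants access to every site or to browsing URLs, the access an extension needs for the collection described in this article. The set of permissions treated as risky is this example's own choice.

```python
import json
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
URL_APIS = {"tabs", "history", "webNavigation"}  # permissions that expose visited URLs

def _strings(value):
    """Keep only string entries; some manifests carry object-valued permissions."""
    return {v for v in value if isinstance(v, str)} if isinstance(value, list) else set()

def risk_reasons(manifest):
    """Why an extension could read page content or browsing URLs on every site."""
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    declared = _strings(manifest.get("permissions")) | _strings(manifest.get("host_permissions"))
    reasons = []
    if declared & BROAD_HOSTS:
        reasons.append("host access to all sites")
    scripts = manifest.get("content_scripts") or []
    if any(BROAD_HOSTS & _strings(cs.get("matches")) for cs in scripts if isinstance(cs, dict)):
        reasons.append("content script injected on all sites")
    if declared & URL_APIS:
        reasons.append("URL-exposing API: " + ", ".join(sorted(declared & URL_APIS)))
    return reasons

def audit_extensions(ext_root):
    """Return {extension id: {"name", "reasons"}} for manifests with broad access."""
    report = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the audit
        if not isinstance(manifest, dict):
            continue
        reasons = risk_reasons(manifest)
        if reasons:
            report[path.parts[-3]] = {"name": manifest.get("name"), "reasons": reasons}
    return report
```

Many legitimate extensions request the same access, so the output is a review queue to compare against an approved list, not a verdict on any single add-on.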