Two Chrome Extensions Caught Stealing ChatGPT and DeepSeek Chats from 900,000 Users

Published:

6 January 2026 at 17:21:00

Alert date:

6 January 2026 at 18:02:20

Source:

thehackernews.com

Web Technologies, Data Breach & Exfiltration, Ransomware & Malware

Two malicious Chrome extensions with over 900,000 combined users have been discovered stealing ChatGPT and DeepSeek conversations along with browsing data. The extensions, named 'Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with Deepseek, ChatGPT, Claude, and more', exfiltrate user conversations and data to attacker-controlled servers. This represents a significant supply chain attack targeting AI platform users through browser extensions.

Technical details

The malicious extensions exfiltrate user conversations and Chrome tab URLs to remote C2 servers every 30 minutes. They use DOM element scraping to extract chat messages from web pages and store them locally before transmitting them to the command and control servers. The extensions hijack native browser APIs such as fetch() and XMLHttpRequest() to gather conversation data. They load remote configuration files with custom parsing logic for ChatGPT, Anthropic Claude, Google Gemini, and Perplexity. The threat actors use Lovable, an AI-powered web development platform, to host privacy policies and infrastructure components in order to obfuscate their actions.

Mitigation steps:

Remove the malicious extensions from browsers immediately. Refrain from installing extensions from unknown sources, even if they have the 'Featured' tag. Review browser extension permissions carefully before granting consent. Organizations should audit employee-installed extensions to prevent exposure of intellectual property, customer data, and confidential business information.
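The extension audit recommended above can be scripted. The following is an added example, not code from the original advisory: it checks Chrome profiles for the two extension IDs this advisory lists. It assumes Chrome's standard on-disk layout and default "User Data" locations; the function names are illustrative.

```python
import json
import os
from pathlib import Path

# Extension IDs taken from this advisory's IOC list.
MALICIOUS_IDS = {
    "fnmihdojmnkclgjpcoonokmkhjpjechg",
    "inhcgfpbfdjbjogdfjbclgolkmhnooop",
}

def default_user_data_dirs():
    """Usual Chrome 'User Data' locations on Linux, macOS and Windows (assumed defaults)."""
    home = Path.home()
    dirs = [home / ".config/google-chrome",
            home / "Library/Application Support/Google/Chrome"]
    if os.environ.get("LOCALAPPDATA"):
        dirs.append(Path(os.environ["LOCALAPPDATA"]) / "Google/Chrome/User Data")
    return dirs

def audit_user_data(user_data_dir):
    """Return one finding per installed version of a flagged extension."""
    findings = []
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        if ext_id not in MALICIOUS_IDS:
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: the directory itself is still a hit
        if not isinstance(data, dict):
            data = {}
        findings.append({
            "profile": manifest.parents[3].name,
            "id": ext_id,
            "version": data.get("version", manifest.parent.name),
            "name": data.get("name", "?"),  # may be a localized __MSG_...__ key
            "permissions": sorted(data.get("permissions", [])
                                  + data.get("host_permissions", [])),
        })
    return findings

if __name__ == "__main__":
    for root in default_user_data_dirs():
        for hit in audit_user_data(root):
            print(f"{root}: {hit}")
```

A hit means the extension is present on disk in that profile; for fleet-wide coverage, run the same check through the organization's endpoint management tooling.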

Affected products:

Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (Chrome Extension ID: fnmihdojmnkclgjpcoonokmkhjpjechg) - 600,000 users
AI Sidebar with Deepseek, ChatGPT, Claude, and more (Chrome Extension ID: inhcgfpbfdjbjogdfjbclgolkmhnooop) - 300,000 users
Similarweb extension - 1 million users
Stayfocusd extension - 600,000 users
Urban VPN Proxy extension
OpenAI ChatGPT
DeepSeek
Anthropic Claude
Google Gemini
Perplexity

IOC's:

chatsaigpt[.]com, deepaichats[.]com, chataigpt[.]pro, chatgptsidebar[.]pro, fnmihdojmnkclgjpcoonokmkhjpjechg, inhcgfpbfdjbjogdfjbclgolkmhnooop

This article was created with the assistance of AI technology by Perceptive.
