Executive Summary
In January 2026, security researchers disclosed a major data breach in which two malicious Google Chrome extensions, posing as legitimate AI-powered tools for ChatGPT and DeepSeek, surreptitiously harvested sensitive information from over 900,000 users. These fake extensions, mimicking the functionality and branding of a trusted vendor, exfiltrated entire LLM chat conversations, browsing histories, confidential corporate URLs, internal credentials, and other proprietary data to an external command-and-control server. The scope of the incident included the exposure of intellectual property, business strategies, source code, and user credentials, highlighting significant risks for individuals and organizations whose employees utilized these tools in their workflows.
With generative AI increasingly adopted for business and development tasks, this breach is a stark demonstration of the risks posed by third-party browser extensions—particularly those that intercept AI-driven sessions. It underscores the urgent need for stricter vetting controls, robust application security for browser add-ons, and user education in an environment where threat actors leverage AI both as target and tool.
Why This Matters Now
As enterprises rapidly integrate AI-driven tools into daily operations, adversaries are exploiting trust in browser extensions to compromise sensitive business and personal data at scale. This incident reinforces the urgency to assess and secure the AI supply chain, especially as malicious extensions can bypass traditional perimeter defenses and exfiltrate high-value information directly from endpoints.
Attack Path Analysis
Threat actors uploaded fake AI-powered Chrome extensions to the official store, tricking users into installing them (Initial Compromise). The malicious extensions requested excessive permissions, enabling access to sensitive browser data beyond their stated intent (Privilege Escalation). From there, they monitored and collected user activity and potentially interacted with multiple browser sessions, gathering a wide range of information (Lateral Movement). The extensions established communication with remote command-and-control (C2) servers to transmit harvested chat and browser data (Command & Control). Sensitive AI conversation data and browsing histories were clandestinely exfiltrated out of users’ environments (Exfiltration). Finally, the attackers monetized or weaponized the stolen data for espionage, identity theft, or resale (Impact).
Kill Chain Progression
Initial Compromise
Description
Malicious Chrome extensions mimicking legitimate AI tools were uploaded to the Chrome Web Store and installed by unsuspecting users.
MITRE ATT&CK® Techniques
- Compromise Software Supply Chain: Compromise Software Dependencies and Development Tools
- User Execution: Malicious File
- Browser Extensions
- Input Capture: Keylogging
- Email Collection: Email Forwarding Rule
- Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Man-in-the-Middle: Adversary-in-the-Middle
- System Information Discovery
Potential Compliance Exposure
Mapping of the incident's impact across multiple compliance frameworks:
- PCI DSS 4.0 – Protect Stored Cardholder Data (Control ID: 3.2.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 10)
- CISA ZTMM 2.0 – Manage User Assets (Control ID: Workforce: Asset Management 1.1)
- NIS2 Directive – Incident Handling Procedures (Control ID: Article 21(2)(d))
- GDPR – Security of Processing (Control ID: Article 32)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks:
- Computer Software/Engineering: Chrome extension infostealer targeting AI conversations exposes proprietary source code, development queries, and intellectual property through prompt poaching attacks.
- Financial Services: AI conversation theft reveals financial credentials, business strategies, and client data through malicious Chrome extensions affecting 900K users.
- Information Technology/IT: Fake AI extensions compromise cloud account passwords, API keys, and corporate infrastructure data, requiring enhanced egress security controls.
- Legal Services: Attorney-client privileged communications in AI chats stolen via malicious extensions, exposing confidential legal matters and case strategies.
Sources
- Fake AI Chrome Extensions Steal 900K Users' Data – https://www.darkreading.com/cloud-security/fake-ai-chrome-extensions-steal-900k-users-data (Verified)
- Malicious Chrome Extensions Steal ChatGPT Conversations – https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/ (Verified)
- Malicious Chrome extensions with 900,000 users steal AI chats – https://cyberinsider.com/malicious-chrome-extensions-with-900000-users-steal-ai-chats/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, and strict egress policy enforcement would have limited malicious extension activity by detecting or blocking unauthorized data flows and segmenting browser-related workloads. Egress security, threat detection, and microsegmentation, as outlined in CNSF, provide critical visibility and enforcement to stop data exfiltration and external command channels.
- Threat Detection & Anomaly Response: early detection of anomalous extension behavior on enterprise-managed endpoints.
- Zero Trust Segmentation: restricted data access through identity-based segmentation policies.
- East-West Traffic Security: blocked unauthorized internal data aggregation and movement.
- Cloud Firewall (ACF): real-time detection and blocking of outbound C2 traffic.
- Egress Security & Policy Enforcement: prevention of unauthorized data exfiltration to untrusted external destinations.
Together these controls provide rapid detection and forensics to limit business harm and aid response.
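The egress-security and anomaly-response controls listed above come down to one question a proxy or cloud firewall can answer: is a browser process pushing data to a destination that is not an approved AI or SaaS endpoint, in volumes or at a cadence that looks like a collector channel? The following is an added example written for this report, not code from the original page or from any vendor named in it. It assumes a constructed space-separated egress log format (`timestamp process method host bytes_out`), an assumed allowlist of approved AI hosts, and assumed tuning thresholds; the hostnames ending in `.test` are constructed sample values, not real indicators.

```python
"""Flag browser-originated uploads to unapproved hosts in egress logs.

Assumed log format (constructed for this example; adapt parse_line to
your proxy): <ISO timestamp> <process> <method> <host> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: destinations the organisation has approved for AI assistants.
APPROVED_HOSTS = {
    "chatgpt.com", "chat.openai.com", "api.openai.com", "chat.deepseek.com",
}
BROWSER_PROCESSES = {"chrome.exe", "chrome", "msedge.exe"}
VOLUME_THRESHOLD = 50_000   # assumed: bytes to one unapproved host before alerting
BEACON_MIN_EVENTS = 4       # assumed: uploads needed before cadence is judged
BEACON_MAX_JITTER = 0.25    # assumed: stdev/mean of gaps that still counts as regular

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2026-01-15T09:00:01Z chrome.exe GET chatgpt.com 412
2026-01-15T09:00:02Z chrome.exe POST chatgpt.com 2048
2026-01-15T09:03:17Z chrome.exe POST cdn.example-ads.test 900
2026-01-15T09:05:00Z chrome.exe POST collector.example-c2.test 18340
2026-01-15T09:10:00Z chrome.exe POST collector.example-c2.test 20110
2026-01-15T09:15:00Z chrome.exe POST collector.example-c2.test 17990
2026-01-15T09:20:00Z chrome.exe POST collector.example-c2.test 19455
2026-01-15T09:21:13Z outlook.exe POST outlook.office365.com 9000
"""


def parse_line(line):
    """Split one log line into (timestamp, process, method, host, bytes_out)."""
    ts, proc, method, host, nbytes = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            proc, method, host, int(nbytes))


def find_suspicious_uploads(log_text):
    """Return alerts for (browser process, unapproved host) pairs whose
    uploads exceed the volume threshold or arrive at a regular cadence."""
    uploads = defaultdict(list)  # (process, host) -> [(timestamp, bytes_out)]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, proc, method, host, nbytes = parse_line(raw)
        # Only browser uploads to hosts outside the approved set are of interest.
        if proc not in BROWSER_PROCESSES or method not in {"POST", "PUT"}:
            continue
        if host in APPROVED_HOSTS:
            continue
        uploads[(proc, host)].append((ts, nbytes))

    alerts = []
    for (proc, host), events in uploads.items():
        events.sort()
        total = sum(b for _, b in events)
        reasons = []
        if total >= VOLUME_THRESHOLD:
            reasons.append(f"volume={total}B")
        if len(events) >= BEACON_MIN_EVENTS:
            # Inter-arrival times; a low coefficient of variation means beacon-like.
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER:
                reasons.append(f"beacon~{mean(gaps):.0f}s")
        if reasons:
            alerts.append({"process": proc, "host": host,
                           "events": len(events), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_uploads(SAMPLE_LOG):
        print(alert)
```

On the sample above only the collector host is reported, for both reasons: the four uploads total well over the volume threshold and land exactly five minutes apart. The single small POST to the ad host stays below both thresholds, and the mail client's upload is ignored because the rule is scoped to browser processes. In production the allowlist is the part that needs care: an over-broad allowlist hides the channel, an over-narrow one floods the queue with legitimate SaaS uploads.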
Impact at a Glance
Affected Business Functions
- Research and Development
- Legal
- Marketing
- Human Resources
Estimated downtime: N/A
Estimated loss: $5,000,000
The malicious Chrome extensions exfiltrated sensitive data, including proprietary source code, business strategies, personally identifiable information (PII), confidential research, legal matters, and complete URLs from all Chrome tabs. This data exposure poses significant risks of corporate espionage, identity theft, targeted phishing campaigns, and potential sale on underground forums.
Recommended Actions
Key Takeaways & Next Steps
- Enforce egress filtering using FQDN/application-layer policies to prevent unauthorized data exfiltration from browsers and endpoints.
- Apply zero trust network segmentation and least privilege to limit browser and extension access to sensitive enterprise workloads and data.
- Deploy inline threat detection and anomaly response to quickly identify malicious extension behavior or unauthorized data flows.
- Implement continuous monitoring and real-time multicloud visibility for rapid detection and response to suspicious browser/workload activities.
- Regularly audit browser extension policies and educate users on only installing vetted, enterprise-approved extensions.
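The attack path section notes that the extensions requested permissions far beyond what an AI chat helper needs, and the last takeaway asks for regular audits of extension policy. The following is an added example, written for this report and not code from the original page or any vendor named in it, of what such an audit looks like in practice: it reads Chrome `manifest.json` files, flags permissions and host patterns that grant access to every page, every tab or all network requests, compares each extension ID with an enterprise allowlist, and emits the corresponding Chrome enterprise policy. `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist` are real Chrome policy names and `Extensions/<id>/<version>/manifest.json` is Chrome's profile layout; the extension IDs, manifests and the risk table are constructed for the example.

```python
"""Audit Chrome extension manifests for over-broad permissions and
allowlist membership, then emit an enterprise policy fragment."""
import json
from pathlib import Path

# Assumed risk table: grants that exceed what a chat helper needs.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>": "read and modify data on every site",
    "tabs": "enumerate URLs and titles of all open tabs",
    "webRequest": "observe network requests",
    "webRequestBlocking": "modify or block network requests",
    "cookies": "read session cookies",
    "history": "read browsing history",
    "scripting": "inject scripts into pages",
    "clipboardRead": "read the clipboard",
}
# Host patterns that effectively cover every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: one vetted internal tool and one lookalike AI helper.
SAMPLE_INSTALLED = {
    "a" * 32: {
        "name": "Corp Vault Helper (constructed)",
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://vault.corp.example/*"],
    },
    "b" * 32: {
        "name": "AI Chat Helper (constructed lookalike)",
        "manifest_version": 3,
        "permissions": ["tabs", "storage", "webRequest", "scripting"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
    },
}
ALLOWLIST = {"a" * 32}  # assumed enterprise-approved extension IDs


def load_installed(extensions_dir):
    """Read manifests from a Chrome profile's Extensions/<id>/<version>/ tree."""
    installed = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            installed[ext_id] = json.load(fh)
    return installed


def risk_findings(manifest):
    """Return [(grant, why)] for every risky permission or host pattern."""
    findings = []
    granted = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(granted):
        if perm in HIGH_RISK_PERMISSIONS:
            findings.append((perm, HIGH_RISK_PERMISSIONS[perm]))
    # Host access can come from host_permissions or content_scripts.matches.
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    for pattern in sorted(hosts):
        if pattern in BROAD_HOST_PATTERNS:
            findings.append((pattern, "content access on every site"))
    return findings


def audit(installed, allowlist):
    """Map each extension ID to its findings and a verdict: ok, review or block."""
    report = {}
    for ext_id, manifest in installed.items():
        findings = risk_findings(manifest)
        if ext_id not in allowlist:
            verdict = "block"          # unvetted: keep it off managed browsers
        elif findings:
            verdict = "review"         # vetted but over-privileged: re-assess
        else:
            verdict = "ok"
        report[ext_id] = {"name": manifest.get("name", "?"),
                          "allowlisted": ext_id in allowlist,
                          "findings": findings, "verdict": verdict}
    return report


def policy_fragment(report):
    """Chrome policy: allow only extensions that passed, block all others."""
    return {
        "ExtensionInstallAllowlist": sorted(i for i, r in report.items() if r["verdict"] == "ok"),
        "ExtensionInstallBlocklist": ["*"],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_INSTALLED, ALLOWLIST)
    for ext_id, row in result.items():
        print(ext_id, row["verdict"], row["name"])
        for grant, why in row["findings"]:
            print("   ", grant, "->", why)
    print(json.dumps(policy_fragment(result), indent=2))
```

Point `load_installed` at a managed profile's `Extensions` directory to audit real installs; the lookalike in the sample is blocked on two independent grounds, an unknown ID and five grants (all-tab enumeration, request observation, script injection and two every-site host patterns) that a chat assistant has no reason to hold. The emitted policy uses the allowlist-overrides-blocklist behaviour of Chrome's enterprise settings, so anything not explicitly vetted cannot be installed at all.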