Executive Summary
In late 2025, the "Urban VPN Proxy" Chrome extension—prominently labeled 'Featured' in the Chrome Web Store and boasting over six million users—was discovered silently harvesting all prompts users entered into popular AI chatbots such as ChatGPT, Anthropic Claude, Microsoft Copilot, Google Gemini, and others. Security researchers found the extension covertly intercepted and exfiltrated sensitive data in real time, leveraging its widespread user base and the inherent trust of its browser privileges. The extension’s activity amounted to a massive privacy breach, putting both individuals and enterprises at risk of data exposure.
This breach highlights a surge in supply chain and third-party risks posed by browser extensions in the modern SaaS ecosystem. Enterprise security teams face heightened challenges as unregulated extensions become vectors for data harvesting, especially as reliance on AI tools increases. Privacy expectations, compliance obligations, and trust in official app marketplaces are now under renewed scrutiny.
Why This Matters Now
AI-driven productivity tools are becoming integral in both personal and business communication, but unvetted browser extensions can now covertly intercept and exfiltrate sensitive information on a massive scale. This exposes new blind spots in security and compliance, raising urgent concerns about trust and the vetting of widely adopted browser add-ons.
Attack Path Analysis
Attackers leveraged a trusted Chrome extension to gain initial access to browser sessions and user AI chat interactions. Once the extension was installed, it covertly accessed and harvested user input data, operating under the same privilege as the browser session. Although true privilege escalation within cloud environments was not needed, the extension misused granted permissions to maintain wide access. The extension transmitted harvested AI chat prompts to adversary-controlled infrastructure, establishing steady command and control via outbound traffic. Sensitive chat data was exfiltrated from millions of users to external servers. The adversary achieved significant privacy impact through mass unauthorized collection of user prompts, risking further downstream misuse or exposure.
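An added example (not from the original report or from any vendor tooling): a Python sweep of a Chrome profile's Extensions directory that flags extensions whose manifests grant access to the AI chat sites named above. The host list and both sample manifests are constructed assumptions.

```python
import json
from pathlib import Path

# Hosts for the chatbots named in this write-up (assumed list; extend as needed).
AI_CHAT_HOSTS = ["chatgpt.com", "claude.ai", "copilot.microsoft.com", "gemini.google.com"]

def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants access to pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # "*.example.com" also matches "example.com"
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def audit_manifest(manifest):
    """Return the AI chat hosts an extension may read or script, per its manifest."""
    # MV3 host_permissions, MV2 host patterns inside permissions, content-script matches
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        pats |= set(script.get("matches", []))
    return sorted(h for h in AI_CHAT_HOSTS if any(pattern_covers(p, h) for p in pats))

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; map extension id -> hosts."""
    findings = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            hosts = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        if hosts:
            findings[path.parent.parent.name] = hosts
    return findings

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 3, "permissions": ["proxy"], "host_permissions": ["<all_urls>"]}
SAMPLE_NARROW = {"manifest_version": 3, "content_scripts": [{"matches": ["https://*.example.org/*"]}]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_BROAD), audit_manifest(SAMPLE_NARROW))
```

Broad host access is an inventory signal for review, not proof of harvesting; many legitimate extensions request `<all_urls>`.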
Kill Chain Progression
Initial Compromise
Description
Users installed a malicious Chrome extension with high trust marks, allowing attackers to gain access to browser sessions and active AI chatbot inputs.
MITRE ATT&CK® Techniques
Mapping covers primary browser extension data interception and exfiltration TTPs observed; suitable for initial enrichment and filtering, with full STIX/TAXII support to follow.
Browser Session Hijacking
Steal Web Session Cookie
Container Administration Command
User Execution
Automated Collection
Input Capture: Web Portal Capture
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Sensitive Authentication Data Protection
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Regulation 2022/2554) – ICT Risk Management
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Monitor and Restrict Data Flows
Control ID: Data Pillar: Visibility and Analytics
NIS2 Directive – Risk Analysis and Information System Security
Control ID: Article 21(2)c
GDPR – Integrity and Confidentiality Principle
Control ID: Article 5(1)(f)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Chrome extension data harvesting threatens proprietary AI interactions, requiring enhanced egress security and zero trust segmentation for developer communications.
Financial Services
AI chatbot prompt interception exposes sensitive financial data queries, violating PCI compliance and requiring multicloud visibility controls.
Health Care / Life Sciences
Patient data queries to AI systems compromised through browser extensions, breaching HIPAA requirements for encrypted traffic protection.
Legal Services
Attorney-client privileged communications via AI platforms intercepted, demanding threat detection systems and secure hybrid connectivity solutions.
Sources
- Featured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats (https://thehackernews.com/2025/12/featured-chrome-browser-extension.html)
- This new malware campaign is stealing chat logs via Chrome extensions (https://www.techradar.com/pro/security/this-new-malware-campaign-is-stealing-chat-logs-via-chrome-extensions)
- This Google Chrome extension has been silently stealing every AI prompt its users enter (https://www.techaimag.com/global-ai-news/this-google-chrome-extension-has-been-silently-stealing-every-ai-prompt-its-users-enter)
- VPN extension for Chrome intercepts users’ AI requests (https://hackmag.com/news/ai-urban-vpn)
Cloud Native Security Fabric Mitigations and Controls (CNSF)
Cloud Network Security Framework (CNSF) controls such as egress policy enforcement, segmentation, and multicloud visibility would have significantly constrained or detected the extension’s ability to exfiltrate sensitive user data. Applying workload segmentation, encrypted traffic monitoring, and strict egress policies would have blocked unauthorized data flows and alerted operators to abnormal outbound activity.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of suspicious extension behaviors or anomalous browser activity.
Control: Zero Trust Segmentation
Mitigation: Limits lateral data access even within trusted SaaS or browser sessions.
Control: East-West Traffic Security
Mitigation: Restricts movement and data access between SaaS applications and internal browser processes.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unknown or high-risk locations are detected and blocked.
Control: Cloud Firewall (ACF)
Mitigation: Prevents exfiltration by blocking suspect or unrecognized destinations.
Enables rapid incident response and containment across SaaS and multi-cloud environments.
Impact at a Glance
Affected Business Functions
- Data Privacy Compliance
- User Trust Management
- Legal and Regulatory Affairs
Estimated downtime: N/A
Estimated loss: $500,000
The unauthorized collection of AI chatbot interactions by the Urban VPN Proxy extension potentially exposed sensitive user data, including personal, financial, and confidential business information. This breach could lead to regulatory penalties, loss of customer trust, and legal liabilities.
Recommended Actions
Key Takeaways & Next Steps
- Establish and enforce strict egress filtering and FQDN policy controls to block unauthorized outbound connections to untrusted domains.
- Implement Zero Trust Segmentation and microsegmentation around user browser processes and SaaS applications to prevent unauthorized lateral access to sensitive data.
- Enable continuous Threat Detection & Anomaly Response to rapidly identify abnormal SaaS or browser extension behaviors.
- Leverage Cloud Firewall capabilities for real-time inspection, application filtering, and granular outbound traffic control.
- Centralize multicloud visibility and security policy enforcement to rapidly detect, investigate, and contain suspicious exfiltration or shadow AI risks.



