Date: 2026-01-07

Researchers warn of rising “prompt poaching,” where malicious extensions steal AI chatbot conversations

Two spoofed Chrome add-ons with ~900K users exfiltrated prompts and tab data every 30 minutes to C2 servers

Similar cases (e.g., Urban VPN Proxy) show even highly rated extensions on official stores can harvest chats, credentials, and payment data

A new malicious practice called “prompt poaching” has emerged, in which extensions, add-ons, and other apps eavesdrop on people’s conversations with AI chatbots and exfiltrate their prompts for various purposes.

The practice is becoming increasingly common, as researchers keep finding more such extensions, some with hundreds of thousands of users.

Researchers from OX Security recently found two such Chrome extensions with more than 900,000 users combined. They are called “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” and “AI Sidebar with Deepseek, ChatGPT, Claude, and more”.

An increase in malicious extensions

Apparently, these two are spoofing a legitimate browser add-on called “Chat with all AI models (Gemini, Claude, DeepSeek…) & AI Agents” from AITOPIA, which has roughly a million users. The only difference is that these two are hiding the fact that they’re grabbing people’s prompts behind “improvements to the sidebar experience.”

The extensions "were found exfiltrating user conversations and all Chrome tab URLs to a remote C2 server every 30 minutes," OX Security said in its writeup. "The malware adds malicious capabilities by requesting consent for 'anonymous, non-identifiable analytics data' while actually exfiltrating complete conversation content from ChatGPT and DeepSeek sessions."

Indeed, when installed, the extensions ask users for permission to collect anonymized browser behavior data, and if users accept, the extensions start harvesting information about open browser tabs and prompts.
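For defenders, the behavior described above (reading ChatGPT and DeepSeek sessions plus every tab URL) depends on permissions declared in an extension's manifest.json. The following Python audit is an added example, not code from OX Security or from this article; the chatbot host list and both sample manifests are constructed assumptions.

```python
# Assumption: chatbot hosts to watch; the article names ChatGPT and DeepSeek sessions.
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com")

def pattern_covers(pattern, host):
    """Simplified Chrome match-pattern check: does `pattern` grant access to `host`?"""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission name such as "tabs", not a host pattern
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def audit_manifest(manifest):
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    # MV2 keeps host patterns inside "permissions"; MV3 uses "host_permissions".
    hosts = [p for p in perms if "://" in p or p == "<all_urls>"]
    hosts += manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    reachable = sorted(h for h in AI_CHAT_HOSTS if any(pattern_covers(p, h) for p in hosts))
    findings = []
    if reachable:
        findings.append("can read pages on: " + ", ".join(reachable))
    if "tabs" in perms:
        findings.append("can read the URL of every open tab ('tabs')")
    if reachable and "tabs" in perms:
        findings.append("REVIEW: chat access plus tab URLs matches the reported collection pattern")
    return findings

# Constructed sample manifests, not taken from any real extension.
SIDEBAR = {"manifest_version": 3, "name": "Example AI Sidebar",
           "permissions": ["tabs", "storage", "alarms"],
           "host_permissions": ["<all_urls>"]}
NOTES = {"manifest_version": 3, "name": "Example Notes", "permissions": ["storage"],
         "content_scripts": [{"matches": ["https://notes.example.org/*"], "js": ["n.js"]}]}

if __name__ == "__main__":
    for m in (SIDEBAR, NOTES):
        print(m["name"], audit_manifest(m) or "no findings")
```

A finding marks an extension for manual review rather than proving it malicious: a legitimate AI sidebar declares much the same permissions, so the manifest shows what an extension could collect, not what it actually sends.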

We’ve been seeing more and more of these malicious extensions recently. In mid-December 2025, researchers discovered that Urban VPN Proxy, a tool with more than six million installations and a 4.7/5 rating on the Google Chrome Web Store, was harvesting AI chats. Numerous other extensions were seen stealing login credentials or payment data, and some were even sending screenshots of infected devices to the attackers.

What makes the practice particularly worrisome is the fact that most of these extensions were found on reputable browser stores.

