Malicious AI Browser Extensions Steal LLM Chats

Introduction: Why this matters

AI assistant browser extensions are becoming common “productivity” add-ons for knowledge workers, especially for quick access to tools like ChatGPT and DeepSeek. Microsoft Defender’s investigation shows how this convenience can become an enterprise data-loss channel: a look-alike extension installed from a trusted marketplace can continuously collect and exfiltrate sensitive prompts, responses, and internal URLs without behaving like traditional malware.

What’s new / key findings

Microsoft Defender investigated malicious Chromium extensions that:

• Impersonate legitimate AI assistant extensions using familiar branding and permission prompts (Defender notes imitation of well-known tools such as AITOPIA).
• Collect LLM chat content and browsing telemetry, including:
  • Full visited URLs (including internal sites)
  • Chat snippets (prompts and responses) from platforms such as ChatGPT and DeepSeek
  • Model identifiers, navigation context, and a persistent UUID
• Persist like normal extensions (auto-reloading on browser start, storing telemetry in local extension storage).
• Exfiltrate data periodically via HTTPS POST, which can resemble routine web traffic.

Defender reporting indicates the extensions reached ~900,000 installs, with Defender telemetry confirming activity across 20,000+ enterprise tenants.

How the attack works (high level)

• Delivery: Published in the Chrome Web Store with AI-themed descriptions. Because Microsoft Edge supports Chrome Web Store extensions, the same listing enables cross-browser reach.
• Exploitation of trust & permissions: Broad Chromium extension permissions allowed observation of page content and browsing activity. A misleading consent mechanism was used, and updates could re-enable telemetry by default even after users opted out.
• Command and control: Periodic uploads to attacker-controlled domains such as deepaichats[.]com and chatsaigpt[.]com, clearing local buffers after transmission to reduce artifacts.

Impact on IT administrators and end users

• Data leakage risk: Prompts often include proprietary code, internal processes, strategy discussions, credentials copied into chats, and other confidential content. Exfiltration of full URLs can reveal internal application structure and sensitive query strings.
• Compliance and privacy exposure: Captured chat history can contain regulated or personal data, complicating retention, eDiscovery, and data residency obligations.
• Extension risk becomes “always on”: Unlike a one-time phishing event, a malicious extension can create continuous visibility into user activity across sessions.

Recommended actions / next steps

1. Hunt and block known exfiltration endpoints by monitoring outbound HTTPS POST traffic and applying network controls for:
   • *.chatsaigpt.com
   • *.deepaichats.com
   • *.chataigpt.pro
   • *.chatgptsidebar.pro
2. Inventory and audit browser extensions across managed endpoints, focusing on AI/sidebar tools with broad site permissions.
3. Tighten extension governance:
   • Use allowlisting for approved extensions
   • Restrict installation sources where possible
   • Review update behaviors and permissions drift
4. Use Microsoft Defender Vulnerability Management to run Browser extensions assessment, identify risky extensions, and prioritize remediation.
5. Educate users: treat AI chats like sensitive communications—avoid pasting secrets, tokens, or proprietary content unless the tool and access path are explicitly approved.