Security researchers have uncovered a sophisticated data-stealing campaign targeting more than 900,000 Chrome users via two malicious browser extensions that impersonate legitimate AI tools and secretly exfiltrate ChatGPT and DeepSeek conversations to attacker-controlled servers.
The discovery, reported by OX Security on December 29, 2025, reveals a coordinated threat operation exploiting user trust in AI productivity tools.
The extensions “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” (600,000+ installations) and “AI Sidebar with Deepseek, ChatGPT, Claude and more” (300,000+ installations) masquerade as versions of AITOPIA, a legitimate AI sidebar tool, while embedding malicious data harvesting functionality that remains active despite Google’s review process.

The Attack Mechanism
The malware operates through expansive browser permissions that grant it read access to all website content.

When users interact with ChatGPT or DeepSeek platforms, the extensions capture complete conversation transcripts in real time, including prompts, AI responses, and associated metadata.
The stolen data is initially stored locally before being transmitted to the command-and-control infrastructure at deepaichats[.]com every 30 minutes.
Beyond conversation theft, the extensions monitor all browsing activity and extract complete URLs from open tabs, search queries, and URL parameters, potentially compromising session tokens, authentication credentials, and sensitive search history.
This breadth of data collection transforms the compromise into a critical information disclosure incident.
The exfiltrated conversations are particularly damaging. Users often share proprietary source code, confidential business strategies, personally identifiable information, and sensitive corporate communications with AI models, assuming that platform-level security protections are in place.
These extensions bypass such assumptions entirely, enabling direct access to unencrypted conversation content.
The threat actors employ social engineering tactics, requesting user permission for “anonymous, non-identifiable analytics data” while harvesting complete conversation content.
Furthermore, when users uninstall one extension, the other automatically opens in a new browser tab, a coordinated mechanism designed to maintain presence across the compromised user base.
To obscure their infrastructure, attackers abuse Lovable, an AI-powered web development platform, to host fake privacy policies and redirection pages, deliberately complicating researcher attribution and takedown efforts.
Notably, despite OX Security’s December 29 report and Google’s acknowledgment of the review, both extensions remained active on the Chrome Web Store as of publication.

The first extension continues to display Google’s “Featured” badge, a seal of apparent legitimacy that likely increased its installation rate.
Organizations face significant exposure. Employee installations of these extensions could result in unauthorized disclosure of intellectual property, customer data, confidential communications, and strategic business information.
Affected users should immediately navigate to chrome://extensions/ to remove both malicious extensions and consider whether sensitive data shared through AI platforms requires mitigation.

Indicators of Compromise

| Extension Name | Extension ID | Version | SHA256 Hash |
|---|---|---|---|
| Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI | fnmihdojmnkclgjpcoonokmkhjpjechg | 1.9.6 | 98d1f151872c27d0abae3887f7d6cb6e4ce29e99ad827cb077e1232bc4a69c00 |
| AI Sidebar with Deepseek, ChatGPT, Claude and more | inhcgfpbfdjbjogdfjbclgolkmhnooop | 1.6.1 | 20ba72e91d7685926c8c1c5b4646616fa9d769e32c1bc4e9f15dddaf3429cea7 |
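
Added example (not from OX Security's report or the original article): a Python check that looks for the two extension IDs from the table above in local Chrome profiles and reports the installed version. The profile locations are the usual Chrome defaults and are an assumption; pass another User Data directory as an argument for managed or non-standard installs.

```python
import json
import os
import sys
from pathlib import Path

# Extension IDs and versions copied from the IoC table on this page.
FLAGGED = {
    "fnmihdojmnkclgjpcoonokmkhjpjechg": "1.9.6",
    "inhcgfpbfdjbjogdfjbclgolkmhnooop": "1.6.1",
}

def default_user_data_dirs():
    """Usual Chrome 'User Data' locations (assumed defaults)."""
    home = Path.home()
    candidates = [
        home / ".config/google-chrome",                      # Linux
        home / "Library/Application Support/Google/Chrome",  # macOS
    ]
    local = os.environ.get("LOCALAPPDATA")                   # Windows
    if local:
        candidates.append(Path(local) / "Google/Chrome/User Data")
    return [p for p in candidates if p.is_dir()]

def find_flagged_extensions(user_data_dir):
    """Return one finding per installed version of a flagged ID, in every profile."""
    findings = []
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>_<n>/
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        if ext_dir.name not in FLAGGED or not ext_dir.is_dir():
            continue
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                text = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
                version = json.loads(text)["version"]
            except (OSError, ValueError, KeyError, TypeError):
                # Manifest missing or unreadable: fall back to the directory name.
                version = version_dir.name.split("_")[0]
            findings.append({
                "profile": ext_dir.parent.parent.name,
                "id": ext_dir.name,
                "version": version,
                "matches_reported_version": version == FLAGGED[ext_dir.name],
                "path": str(version_dir),
            })
    return findings

if __name__ == "__main__":
    dirs = [Path(a) for a in sys.argv[1:]] or default_user_data_dirs()
    hits = [f for d in dirs for f in find_flagged_extensions(d)]
    for f in hits:
        print(f"{f['profile']}: {f['id']} v{f['version']} at {f['path']}")
    sys.exit(1 if hits else 0)
```

A hit on either ID is worth acting on even when the version differs from the one in the table, since the table records only the versions that were analyzed.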

