A wave of counterfeit AI-powered browser extensions has silently breached over 20,000 enterprise environments, compromising the chat histories of employees who routinely used AI tools for work.
These malicious Chromium-based extensions disguised themselves as legitimate AI assistant tools and accumulated close to 900,000 installs before the threat was surfaced.
What made these extensions particularly alarming was their ability to pass as genuine productivity tools while quietly harvesting sensitive data in the background.
The extensions specifically targeted users of popular AI platforms like ChatGPT and DeepSeek, pulling full conversation histories, visited URLs, and browsing telemetry directly from active browser sessions.
Corporate employees who routinely used these platforms often shared internal code, strategic plans, and proprietary workflows — all of which were quietly captured and staged for transmission to attacker-controlled servers.
The sheer scope of compromised data turned what looked like a helpful sidebar tool into a long-running data collection operation inside enterprise networks.
Microsoft Defender analysts identified the campaign after telemetry data flagged unusual outbound connections tied to installed browser extensions across enterprise tenants.
Researchers noted that the threat actors had carefully studied legitimate extensions, including a widely used tool called AITOPIA, and replicated its branding, permission prompts, and user interface elements.
This deliberate mimicry made the malicious extensions almost indistinguishable from genuine tools, allowing them to pass through standard vetting checks without raising obvious red flags.
The extensions were distributed through the Chrome Web Store, taking advantage of its reputation as a trusted source of browser add-ons.
Since Microsoft Edge also supports Chromium-based extensions from the same store, a single malicious listing could reach users on both browsers at once.
In some instances, agentic browsers automatically downloaded these extensions without waiting for user confirmation, further expanding the reach of the campaign.
This distribution approach required minimal effort from the attackers while maximizing exposure across personal and corporate environments.
The collected data covered everything from internal application URLs and AI chat transcripts to model names and persistent session identifiers, giving the attackers a continuously updated picture of what employees were working on.
This persistent access meant that even employees who thought they had opted out of data sharing were unknowingly contributing to the collection after each extension update.
Infection Mechanism and Stealthy Exfiltration
Once installed, the extension activated a background script that began logging visited URLs and AI chat content without requiring any further action from the user.
The Chromium permission model gave it access to virtually every page opened in the browser, including internal corporate sites and AI chat sessions.
Data was held locally in Base64-encoded JSON format and transmitted at scheduled intervals rather than continuously, a deliberate design choice that helped the extension stay below the threshold of typical network monitoring tools.
The extension sent collected data over HTTPS POST requests to attacker-controlled domains, chiefly deepaichats[.]com and chatsaigpt[.]com, as observed in Figure 1 and Figure 2.
The traffic was structured to blend in with standard browser web requests, keeping the C2 channel largely invisible to conventional security tools.
Once data was successfully transmitted, the extension cleared its local buffers to limit any trace of activity on disk.
Perhaps most troubling was a built-in mechanism that automatically re-enabled data collection after every extension update, overriding consent settings users had previously configured.
Organizations should take immediate steps to assess exposure by auditing all browser extensions installed across their device fleets and removing any with unknown IDs — particularly those flagged in this campaign.
Security teams should monitor outbound POST traffic to the known malicious domains, including *.chatsaigpt.com, *.deepaichats.com, *.chataigpt.pro, and *.chatgptsidebar.pro, to quickly identify all affected devices.
Enforcing extension allowlisting policies through enterprise browser management platforms is one of the most effective ways to stop employees from installing unreviewed add-ons.
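One way to carry out the extension audit and allowlist comparison recommended above, as an added example that is not code from the article or from Microsoft. It walks a Chrome or Edge profile, reads each installed extension's manifest, and flags IDs that are not on an approved list or that request access to every page. The allowlist entry is a constructed placeholder ID, and the profile path is supplied by the caller.

```python
import json
import sys
from pathlib import Path

# Assumption: IDs reviewed and approved by IT. The value is a constructed placeholder.
ALLOWLIST = {"a" * 32}
# Match patterns that grant access to every site the user opens.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_profile(profile_dir, allowlist=ALLOWLIST):
    """Flag extensions stored as <profile>/Extensions/<id>/<version>/manifest.json."""
    findings = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "name": None, "reasons": ["unreadable manifest"]})
            continue
        # Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
        requested = set()
        for key in ("permissions", "host_permissions", "optional_host_permissions"):
            requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
        for script in manifest.get("content_scripts", []):
            requested.update(script.get("matches", []))
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if requested & BROAD_HOSTS:
            reasons.append("can read every page")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"), "reasons": reasons})
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit.py "<path to browser profile directory>"
    for finding in audit_profile(sys.argv[1]):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

Localized extensions store their display name as a `__MSG_...__` placeholder in the manifest, so treat the extension ID, not the name, as the identifier when comparing against the allowlist.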
Network protection should be enabled to block access to known C2 endpoints, and data security controls should be applied around browser-based AI chat tools to reduce the risk of sensitive information leaving the organization. Finally, employees should be instructed to review their Chrome and Edge extensions, remove anything unfamiliar, and avoid side-loading any productivity tools not approved by IT.
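The outbound POST monitoring recommended above can be sketched as a log sweep; this is an added example, not code from the article or from Microsoft. It matches the four domains named in the article at a label boundary, so subdomains hit and lookalike hosts do not. The proxy log format, device names, paths, and byte counts are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains listed in the article; each wildcard covers the apex and any subdomain.
C2_DOMAINS = ("chatsaigpt.com", "deepaichats.com", "chataigpt.pro", "chatgptsidebar.pro")

# Constructed sample proxy log: "<time> <device> <method> <url> <bytes sent>".
SAMPLE_LOG = """\
2025-01-01T09:00:02Z LT-0142 POST https://api.deepaichats.com/v1/sync 48211
2025-01-01T09:00:05Z LT-0142 GET https://chatgpt.com/ 512
2025-01-01T09:30:02Z LT-0142 POST https://api.deepaichats.com/v1/sync 51877
2025-01-01T09:31:40Z LT-0977 POST https://notchatsaigpt.com/form 230
2025-01-01T09:45:10Z WS-0031 POST https://CHATSAIGPT.com./up 90344
2025-01-01T09:50:00Z WS-0031 POST https://chatsaigpt.com.example.net/x 100
malformed line
"""

def is_c2_host(host):
    """True for a listed domain or any subdomain of it, compared on label boundaries."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def find_affected_devices(log_text):
    """Map device -> list of (time, host, bytes sent) for POSTs to listed domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2].upper() != "POST" or not parts[4].isdigit():
            continue  # skip malformed lines and non-POST requests
        ts, device, _, url, sent = parts
        host = urlsplit(url).hostname
        if is_c2_host(host):
            hits[device].append((ts, host.rstrip("."), int(sent)))
    return dict(hits)

def summarize(hits):
    """Per-device POST count and total bytes sent, for triage ordering."""
    return {dev: (len(rows), sum(r[2] for r in rows)) for dev, rows in hits.items()}

if __name__ == "__main__":
    for device, (count, total) in sorted(summarize(find_affected_devices(SAMPLE_LOG)).items()):
        print(f"{device}: {count} POSTs, {total} bytes sent")
```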