Malicious Browser Extensions Hijack Users’ AI Chats in New “Prompt Poaching” Attack
A new wave of malicious browser extensions is quietly harvesting sensitive user interactions with AI tools, now widely recognized as “prompt poaching.”
The expanding presence of AI assistants in everyday browsing has created a significant usability gap. Most users currently interact with AI tools within isolated tabs, often manually copying and pasting content for analysis or summarization purposes.
To bridge this limitation, developers introduced AI-powered browser extensions capable of accessing content across multiple tabs, enabling seamless workflows and real-time assistance.
However, security researchers warn that these extensions are actively monitoring AI conversations and exfiltrating the data to attacker-controlled servers without user awareness.
Despite this convenience, there is a significant cost. By deeply integrating with browser activity, these extensions gain visibility into sensitive user data, including emails, financial information, and confidential documents.
Malicious Browser Extensions
According to security firm Secure Annex, multiple incidents over the past month have highlighted malicious Chrome extensions involved in unauthorized data collection.
These extensions often mimic legitimate tools but contain hidden functionality designed to monitor specific AI-related browser tabs.
Upon detecting an AI interface, the extension captures both user prompts and AI-generated responses. This is typically done through techniques like API interception or Document Object Model (DOM) scraping.
The collected data is then packaged and transmitted to external servers controlled by attackers.
This practice, termed “prompt poaching,” presents serious privacy and security risks, particularly as users increasingly rely on AI tools for both personal and professional tasks.
Many identified malicious extensions are clones of popular, trusted tools. Attackers replicate legitimate extensions and inject malicious code before distributing them via browser marketplaces.
Notable examples include fake versions of AI assistant extensions resembling those developed by AITOPIA. These clones maintain expected functionality while secretly exfiltrating user data. Some identified extensions include:
- Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI (ID: fnmihdojmnkclgjpcoonokmkhjpjechg).
- AI Sidebar with Deepseek, ChatGPT, Claude, and more (ID: inhcgfpbfdjbjogdfjbclgolkmhnooop).
- Talk to ChatGPT (ID: hoinfgbmegalflaolhknkdaajeafpilo).
In other scenarios, legitimate extensions have been retrofitted with malicious capabilities after gaining a substantial user base.
The Urban VPN Proxy extension is a notable case, where threat actors introduced AI conversation harvesting functionality post-deployment, affecting existing users without requiring reinstallation.
Security and Business Risks
Stolen AI conversations can contain highly sensitive corporate data or personally identifiable information (PII).
For organizations, this risk is particularly severe. Employees using compromised extensions may inadvertently expose intellectual property or confidential communications, potentially leading to significant regulatory and financial penalties.
Security experts recommend implementing these proactive measures to mitigate risks associated with AI-enabled browser extensions:
- Restricting installation of unapproved extensions using enterprise browser management tools or Group Policy.
- Preferring official extensions developed by trusted AI vendors or utilizing standalone desktop and mobile applications.
- Carefully reviewing extension permissions and avoiding tools requesting excessive access unrelated to their core functionality.
- Conducting periodic audits of installed extensions and monitoring for unusual network activity or connections to unknown domains.
- Identifying workflow gaps driving users towards unofficial tools and replacing them with sanctioned, secure alternatives.
As AI adoption continues to grow, so does the attack surface. Prompt poaching underscores the need for stricter controls and heightened awareness around browser-based AI integrations, where convenience must be balanced with security.