Millions of people now use AI platforms like ChatGPT, Claude, Copilot, Gemini, and DeepSeek every single day, sharing personal thoughts, work documents, and sensitive data without a second thought.
That trust, it turns out, is being quietly exploited. A growing wave of malicious Google Chrome extensions is secretly harvesting those conversations and sending them off to unknown servers, all while pretending to help users get more out of their AI tools.
The scale of this problem is hard to ignore. As of March 2026, AI-related Chrome extensions had already accumulated roughly 115 million users worldwide, according to Chrome Statistics 2026.
That enormous user base makes these extensions an attractive target for threat actors looking to scoop up valuable data with little effort and even less visibility.
Analysts at G Data published a report shared with Cyber Security News (CSN) exposing three specific extensions: Urban VPN, Smart Sidebar: ChatGPT, Claude and DeepSeek, and AI Assistant, now rebranded as Chat AI.
These add-ons carried strong ratings and large user counts on the Chrome Web Store, giving them a false air of credibility while their true behavior lurked beneath the surface.
What makes this campaign dangerous is the type of information being put at risk. Users routinely share deeply personal details, confidential business data, and medical information with AI platforms.
Whoever intercepts these conversations gains access to material that can be weaponized for fraud, blackmail, or corporate espionage with alarming ease.
The method these extensions use is calculated and deliberate. They quietly inject scripts into the browser, intercept outgoing network requests, and siphon off conversation data before it reaches its intended destination. Victims rarely notice because the AI platforms continue to function exactly as expected.
Malicious Browser Add-Ons
Urban VPN is the most widely recognized name in this group. Marketed as a free, privacy-focused tool with a 4.7-star rating, version 5.10.3 contained a hidden JavaScript file called “content.js” that targeted conversations across eight AI platforms, including ChatGPT, Claude, Copilot, Gemini, and DeepSeek.
Data collection ran continuously in the background, regardless of whether the VPN was even switched on.
The extension injected an executor script that intercepted network requests before they left the device, rerouting data through its own code.
Smart Sidebar took a similar approach: in version 1.9.6, it embedded a file called “aiResponder.js” inside a directory labeled “gptprocessor,” monitoring visits to ChatGPT and DeepSeek and capturing each chat interaction as it occurred.
Smart Sidebar’s collected data was encoded in Base64 and sent via a POST request to the domain “deepaichats[.]com,” already flagged by multiple security vendors on VirusTotal.
The encoded payload carried the unique chat ID, the AI platform visited, a timestamp, and the full conversation, forming a complete record of everything the user typed and received.
iFrame Injection and the Chat AI Threat
The third extension, AI Assistant, now called Chat AI, used a different but equally concerning approach. Despite holding a “Featured” badge from the Chrome Web Store and over 70,000 users, version 3.3.4 embedded a remotely loaded chat interface inside a hidden iframe.
It pulled user preferences from browser storage and forwarded that data to a newly registered, unverified external URL through a messaging system.
This iframe injection allowed the extension to sit between the user and the AI platform, quietly observing everything passing through it. Because the interface looked and behaved like a real assistant, users had no reason to suspect anything was wrong.
G Data recommends installing extensions only from trusted, official sources. Applying the Principle of Least Privilege is also key, meaning extensions should only receive the minimum permissions they need for their intended function.
Users should regularly review installed add-ons and remove anything requesting access it does not need. In organizational settings, administrators should enforce group policies that restrict browser extensions from accessing sensitive platforms, including AI tools.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 524C953E23FF8B768206CF33A529C11AC5510E47CBF6246DB79EE671D1231716 | Urban VPN malicious extension hash |
| Extension ID | eppiocemhmnlbhjplcgkofciiegomcon | Urban VPN Chrome Extension ID |
| Detection | Script.Trojan-Stealer.AIStealer.08LJNB | Urban VPN malware detection name |
| SHA256 | C984787CCD787629542DA68302ED4CEB48FC7E458EAB1C15BF45C3070883D26A | Smart Sidebar malicious extension hash |
| Extension ID | fnmihdojmnkclgjpcoonokmkhjpjechg | Smart Sidebar Chrome Extension ID |
| Detection | Script.Trojan-Stealer.AIStealer.8HGRSW | Smart Sidebar malware detection name |
| SHA256 | F8CBE44FDE6914BC8D06426C03C92ED536C891470292E567A586B54AF29C2442 | Chat AI (AI Assistant) malicious extension hash |
| Extension ID | fnmihdojmnkclgjpcoonokmkhjpjechg | Chat AI Chrome Extension ID |
| Detection | Script.Trojan.AiFrame.703FYD | Chat AI malware detection name |
| Domain | deepaichats[.]com | Exfiltration endpoint used by Smart Sidebar |
| URL | hxxps://deepaichats[.]com/ext/aimodel | POST request destination for stolen AI chat data |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
