DEV Community: Manu

Malicious Chrome Extensions Steal AI Chats

Manu — Sat, 03 Jan 2026 01:08:42 +0000

Almost 900,000 people had their private AI conversations silently stolen by fake Chrome extensions that looked like normal AI assistant tools. If you depend on AI for work, research, or coding, this is not just a tech story—it is a direct security and privacy issue.

AI chat security is now a core part of AI productivity tools, especially for professionals in Canada and worldwide who use platforms like ChatGPT, DeepSeek, and Perplexity every day. This guide explains what happened, why it matters, and how to build safer AI workflows using usebetterai.com-style practices.

What Happened in the 900K AI Chat Theft Campaign?

Two malicious Chrome extensions pretended to be legitimate AI assistant tools and quietly stole users’ AI conversations and browsing data. They targeted popular AI platforms, including ChatGPT and DeepSeek, and even appeared trustworthy inside the Chrome Web Store.

The campaign was discovered by OX Security’s research team in late 2025.

The fake extensions mimicked AITOPIA, a real AI sidebar extension, copying its interface and behavior.

Once installed, they scraped AI chats directly from the browser and sent the data to attacker-controlled servers every 30 minutes.

The Featured Extension Problem
One of the malicious extensions carried Google’s “Featured” badge, which usually signals that an extension follows security and UX best practices. This made it look especially safe to non-technical users.

The two identified rogue extensions together had over 900,000 downloads.

OX Security reported them to Google on December 29, 2025, but they remained available at least through December 30.

This shows that even “Featured” or “Recommended” browser extensions cannot be assumed safe when handling sensitive AI content.

How These Malicious AI Extensions Actually Work

To protect yourself, it helps to understand how these extensions steal data under the hood. The techniques used in this campaign are becoming common in AI-related malware.

Step-by-Step: From Install to Exfiltration
Once a user installs one of these malicious extensions, a predictable chain of events follows.

Unique tracking ID created

The extension assigns a unique user ID and starts tracking your browsing sessions.

Monitoring your tabs and URLs

Using Chrome’s tabs APIs, the extension watches when you open ChatGPT, DeepSeek, or other AI tools.

It also collects active tab URLs, exposing your research topics, internal tools, and sometimes query parameters.

Scraping AI conversations from the DOM

When you are on an AI chat page, the extension reads the Document Object Model (DOM) and pulls both your prompts and the AI responses.

This can include confidential project details, source code, clinical notes, or internal company plans.

Encoding and sending the data out

The stolen data is encoded in Base64 and sent to command-and-control servers such as deepaichats[.]com and chatsaigpt[.]com.

Uploads are batched and sent roughly every 30 minutes to hide in normal traffic patterns.

Silent updates keep the attack alive

Extensions can receive automatic updates that add or change malicious behavior without any user approval.

This “sleeper agent” pattern lets a harmless extension turn dangerous months later.

Why AI Conversations Are a Goldmine

For attackers, AI chats are rich, structured data. They can include:

Product roadmaps, business strategies, or customer data.

Source code and internal architecture details from developers.

Clinical summaries or protocol-related notes from research staff (even if de-identified).

The value of these chats makes them a prime target in 2026’s AI cybersecurity landscape.

Not Just One Incident: VPN Extensions, Featured Badges, and 8 Million Logged AI Chats
The 900,000-user campaign is part of a wider pattern: browser extensions marketed as “privacy tools” or “productivity tools” quietly logging AI conversations at scale.

The Free VPN and “Privacy” Extension Problem

In December 2025, Koi Security revealed that several free VPN and privacy-related Chrome and Edge extensions with more than 8 million downloads were capturing AI conversations.

Extensions like Urban VPN Proxy and related tools intercepted conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and other AI platforms.

JavaScript code embedded in these extensions overrode core browser functions like fetch() and XMLHttpRequest, allowing real-time interception of user inputs and AI responses.

Some of these were also labeled as “Featured” on the browser extension stores.

Users often installed these extensions to increase privacy, but instead their AI conversations were monetized and logged without clear consent.

Enterprise Extension Risk: 99% Usage, 53% High-Risk Permissions
An enterprise browser extension security report in 2025 found:

99% of enterprise users have at least one browser extension installed.

Over half run more than 10 extensions at the same time.

53% of users have at least one extension with “high” or “critical” permission scopes, able to access cookies, passwords, browsing data, and full page contents.

For organizations that embrace AI-powered productivity—from clinical research sites to software teams—this means nearly every employee represents a potential attack vector via browser extensions.

How AI World Models Are Changing Video Games

Manu — Sat, 03 Jan 2026 01:05:04 +0000

AI “world models” are new tools that can build entire 3D game worlds from simple text or images, almost like a game engine on autopilot. Companies such as World Labs and Google DeepMind see this as a way to make game development faster, cheaper, and more creative. At the same time, European game worker unions worry that these tools will be used to cut jobs and worsen working conditions.

What Are AI World Models?

World models are advanced AI systems that simulate 3D environments, including objects, spaces, and how things move and interact. Instead of drawing every tree, building, or room by hand, developers can describe what they want and let the model generate a full scene.

World Labs’ Marble can turn text prompts, photos, videos, or rough 3D layouts into complete, editable 3D worlds.

DeepMind’s Genie 3 can create minutes of real-time, interactive 3D environments at HD resolution from simple prompts, generating one frame at a time while keeping the scene consistent.

These models export assets as meshes or similar formats that can be imported into game engines like Unity or Unreal, instead of trying to replace them completely.

For non-technical people, you can think of this as “Photoshop for worlds” rather than just pictures.

Why Game Studios Are Excited

Large “triple‑A” games now often cost hundreds of millions of dollars and many years of work, which puts extreme pressure on teams. AI world models promise to handle some of the repetitive, time‑consuming work so humans can focus on design and storytelling.

Key benefits studios are hoping for:

Lower costs and faster production

Generating large background environments and ambient spaces automatically could shrink art and level‑design time.

Smaller teams might build bigger worlds that previously required large studios and huge budgets.

More room for creative experiments

DeepMind researchers say game creation is already changing and could be “completely transformed” in the next few years.

A producer who moved from Ubisoft to DeepMind hopes world models will free teams to “discover the fun,” try new ideas, and take more creative risks instead of spending all their time on production grind.

New uses beyond games

World Labs’ Marble is already being pitched for virtual production, visual effects, and VR experiences, not just gaming.

Why Workers and Unions Are Pushing Back

While companies talk about creativity and efficiency, many workers are worried about job security, stress, and how AI will actually be used.

Major concerns include:

Layoffs and weaker job security

European game unions say tens of thousands of industry jobs have disappeared in recent years while AI tools and cost‑cutting spread.

Their joint statement warns that generative AI is being imposed alongside layoffs and strict “return to office” rules, undermining working conditions.

Loss of control over tools and workflow

Unions argue that AI is often introduced without meaningful input from staff, even though it directly affects their daily work and career paths.

They describe this as part of a broader pattern of mismanagement in the games industry, not just a tech issue.

Ethical and quality worries from developers

Surveys like the GDC State of the Industry report show more developers now see generative AI as harmful to the industry, citing IP theft, energy use, and lower‑quality content.

In short, studios see AI as a way to “do more with less,” while many workers fear it will mean “do the same or more with fewer people.”

Malicious Chrome Extensions Steal AI Chats: How to Protect Your Conversations in 2026

Manu — Sat, 03 Jan 2026 01:01:40 +0000

What Happened in the 900K AI Chat Theft Campaign?

The campaign was discovered by OX Security’s research team in late 2025.

The fake extensions mimicked AITOPIA, a real AI sidebar extension, copying its interface and behavior.

Once installed, they scraped AI chats directly from the browser and sent the data to attacker-controlled servers every 30 minutes.

The Featured Extension Problem

One of the malicious extensions carried Google’s “Featured” badge, which usually signals that an extension follows security and UX best practices. This made it look especially safe to non-technical users.

The two identified rogue extensions together had over 900,000 downloads.

OX Security reported them to Google on December 29, 2025, but they remained available at least through December 30.

This shows that even “Featured” or “Recommended” browser extensions cannot be assumed safe when handling sensitive AI content.

How These Malicious AI Extensions Actually Work

To protect yourself, it helps to understand how these extensions steal data under the hood. The techniques used in this campaign are becoming common in AI-related malware.

Step-by-Step: From Install to Exfiltration

Once a user installs one of these malicious extensions, a predictable chain of events follows.

Unique tracking ID created

The extension assigns a unique user ID and starts tracking your browsing sessions.

Monitoring your tabs and URLs

Using Chrome’s tabs APIs, the extension watches when you open ChatGPT, DeepSeek, or other AI tools.

It also collects active tab URLs, exposing your research topics, internal tools, and sometimes query parameters.

Scraping AI conversations from the DOM

When you are on an AI chat page, the extension reads the Document Object Model (DOM) and pulls both your prompts and the AI responses.

This can include confidential project details, source code, clinical notes, or internal company plans.

Encoding and sending the data out

The stolen data is encoded in Base64 and sent to command-and-control servers such as deepaichats[.]com and chatsaigpt[.]com.

Uploads are batched and sent roughly every 30 minutes to hide in normal traffic patterns.

Silent updates keep the attack alive

Extensions can receive automatic updates that add or change malicious behavior without any user approval.

This “sleeper agent” pattern lets a harmless extension turn dangerous months later.

Why AI Conversations Are a Goldmine

For attackers, AI chats are rich, structured data. They can include:

Product roadmaps, business strategies, or customer data.

Source code and internal architecture details from developers.

Clinical summaries or protocol-related notes from research staff (even if de-identified).

The value of these chats makes them a prime target in 2026’s AI cybersecurity landscape.

The Free VPN and “Privacy” Extension Problem

In December 2025, Koi Security revealed that several free VPN and privacy-related Chrome and Edge extensions with more than 8 million downloads were capturing AI conversations.

Extensions like Urban VPN Proxy and related tools intercepted conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and other AI platforms.

JavaScript code embedded in these extensions overrode core browser functions like fetch() and XMLHttpRequest, allowing real-time interception of user inputs and AI responses.

Some of these were also labeled as “Featured” on the browser extension stores.

Users often installed these extensions to increase privacy, but instead their AI conversations were monetized and logged without clear consent.

Enterprise Extension Risk: 99% Usage, 53% High-Risk Permissions
An enterprise browser extension security report in 2025 found:

99% of enterprise users have at least one browser extension installed.

Over half run more than 10 extensions at the same time.

53% of users have at least one extension with “high” or “critical” permission scopes, able to access cookies, passwords, browsing data, and full page contents.

For organizations that embrace AI-powered productivity—from clinical research sites to software teams—this means nearly every employee represents a potential attack vector via browser extensions.

Why This Matters for Professionals Using AI Every Day

If you are a web developer, clinical researcher, or knowledge worker using AI as a core tool, these attacks are not abstract. They directly affect your work, compliance obligations, and, in some cases, patient or client confidentiality.

High-Risk Use Cases
You are especially at risk if you:

Paste internal code, credentials, or infrastructure details into ChatGPT, DeepSeek, or Perplexity.

Summarize internal SOPs, study protocols, or regulatory documents inside AI tools.

Use AI to draft agreements, HR decisions, or sensitive corporate communications.

When malicious extensions scrape AI conversations, they gain:

Internal naming conventions, URLs, and system structures.

Business strategy and research plans.

Potentially identifiable fragments that, when combined, may violate contracts or regulations.

As AI becomes a core productivity layer in 2026, attackers are following the data.