DomainGuard

Malicious AI Chrome Extensions (Prompt Poaching)

Fraud operators distribute malicious browser extensions disguised as AI sidebar tools to perform DOM scraping on ChatGPT and DeepSeek, exfiltrating sensitive prompts, responses, and session data.

Screenshot of the deceptive Chrome Web Store listing for the malicious AI extension, showing the 'Featured' badge used to build false trust.
Screenshot of the deceptive Chrome Web Store listing for the malicious AI extension, showing the 'Featured' badge used to build false trust.
First Seen
2025
Status
Active in the wild
Chrome Extension Prompt Poaching DOM Scraping ChatGPT Data Exfiltration Credential Theft 5 min read

What it is

“Prompt Poaching” is a data theft technique executed by malicious browser extensions disguised as helpful AI productivity tools. In late 2025 and early 2026, a massive campaign distributed extensions impersonating legitimate services like AITOPIA, presenting themselves as “AI Sidebars” or unified interfaces for ChatGPT, Claude, and DeepSeek.

These extensions successfully gained over 900,000 installations, with some even earning a “Featured” badge on the Chrome Web Store. Once installed, they abuse broad browser permissions to monitor the user’s active tabs and silently scrape sensitive data from AI chatbot interfaces.

How it works

  1. Deceptive Installation and Permissions. The user installs the extension from the Web Store. During setup, the extension requests permission to “Read and change all your data on the websites you visit,” often burying this broad access under a fake privacy policy hosted on platforms like Lovable.dev, claiming to only collect “anonymous, non-identifiable analytics.”
  2. Targeted DOM Scraping. The malware actively monitors the browser’s active tabs. When the user navigates to specific high-value targets like chatgpt.com or deepseek.com, the extension injects JavaScript to perform DOM (Document Object Model) scraping.
  3. Data Harvesting. The injected script reads the text directly from the chat window in real time. It captures both the user’s prompts (which may contain proprietary code, internal strategies, or PII) and the AI’s responses.
  4. Exfiltration. Approximately every 30 minutes, the harvested data is Base64-encoded. The extension packages the chat logs, session tokens (enabling account takeover), and a list of all currently open tab URLs (revealing internal corporate structures or intranet applications).
  5. C2 Communication. This payload is exfiltrated via background requests to attacker-controlled command-and-control (C2) domains, such as chatsaigpt[.]com or deepaichats[.]com.
  6. Persistence. The threat actors use overlapping extension networks. If a user uninstalls one malicious extension, a redirect may trigger, prompting them to install a “backup” or “updated” version of the same malware under a different name.

Why it still works

  • The Illusion of Utility. Fraud operators love “helpful” tooling. A sidebar that promises to combine GPT-5, Claude, and DeepSeek into one window provides immense perceived value, encouraging users to ignore permission warnings.
  • Trust in Badges. The presence of a “Featured” badge on the Chrome Web Store provides a false sense of security, bypassing the user’s natural skepticism.
  • Browser-Level Visibility. If an extension can read the page, it can read the chats. This technique scales effortlessly because the browser naturally decrypts TLS traffic to render the page, allowing the extension to steal the data post-decryption.

Signals to watch for

  • Overly Broad Permissions. Extensions requesting “Read and change all your data” when their advertised functionality only requires access to a specific site or sidebar.
  • Outbound Traffic to Lookalike Domains. Network telemetry showing regular outbound connections to domains mimicking AI brands (e.g., chatsaigpt[.]com) from the browser process, especially if the user is not actively interacting with the extension.
  • Unexpected Redirects. Users experiencing automated redirects to the Chrome Web Store after uninstalling an extension.
  • Session Token Anomalies. Unexplained session hijacking or access to AI accounts originating from IP addresses that do not match the user’s typical location.

Why it appears here

Prompt Poaching turns user trust into persistent telemetry. As organizations increasingly rely on LLMs for development and strategy, the chat window has become one of the most sensitive surfaces on the endpoint. We track these malicious extensions because they bypass network security controls by operating directly within the browser, demonstrating why strict, “deny-by-default” extension policies are necessary for corporate environments.

Indicators of compromise

Command and Control (C2) Domains

  • chatsaigpt[.]com
  • deepaichats[.]com

Known Malicious Extension IDs

  • fnmihdojmnkclgjpcoonokmkhjpjechg (“Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI”)
  • inhcgfpbfdjbjogdfjbclgolkmhnooop (“AI Sidebar with Deepseek, ChatGPT, Claude, and more”)

Further reading

All Threats