Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious Chrome Web Store extensions exfiltrating ChatGPT and DeepSeek conversations

Malware Activity
First reported
Last updated
Happening score
H score 51
2 unique sources, 2 articles

Summary

Hide ▲

Malicious Chrome extensions were used to exfiltrate ChatGPT and DeepSeek conversations from active browser sessions, alongside Chrome tab URLs and other browsing context, to attacker-controlled C2 servers. Researchers said the add-ons collected prompts and answers by monitoring tabs and using API interception or DOM scraping, then sent the data out on a recurring schedule. The campaign relied on legitimate-looking listings and impersonated a trusted AITOPIA extension, making the abuse harder to spot. The scale of the issue is significant because the extensions were tied to 900,000+ users and remained available at disclosure time, creating exposure for sensitive prompts, customer data, and internal web activity.

Related Happenings

IPhone AI chatbot traffic leak of API keys, replayable tokens, and open relays

Technical Analysis
H score27 First: 30.06.2026 16:49 Last: 30.06.2026 16:49 Sources 1

About this happening: **LLMKeyLens** testing found **444 iPhone AI chatbot apps** leaking **paid AI access**, exposing **API keys**, **replayable tokens**, and **open relays** that let others bill mode...

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Chrome extension PUP distribution network with fake organic traffic

Malware Activity
H score18 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...

LLMShare ChatGPT share-link malware lure campaign

Campaign
H score47 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...

Timeline

  1. 06.01.2026 19:21 3 articles · 6mo ago

    Malicious Chrome extensions exposed

    Initial Disclosure

    Researchers disclosed two malicious Chrome Web Store extensions, Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude, and more., that impersonated a legitimate AITOPIA add-on and exfiltrated ChatGPT and DeepSeek conversations plus Chrome tab URLs to attacker-controlled C2 servers every 30 minutes. The extensions were still available for download at the time of disclosure, and one had already been stripped of its Featured badge.

    Show sources