24 Apr 2026

Ensure Chrome extensions don't lead to compromise

Recent Chrome extension compromises show why regularly auditing your browser attack surface can save headaches, time and money.

The new attack surface for browser extensions

In late 2025, researchers at OX Security identified two Chrome browser extensions that had accumulated over 900,000 installations while quietly exfiltrating user data to attacker-controlled infrastructure. Both extensions impersonated a legitimate AI sidebar product called AITOPIA, a tool that lets users interact with large language models like ChatGPT and DeepSeek from within the browser. The malicious versions functioned as advertised, which is part of what made detection difficult.

The mechanism was not sophisticated in the traditional sense. The extensions requested permission to read all website content, which is a broad but common extension permission, and used Chrome's tab monitoring API to detect when a user navigated to ChatGPT or DeepSeek. When they did, the extension scraped the conversation content from the page, staged it locally, and transmitted it to a remote command-and-control server in batches every 30 minutes. The extensions also collected all open tab URLs, search queries, and URL parameters that could contain session tokens and authentication data.

One of the two extensions had been granted Google's "Featured" badge, a trust signal that appears to have increased both its discoverability and the confidence users placed in it. Its privacy policy stated that no personal information was collected and that all data remained local. Neither statement was accurate.

The data exfiltrated across 900,000 users included complete AI conversation histories. For individual users, that might mean personal queries, medical questions, or financial discussions. For employees using AI tools in a work context, and the research suggests a significant portion did, it means source code, client briefs, legal advice, business strategy, and whatever else was fed into ChatGPT or DeepSeek during the course of work. Reco.ai, writing about the incident from a SaaS security perspective, characterised browser extensions as a security blind spot that traditional enterprise controls do not adequately address, and they are right.

Why extensions evade normal governance

The enterprise software stack in most Australian organisations has reasonably mature procurement and access governance for the tools it can see. OAuth integrations go through IT review. Service accounts are provisioned with defined scopes. New SaaS applications require at least informal sign-off before connecting to corporate identity providers.

Browser extensions exist in a different category. They are installed directly by end users, often without any approval process, and they operate with permissions granted at installation that persist indefinitely. They are not OAuth applications requesting defined scopes from a specific API; they are code running inside the browser process itself, with access to everything the browser can see. That includes authenticated sessions, clipboard content, form data, and the full content of any page the user visits.

The ShadyPanda campaign, which ran undetected for approximately seven years and compromised 4.3 million users, is an earlier illustration of the same structural problem. Urban VPN Proxy, with six million users, is another. These are not isolated incidents that resulted from unique vulnerabilities; they are a consistent pattern of exploitation in a category of software that organisations have not learned to treat with the same discipline applied to other enterprise tooling.

The AITOPIA impersonation in the OX Security research adds a supply chain dimension. The malicious extensions were not obviously fake. They reproduced the legitimate product's functionality, used similar branding, and appeared in the Chrome Web Store alongside the genuine article. Users who searched for an AI sidebar tool and installed what looked like a well-reviewed, featured option had no practical means of identifying the threat without examining the extension's network traffic. Endpoint detection and response tools are poorly positioned to do that for browser extension activity.

The AI conversation as a data class

The specific targeting of AI conversations in this campaign is worth sitting with. It is not a coincidence. AI tools have rapidly become a primary interface through which employees interact with sensitive information: drafting communications, summarising documents, developing code, and thinking through complex problems. The conversations stored in ChatGPT or processed through a browser-based AI sidebar are a high-density record of what an employee was working on, what they were uncertain about, and what information they fed into the process.

This is different from stealing a database of credentials or a CRM export. Those are structured, bounded datasets. An AI conversation history is contextually rich: it contains the question and the framing of the question, the document excerpts pasted in for summarisation, the draft contracts sent for improvement, the client matters discussed as background. For professional services firms, legal practices, financial advisers, and healthcare providers, that category of information carries significant regulatory weight in addition to its intelligence value to an adversary.

The research from OX Security noted that threat actors can now use automated tooling and LLMs themselves to process exfiltrated conversation data at scale, identifying high-value targets, extracting credentials or API keys mentioned in passing, and surfacing confidential material that would have required manual review to locate previously. The volume problem that might once have made mass conversation exfiltration impractical no longer applies.

What a browser extension audit covers

Treating browser extensions with the same governance discipline applied to OAuth integrations and SaaS applications requires tooling and process that most organisations do not currently have in place; it is not, however, a novel problem to solve.

At the inventory layer, the starting point is knowing what extensions are installed across the device fleet. Managed Chrome environments can enumerate extensions via the Google Workspace admin console or equivalent MDM tooling. Unmanaged or bring-your-own-device environments require a different approach, but the first step remains the same: establish what is there before assessing what should not be.

At the permission layer, extensions that hold broad permissions, such as the ability to read all website content, access to all URLs, or clipboard access, warrant individual review against their stated purpose. An extension that claims to be a grammar checker and holds permissions to read all page content has a plausible reason for that permission. An extension claiming to be a colour picker with the same scope does not.

At the network layer, extensions that establish persistent outbound connections to external infrastructure deserve scrutiny regardless of their stated function. Most productivity extensions do not need to transmit data to remote servers in 30-minute batches. Anomalous outbound traffic from the browser process is a detectable signal, provided endpoint monitoring is configured to look for it.
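The inventory and permission checks described above, sketched as an added example (not code from Artificer Cyber or OX Security). It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>/manifest.json`; the permission shortlist and the two sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions tied to tab URLs, clipboard, cookies and browsing history.
SENSITIVE_APIS = {"tabs", "clipboardRead", "cookies", "history", "webRequest"}

def _strings(manifest, key):
    """String entries of a manifest list; non-string entries are ignored."""
    return {v for v in manifest.get(key) or [] if isinstance(v, str)}

def assess_manifest(manifest):
    """Return the broad host patterns and sensitive APIs a manifest requests."""
    declared = _strings(manifest, "permissions") | _strings(manifest, "optional_permissions")
    hosts = _strings(manifest, "host_permissions")            # Manifest V3
    hosts |= _strings(manifest, "optional_host_permissions")
    for script in manifest.get("content_scripts") or []:      # scripts injected into pages
        hosts |= _strings(script, "matches")
    hosts |= declared                                          # MV2 lists hosts in "permissions"
    return {
        "name": manifest.get("name", "?"),
        "broad_hosts": sorted(hosts & BROAD_HOSTS),
        "sensitive_apis": sorted(declared & SENSITIVE_APIS),
    }

def audit_profile(extensions_dir):
    """Walk <extensions_dir>/<id>/<version>/manifest.json and list every
    extension able to read all sites, for review against its stated purpose."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            result = assess_manifest(manifest)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        if result["broad_hosts"]:
            findings.append({"id": path.parts[-3], **result})
    return findings

# Constructed sample manifests (not taken from any real extension).
SIDEBAR = {"name": "Example AI Sidebar", "manifest_version": 3,
           "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]}
PICKER = {"name": "Example Colour Picker", "manifest_version": 3,
          "permissions": ["activeTab"]}

if __name__ == "__main__":
    for sample in (SIDEBAR, PICKER):
        print(assess_manifest(sample))
```

A finding here is a prompt for review, not a verdict: the grammar checker and the colour picker from the permission-layer paragraph would both be listed if they held all-site access, and the reviewer decides which one has a plausible reason.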

For AI tools specifically, a category that is growing rapidly, organisations would benefit from defining explicitly which AI platforms are sanctioned for work use, what categories of information employees are permitted to share with them, and whether browser-based AI extensions fall within acceptable use policy. Most organisations have not yet written those policies, which means employees are making individual judgements about what constitutes acceptable AI use without a framework to refer to.

Where Artificer Cyber fits in this picture

The browser extension problem is a governance and visibility problem before it is a technical one. Most organisations that have experienced extension-related data exposure did not lose data because their defences were technically circumvented; they lost it because no one was watching a category of software that had been left entirely to end users.

Artificer Cyber reviews browser extension posture as part of broader AI and SaaS governance assessments, combining technical inventory and permission analysis with Artificer Legal's input on NDB exposure and acceptable use policy design. If your organisation has moved to AI-assisted workflows without revisiting what employees are installing in the browser to support them, that gap is worth closing before an incident makes it visible. Reach out at /#contact.
