Threat Insight

Chrome Extensions Steal ChatGPT and DeepSeek Conversations

Two malicious Chrome extensions impersonating the legitimate AITOPIA AI sidebar were discovered[1]. They masquerade as tools for ChatGPT, DeepSeek, and Claude but secretly exfiltrate user data, requesting consent for “nameless analytics” to mask the theft. Stolen data could include, but is not limited to, ChatGPT and DeepSeek conversations, including proprietary code, corporate strategies, and personally identifiable information (PII).


Full browsing histories are also exfiltrated, exposing organizational structures, tokens, and internal URLs.

The Chrome extensions involved are “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” with over 600,000 installs and “AI Sidebar with Deepseek, ChatGPT, Claude and extra” with over 300,000 installs, which puts the total number of potentially affected users at over 900,000.

Affected Products

Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI ID: fnmihdojmnkclgjpcoonokmkhjpjechg, version 1.9.6

AI Sidebar with Deepseek, ChatGPT, Claude and extra ID: inhcgfpbfdjbjogdfjbclgolkmhnooop

Truesec strongly recommends checking for the extension IDs and uninstalling the extensions immediately. Update passwords for accounts accessed via ChatGPT, DeepSeek, or any sites visited while the extensions were active. As a precaution, make sure multi-factor authentication is enabled on critical accounts to mitigate credential theft.

Additionally, if users are compromised, review the leaked chat history for sensitive data (e.g., passwords, API tokens) and rotate as needed. Also check for connections to the C2 and hosting server domains.

Detection

SHA256:
98d1f151872c27d0abae3887f7d6cb6e4ce29e99ad827cb077e1232bc4a69c00
20ba72e91d7685926c8c1c5b4646616fa9d769e32c1bc4e9f15dddaf3429cea7

Extension ID:

fnmihdojmnkclgjpcoonokmkhjpjechg
inhcgfpbfdjbjogdfjbclgolkmhnooop

C2:
deepaichats[.]com
chatsaigpt[.]com

Hosting Servers:
chataigpt[.]pro
chatgptsidebar[.]pro
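
One way to check for these indicators, added here as an example and not part of the original advisory: it looks for the two extension IDs under a Chrome user-data directory and matches the listed domains in DNS or proxy log lines. The on-disk layout `<User Data>/<profile>/Extensions/<id>/<version>`, the function names, and the sample profile tree and log lines are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators copied from this advisory (domains refanged for matching).
BAD_EXTENSION_IDS = {
    "fnmihdojmnkclgjpcoonokmkhjpjechg",
    "inhcgfpbfdjbjogdfjbclgolkmhnooop",
}
BAD_DOMAINS = {"deepaichats.com", "chatsaigpt.com",
               "chataigpt.pro", "chatgptsidebar.pro"}
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def find_extensions(user_data_dir):
    """Return sorted (profile, extension_id, versions) for listed IDs found on disk."""
    # Assumed layout: <User Data>/<profile>/Extensions/<id>/<version>/
    hits = []
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.is_dir() and ext_dir.name.lower() in BAD_EXTENSION_IDS:
            versions = sorted(v.name for v in ext_dir.iterdir() if v.is_dir())
            hits.append((ext_dir.parent.parent.name, ext_dir.name, versions))
    return sorted(hits)

def find_domain_hits(log_lines):
    """Return (line_no, host) where host equals or is a subdomain of a listed domain."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line.lower()):
            # Exact or dot-anchored suffix match, so look-alike names do not hit.
            if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
                hits.append((no, host))
    return hits

def demo():
    """Run both checks on constructed data: a fake profile tree and a fake DNS log."""
    with tempfile.TemporaryDirectory() as root:
        ext = Path(root, "Default", "Extensions")
        (ext / "fnmihdojmnkclgjpcoonokmkhjpjechg" / "1.9.6_0").mkdir(parents=True)
        (ext / "aaaabbbbccccddddeeeeffffgggghhhh" / "2.0_0").mkdir(parents=True)
        found = find_extensions(root)
    log = ["2025-01-01T10:00:00 query A www.example.org",      # constructed
           "2025-01-01T10:00:05 query A api.deepaichats.com",  # constructed
           "2025-01-01T10:00:09 query A notchatsaigpt.com"]    # constructed
    return found, find_domain_hits(log)

if __name__ == "__main__":
    print(demo())
```

Point `find_extensions` at the real user-data directory, for example `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows or `~/.config/google-chrome` on Linux, and feed `find_domain_hits` the lines of a DNS or proxy log export.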

References

[1] https://cyberwebspider.com/blog/cyber-security-news/malicious-chrome-extension-steal-chatgpt-and-deepseek-conversations-from-900k-users/
