
Malicious Ad-blocker Extensions Exfiltrate AI Chat Data

By LDS Team

Relevance Score: 7.1

Editorial analysis: For practitioners, browser-side extensions with broad page access create a straightforward vector for sensitive prompt and response leakage, changing threat models for prompt engineering and data governance. Notebookcheck reports that security researchers at MalExt Sentry uncovered a campaign they call "PromptSnatcher" on June 13, 2026, in which two extensions posing as ad blockers - "Smart Adblocker" (extension ID iojpcjjdfhlcbgjnpngcmaojmlokmeii, about 80,000 users) and "Adblock for Browser" (ID jcbjcocinigpbgfpnhlpagidbmlngnnn, about 10,000 users) - quietly recorded conversations from roughly 90,000 users. Notebookcheck writes that the extensions captured chats from eight AI platforms, including ChatGPT, Gemini, and Claude, storing up to 10,000 characters of prompts and 30,000 characters of responses and sending the data to developer servers via an internal engine the researchers call Panel 231.

Editorial analysis - practitioner significance: Browser extensions that render page content or intercept site traffic are a persistent, underappreciated source of data-exfiltration risk for AI workflows. Prompts and completions often contain sensitive personal and corporate data, so extensions with page-level access can effectively bypass application-layer privacy expectations used in model selection, auditing, and compliance.

What happened

Notebookcheck reports that security researchers at MalExt Sentry disclosed a campaign they named PromptSnatcher on June 13, 2026. The researchers attribute the activity to two browser extensions, Smart Adblocker (extension ID iojpcjjdfhlcbgjnpngcmaojmlokmeii, approximately 80,000 users) and Adblock for Browser (extension ID jcbjcocinigpbgfpnhlpagidbmlngnnn, approximately 10,000 users). Notebookcheck writes that the extensions did block ads using public filter lists while also covertly recording conversations on eight AI platforms, including ChatGPT, Gemini, Claude, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The report states the captured payload can include up to 10,000 characters of prompts and up to 30,000 characters of responses, plus metadata such as model choice and subscription status, and that collected data was transmitted to developer servers using an internal system researchers refer to as Panel 231.

Observed behaviors: According to Notebookcheck, the extensions concealed data collection behind a consent option labeled "Enhanced Protection" without disclosing that AI chats were being recorded. The report also notes that, while Meta AI was not originally enumerated in the code, remote configuration could enable additional targeting later.

For practitioners: Treat browser extensions with page access as possible exfiltration endpoints when evaluating threat models for prompt engineering, data classification, and live demos. Review extension permissions, isolate sensitive work to controlled profiles or environments, and prefer platform-level privacy controls where available. These are general risk-management steps; they are not claims about any company's internal controls.
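As an added example (not code from Notebookcheck, MalExt Sentry, or the extensions themselves), the permission review suggested above can be scripted: the check below reads extension manifests, reports which AI chat sites each extension's host permissions or content scripts cover, and flags the two extension IDs reported on this page. The hostnames in `AI_HOSTS` and the sample manifests are assumptions constructed for illustration.

```python
import re

# Extension IDs reported on this page for the PromptSnatcher campaign.
REPORTED_IDS = {
    "iojpcjjdfhlcbgjnpngcmaojmlokmeii": "Smart Adblocker",
    "jcbjcocinigpbgfpnhlpagidbmlngnnn": "Adblock for Browser",
}
# Assumption: web hostnames of the eight platforms the page names.
AI_HOSTS = ["chatgpt.com", "gemini.google.com", "claude.ai", "copilot.microsoft.com",
            "www.perplexity.ai", "chat.deepseek.com", "grok.com", "www.meta.ai"]

PATTERN = re.compile(r"^(\*|[a-z]+)://([^/]*)/")

def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants access to https://host/."""
    if pattern == "<all_urls>":
        return True
    m = PATTERN.match(pattern)
    if not m or m.group(1) not in ("*", "https"):
        return False  # API permission name (e.g. "storage") or non-https scheme
    ph = m.group(2)
    if ph.startswith("*."):
        return host == ph[2:] or host.endswith(ph[1:])
    return ph in ("*", host)

def audit(ext_id, manifest):
    """Return (reported name or None, sorted AI hosts the extension can read)."""
    patterns = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        patterns += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    reach = sorted(h for h in AI_HOSTS if any(pattern_covers(p, h) for p in patterns))
    return REPORTED_IDS.get(ext_id), reach

# Constructed sample manifests (not taken from the real extensions).
SAMPLES = {
    "iojpcjjdfhlcbgjnpngcmaojmlokmeii": {"manifest_version": 3, "permissions": ["storage"],
                                         "host_permissions": ["<all_urls>"]},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest_version": 3, "permissions": ["activeTab"],
                                         "content_scripts": [{"matches": ["https://*.google.com/*"]}]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest_version": 3, "permissions": ["storage", "alarms"]},
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLES.items():
        name, reach = audit(ext_id, manifest)
        print(ext_id, f"reported as {name}" if name else "not reported", reach)
```

To audit a real Chrome profile, load each `manifest.json` under the profile's `Extensions/<id>/<version>/` directory and pass it to `audit` with the directory name as the ID. An extension that reaches every AI host is not malicious by that fact alone, but it belongs on the list of code able to observe prompts and responses.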

What to watch

Observers will track whether browser extension stores or vendors remove the identified extensions, whether affected developers publish disclosure statements, and whether further instances of the same infrastructure appear in other extensions. Notebookcheck is the reporting source for the details above, based on the MalExt Sentry disclosure.

Key Points

  1. Browser extensions with page-level access are a direct exfiltration vector for both prompts and model outputs, expanding attackers' data sources.
  2. Malicious extensions often remain installed by delivering core advertised functionality while harvesting sensitive data in the background.
  3. Practitioners using web-based LLMs should treat prompt and response content as potentially observable by third-party client-side code.

Scoring Rationale

Confirmed threat: two malicious browser extensions (Smart Adblocker, Adblock for Browser) harvested AI conversations from ~90,000 users across 8 platforms including Claude, ChatGPT, and Gemini, capturing prompts up to 10,000 chars and responses up to 30,000 chars along with subscription tier data. Primary source is the MalExt Sentry technical report (June 13, 2026) with multiple independent corroborating outlets. Directly affects LDS audience who use web-based AI tools. Score 7.1 reflects real-world confirmed exfiltration at scale with a clear practitioner threat model.
