Malicious Chromium Extensions Harvest Enterprise LLM Chats

Microsoft Defender investigated malicious Chromium-based browser extensions that impersonated AI assistant tools and collected LLM chat histories and browsing data, reaching about 900,000 installs and impacting over 20,000 enterprise tenants. The extensions exfiltrated full URLs, chat snippets, model names, and persistent identifiers to domains such as deepaichats[.]com and chatsaigpt[.]com, creating significant privacy and compliance risks for organizations.
Key Points
- Collects full URLs, AI chat snippets, model names, and UUIDs from ChatGPT and DeepSeek sessions.
- Targets enterprise users; telemetry observed across more than 20,000 enterprise tenants, increasing leakage risk.
- Audit and restrict extensions, monitor POST traffic to known domains, and inspect impacted devices immediately.
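
An added example, not from the original report or from Microsoft: one way to act on the third point by scanning web proxy logs for POST requests to the two domains named above and grouping them by device. The log format, client names and sample lines are constructed assumptions; adapt the parser to your proxy's export.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the report, kept defanged in source and refanged at runtime.
DEFANGED_DOMAINS = ["deepaichats[.]com", "chatsaigpt[.]com"]
WATCHLIST = {d.replace("[.]", ".") for d in DEFANGED_DOMAINS}

# Constructed sample lines in an assumed proxy format:
# timestamp client method url request_bytes
SAMPLE_LOG = """\
2025-01-01T09:00:01Z host-a POST https://deepaichats.com/ 4821
2025-01-01T09:00:05Z host-a GET https://chatsaigpt.com/ 310
2025-01-01T09:01:10Z host-b POST https://API.ChatsAIGPT.com:443/ 9120
2025-01-01T09:02:00Z host-c POST https://notdeepaichats.com/ 200
2025-01-01T09:02:30Z host-c POST https://deepaichats.com.example.org/ 200
2025-01-01T09:03:00Z host-b POST https://intranet.example/ 150
malformed line
"""


def on_watchlist(host):
    """True for a watched domain or any subdomain of it, never a lookalike."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_uploads(log_text):
    """Return {client: [(timestamp, host, bytes), ...]} for POSTs to the watchlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the assumed format
        ts, client, method, url, size = parts
        host = urlsplit(url).hostname  # lowercased, port stripped
        if method.upper() == "POST" and on_watchlist(host):
            hits[client].append((ts, host, int(size)))
    return dict(hits)


if __name__ == "__main__":
    # Per-device summary: which machines to pull for extension inspection.
    for client, events in find_uploads(SAMPLE_LOG).items():
        total = sum(size for _, _, size in events)
        print(f"{client}: {len(events)} POST(s), {total} bytes sent")
```

Matching on the parsed hostname with a suffix boundary keeps lookalikes such as a watched name embedded in another registrable domain from producing false hits, while still catching subdomains.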
Scoring Rationale
Official Microsoft Defender telemetry and large-scale enterprise exposure drive a top impact score with clear mitigation guidance.


