A Chrome extension that promises security and privacy, has received good ratings from users and a “Featured” badge from Google, and is being used by more than 6 million people is actually collecting every prompt users put into 10 of the most popular AI chat platforms, including OpenAI’s ChatGPT, Google’s Gemini, Anthropic’s Claude, and Microsoft’s Copilot.
It then shares the information gathered – which includes not only the prompts but also the chatbot responses, conversation identifiers and timestamps, session metadata, and the AI platform and model used – with third parties like advertisers and data brokers, according to security researchers from startup Koi Security.
To make matters worse, the researchers began looking for similar extensions and found seven others from the same publisher and with the same functionality across both Chrome and Edge, upping the number of exposed users to 8 million, according to Idan Dardikman, co-founder and chief technology officer at Koi.
It’s the latest example of the security risks that people take when installing an extension to enhance their browsing experience.
“While browser extensions can be a useful tool for web users, they also create a significant set of security risks,” Hari Holla, senior product manager for CrowdStrike, wrote in a blog post earlier this year. “Think of a browser extension as a door – on one hand it opens the user to a world of new possibilities; on the other, it can also serve as a gateway to exploits.”
Legitimate extensions typically need significant permissions from the user to run properly but some request more access than what is needed, and “these permissions can be exploited, granting malicious actors access to sensitive data and confidential information, including web traffic, saved credentials, session cookies and clipboard data,” Holla wrote.
Koi’s Dardikman wrote in a report this week that “browser extensions occupy a unique position of trust. They run in the background, have broad access to your browsing activity, and auto-update without asking. When an extension promises privacy and security, users have little reason to suspect it’s doing the opposite.”
Koi researchers used the company’s Wings agentic AI risk engine to scan for browser extensions capable of reading and exfiltrating conversations from AI chat sessions, he wrote. High on the returned list was Urban VPN Proxy, a Chrome extension promising a free VPN for security and privacy, which Dardikman wrote is exactly the sort of extension a person who wants to protect their online privacy would install.
And more than 6 million people did, likely due in part to its 4.7-star rating from 58,000 reviews and the Featured badge, which requires passing a manual review and meeting Google’s requirements for a “high standard of user experience and design.”
According to Koi, the extension behaved as advertised for a while. Before version 5.5.0, it didn’t include the ability to harvest AI chat conversations. With version 5.5.0, AI harvesting was enabled by default, so users who installed the extension after that had their conversations grabbed and exfiltrated.
“Anyone who used ChatGPT, Claude, Gemini, or the other targeted platforms while Urban VPN was installed after July 9, 2025 should assume those conversations are now on Urban VPN’s servers and have been shared with third parties,” Dardikman wrote. “Medical questions, financial details, proprietary code, personal dilemmas – all of it, sold for ‘marketing analytics purposes.’”
Offering a legitimate extension and only later enabling the malicious capabilities echoes the recent case of ShadyPanda, a group that spent seven years uploading seemingly legitimate Chrome and Edge extensions to browser marketplaces to build trust and large user bases before weaponizing them with spyware and other threats through malicious updates.
With Urban VPN Proxy, when a user visits one of the designated AI chat platforms, the extension injects an “executor” script onto the page, with each platform having its own dedicated script. The script then overrides browser APIs that handle network requests, which Dardikman called “an aggressive technique.”
“The script wraps the original functions so that every network request and response on that page passes through the extension’s code first,” he wrote. “This means when Claude sends you a response, or when you submit a prompt to ChatGPT, the extension sees the raw API traffic before your browser even renders it.”
The script goes through the intercepted API responses to collect and package the conversation data and sends it to the content script. From there, the data is compressed and sent to Urban VPN servers, and then onto third parties.
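A defender-side check for the wrapping technique described above, written for this article and not taken from Koi’s report or the extension’s code. It relies on the fact that a script which replaces `window.fetch` or `XMLHttpRequest.prototype.send` with its own JavaScript function also changes what `Function.prototype.toString` reports; the `findWrappedNetworkApis` helper and the constructed demo root are assumptions.

```javascript
// Added example: best-effort detection of wrapped network APIs on a page.
// A browser built-in prints as "function name() { [native code] }"; a
// JavaScript wrapper installed by an injected script prints its own source.
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// Paths a harvesting script would plausibly wrap to see raw API traffic.
const DEFAULT_PATHS = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
  'Response.prototype.json',
  'Response.prototype.text',
];

// True when fn still looks like a browser built-in.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Call the prototype's toString so a per-function toString override is ignored.
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Walk a dotted path such as "XMLHttpRequest.prototype.send" from a root object.
function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Return the paths that exist on root but are no longer native functions.
function findWrappedNetworkApis(root, paths = DEFAULT_PATHS) {
  return paths.filter((p) => {
    const fn = resolvePath(root, p);
    return typeof fn === 'function' && !isNativeFunction(fn);
  });
}

// Constructed stand-in for a page: Math.max/Math.min play the untouched built-ins,
// and `send` has been replaced by the kind of pass-through wrapper the article describes.
function demoRoot() {
  const originalSend = Math.max;
  const wrapped = function (...args) {
    return originalSend.apply(this, args); // calls the original, can observe everything
  };
  return {
    fetch: Math.max,
    XMLHttpRequest: { prototype: { open: Math.min, send: wrapped } },
  };
}

// In a browser you would call findWrappedNetworkApis(globalThis) from DevTools.
```

This is a heuristic, not proof: a wrapper that also masks its source or is created with `bind()` still prints as native code, so a clean result is absence of evidence rather than evidence of absence.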
The identical harvesting functionality is found in three other extensions in the Chrome Web Store – one advertised as a VPN proxy, the other two as a browser guard and an ad blocker – and in four in Microsoft Edge: again two VPN proxies, a browser guard, and an ad blocker.
Koi tracked the extensions back to Urban Cyber Security, which operates Urban VPN and is affiliated with BiScience, a data broker that has been tied to other instances of collecting browsing data and selling it through products like AdClarity and Clickstream OS, Dardikman wrote.
BiScience’s activities were documented by researchers with Secure Annex earlier this year.
“Our finding represents an expansion of this operation,” he wrote. “BiScience has moved from collecting browsing history to harvesting complete AI conversations – a significantly more sensitive category of data.”
BiScience discloses that it shares the data with third parties, though he wrote that the disclosure is “buried deep” in the extension’s privacy policy, adding that there are contradictions, such as the consent prompt saying AI monitoring is protective while the privacy policy reveals the data is sold for marketing.
Dardikman also questioned Google’s affixing the “Featured” badge to the extension.
“What makes this case notable isn’t just the scale – 8 million users – or the sensitivity of the data – complete AI conversations,” he wrote. “It’s that these extensions passed review, earned Featured badges, and remained live for months while harvesting some of the most personal data users generate online. The marketplaces designed to protect users instead gave these extensions their stamp of approval.”