Expel Warns of 'Prompt Poaching' Chrome Extensions That Steal AI Chat Conversations
Security firm Expel has uncovered a wave of malicious Chrome extensions that secretly monitor browser tabs for AI chatbot sessions and exfiltrate user prompts and responses to attacker-controlled servers.
Security firm Expel has warned of a growing threat from malicious Chrome extensions that secretly steal users' AI chatbot conversations, a technique the company has dubbed 'prompt poaching.' In a blog post published on March 24, Expel reported observing 'several dozen' incidents over the past month where seemingly legitimate browser extensions monitored open tabs for AI client sessions and exfiltrated both user prompts and AI responses via API interception or DOM scraping.
The extensions, once they detect an active AI chatbot session, collect the questions and answers and package them for transmission to an external server controlled by the extension's developers. This exposes sensitive data, intellectual property, and even credentials that users may inadvertently share with AI assistants. Expel identified two primary tactics used by attackers to distribute these malicious extensions.
The first tactic involves impersonating legitimate AI-related extensions. Examples include 'Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'Talk to ChatGPT' from a developer named AITOPIA. A report from December 2025 claimed that two such malicious extensions had amassed as many as 900,000 unwitting users. The second tactic is more insidious: attackers develop and market a legitimate extension, build a user base, and then insert malicious functionality via an update. Expel highlighted the 'Urban VPN Proxy' tool as an example of this approach.
The risks extend beyond simple privacy violations. Expel warned that these plugins open the door to identity theft, targeted phishing campaigns, and the sale of sensitive data on underground forums. For organizations, the consequences can be severe, including the exposure of intellectual property, customer data, and other confidential information. The stolen AI conversations can provide attackers with a treasure trove of business insights, strategic plans, and personal information.
To mitigate the risk, Expel recommends that businesses prohibit the downloading of AI-related browser extensions and centrally manage employee use of extensions through group policies or browser management consoles. Organizations should also suggest approved alternatives to reduce the likelihood of users installing potentially dangerous extensions, review extension permissions before installation, and run periodic audits to monitor browser processes for connections to unknown domains.
The emergence of prompt poaching highlights a new attack vector targeting the growing reliance on AI assistants in the workplace. As AI tools become more integrated into daily workflows, the data they process becomes increasingly valuable to attackers. This trend underscores the need for organizations to extend their security policies to cover AI interactions and to treat browser extensions with the same scrutiny as any other software deployment.