Popular Chrome Extension with Over 6 Million Installs Captures User Inputs to AI Chatbots

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A widely trusted Chrome extension with more than 6 million users has been discovered secretly collecting and selling conversations from major AI platforms.

Urban VPN Proxy, which carries Google’s “Featured” badge indicating it passed manual review for quality standards, contains hidden code designed to intercept and exfiltrate AI conversations.

The extension presents itself as a privacy and security tool while simultaneously harvesting sensitive information from users interacting with ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.

The discovery reveals how browser extensions can exploit their privileged access to bypass normal security boundaries. Users who installed this extension for its stated VPN functionality unknowingly granted it permission to monitor their most personal digital conversations.

The malware operates independently from the VPN service, meaning data collection continues whether the VPN is connected or disabled.

This represents a significant breach of user trust, as the extension was featured on Google’s official marketplace and earned a 4.7-star rating from thousands of reviews.

Extension’s configuration (Source – Koi)

Koi researchers noted that the harmful code was introduced through a silent update in July 2025, specifically version 5.5.0. Users who installed the extension before this date never saw any warning about the new data collection capability.

The harvesting processes every prompt sent to AI services and captures complete responses, conversation identifiers, timestamps, and session metadata.

Script injection (Source – Koi)

All extracted information flows to Urban VPN’s servers at analytics.urban-vpn.com and stats.urban-vpn.com, where it gets sold for marketing analytics purposes through connections to BiScience, an established data broker company.

The scope of the threat extends far beyond Urban VPN Proxy itself. Seven additional extensions from the same publisher contain identical harvesting code, collectively affecting over 8 million users across Chrome and Microsoft Edge.

Featured by Google (Source – Koi)

These extensions operate under different product names like 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, yet all funnel collected data through the same surveillance infrastructure.

The Technical Mechanism Behind Data Harvesting

The extension’s data collection follows a sophisticated four-step process that demonstrates how deeply malicious code can integrate with browser functionality.

When users visit any targeted AI platform, the extension injects dedicated executor scripts onto the pages. For ChatGPT, it uses chatgpt.js; for Claude, it uses claude.js; for Gemini, it uses gemini.js.

These injected scripts then override the fundamental browser APIs that handle network traffic.

Specifically, they wrap the fetch() and XMLHttpRequest functions, intercepting every network request and response before the browser even displays the information to users.

This technique ensures the extension captures raw API data containing complete conversations, which it parses to extract prompts, responses, identifiers, and metadata.

The collected information gets packaged and forwarded through window.postMessage to the extension’s content script using the identifier PANELOS_MESSAGE.

Finally, the background service worker compresses this data and transmits it to Urban VPN’s external servers.

The deceptive part involves the extension’s stated “AI protection” feature, which suggests it monitors conversations to warn users about accidentally sharing sensitive information.

However, this protection runs completely independently from the harvesting functionality, and toggling it on or off has no effect on whether conversations are captured and sold to third parties.
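The fetch()/XMLHttpRequest wrapping and the PANELOS_MESSAGE relay described above can be checked for from the page's own context (for example the DevTools console on an AI chat page). The following is an added example, not code from the extension or from Koi's report; the function names, the recursive search of the message payload (the real message layout is not given here) and the constructed test scope are assumptions.

```javascript
const MARKER = "PANELOS_MESSAGE"; // message identifier named in the article

// Built-ins stringify as "function name() { [native code] }"; a plain
// JavaScript wrapper stringifies as its own source text.
function looksNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Return the names of network entry points in `scope` that were replaced.
// A clean result is not proof of absence: a wrapper can disguise itself.
function auditNetworkHooks(scope) {
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  const targets = [
    ["fetch", scope.fetch],
    ["XMLHttpRequest.prototype.open", xhr && xhr.open],
    ["XMLHttpRequest.prototype.send", xhr && xhr.send],
  ];
  return targets
    .filter(([, fn]) => fn !== undefined && !looksNative(fn))
    .map(([name]) => name);
}

// True if a postMessage payload mentions the marker in any key or string
// value. Assumption: the message layout is unknown, so search broadly.
function carriesMarker(data, depth = 0) {
  if (typeof data === "string") return data.includes(MARKER);
  if (data === null || typeof data !== "object" || depth > 4) return false;
  return Object.entries(data).some(
    ([key, value]) => key.includes(MARKER) || carriesMarker(value, depth + 1));
}

// Constructed stand-in for a page whose fetch() was wrapped (Math.max and
// Array.prototype.push play the role of untouched native functions).
const constructedHookedScope = {
  fetch: function (...args) { return Math.max(...args); },
  XMLHttpRequest: { prototype: { open: Array.prototype.push, send: Array.prototype.push } },
};

// In a browser, audit the live page and watch for relay messages.
if (typeof window !== "undefined") {
  console.warn("replaced network APIs:", auditNetworkHooks(window));
  window.addEventListener("message", (event) => {
    if (carriesMarker(event.data)) console.warn("relay message seen:", event.origin);
  });
} else {
  console.log(auditNetworkHooks(constructedHookedScope));
}
```

Legitimate monitoring scripts also wrap fetch(), so a reported hook is a lead for reviewing installed extensions, not a verdict on its own.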
