Microsoft published research this month documenting a growing wave of browser extensions built specifically to harvest AI chat conversations. This is not theoretical anymore. Between the Urban VPN incident (8 million users), the AITOPIA impersonator campaigns (900,000 users), and Microsoft's own findings on passive collection techniques, we now have enough data to understand exactly how these attacks work at a technical level.

Let's break down the actual techniques. If you understand the mechanics, you will be far better equipped to spot the warning signs before your data walks out the door.

Technique 1: Overriding Fetch and XMLHttpRequest

This is one of the most elegant and dangerous techniques in the attacker's playbook. Instead of scraping the page after content loads, the extension intercepts the data as it flows between your browser and the AI platform's servers.

Here is how it works. A content script injected into the AI chat page overwrites the browser's native fetch() and XMLHttpRequest functions with modified versions. The modified versions behave identically to the originals, passing requests and responses through normally, but they also copy the response data to a location the extension controls.

// Simplified example of a fetch override
const originalFetch = window.fetch;
window.fetch = async function(...args) {
    const response = await originalFetch.apply(this, args);
    const clone = response.clone();
    clone.text().then(body => {
        // Send intercepted data to extension background worker
        window.postMessage({ type: 'intercepted', url: args[0], body: body }, '*');
    });
    return response;
};

The user sees nothing unusual. ChatGPT or Claude loads and works perfectly. But every API response, which contains the full text of AI-generated replies and often the user's prompts, gets silently duplicated. The Urban VPN extension used a variation of this technique across eight different AI platforms. Because the extension was a legitimate VPN tool that actually worked, nobody questioned why it needed broad host permissions.

Technique 2: DOM Scraping of AI Chat Pages

DOM scraping is the more straightforward approach, and it is what the AITOPIA impersonator extensions relied on. The content script waits for the AI chat page to fully render, then queries the DOM for elements containing conversation text.

AI chat interfaces follow predictable HTML structures. Messages are rendered in container elements with consistent class names or data attributes. A content script can use document.querySelectorAll() to grab every message on the page, then use a MutationObserver to watch for new messages as the conversation continues.

// Simplified DOM scraping pattern
const observer = new MutationObserver(mutations => {
    for (const mutation of mutations) {
        mutation.addedNodes.forEach(node => {
            if (node.nodeType === 1) {
                const messages = node.querySelectorAll('[data-message-id]');
                messages.forEach(msg => {
                    stageData(msg.textContent);
                });
            }
        });
    }
});
observer.observe(document.body, { childList: true, subtree: true });

The AITOPIA extensions took this a step further. They also scraped authentication tokens from cookies and local storage on the AI platform domains. With your auth token, an attacker does not just get the conversation happening right now. They can access your entire chat history through the platform's API, including conversations from weeks or months before you ever installed the extension.

Technique 3: Data Staging in localStorage

This is the technique that Microsoft's March 2026 research focused on, and it is the hardest to detect. Rather than immediately sending stolen data to an external server, the extension stores it locally first.

The extension writes intercepted conversation data to localStorage or chrome.storage.local under innocuous-looking keys. Instead of a key named stolen_chats, you might see something like _ext_cache_v2 or analytics_buffer. The data is typically base64-encoded or lightly obfuscated to avoid detection during casual inspection.

Why stage locally instead of sending data immediately? Two reasons. First, it avoids triggering network anomaly detection. A single large POST request containing chat data to an unknown server is suspicious. Small periodic syncs that blend in with normal browsing traffic are not. Second, it allows the extension to batch and compress data before transmission, reducing the number of outbound requests and making each one look less unusual.

Microsoft's researchers found extensions that would accumulate data for hours or even days before transmitting. Some would only exfiltrate during periods of active browsing, piggybacking on the noise of legitimate network requests to stay hidden.

Technique 4: Scheduled Exfiltration to C2 Servers

Once data is staged, it needs to leave the browser. Malicious extensions use the background service worker (in Manifest V3) or a background page (in older Manifest V2 extensions) to handle this.

The exfiltration often disguises itself as legitimate traffic. Common patterns include:

The C2 (command and control) server on the receiving end can also push instructions back to the extension, telling it which platforms to target, what data to collect, or when to go dormant to avoid detection during security audits.

Technique 5: Selective Content Script Activation

Sophisticated malicious extensions do not activate their data collection on every page. They specifically target AI platform URLs and stay completely dormant everywhere else. This is a deliberate design choice to avoid detection.

In the extension's manifest.json, the content script declaration targets specific URL patterns:

"content_scripts": [{
    "matches": [
        "https://chat.openai.com/*",
        "https://claude.ai/*",
        "https://gemini.google.com/*",
        "https://copilot.microsoft.com/*"
    ],
    "js": ["content.js"]
}]

Some extensions go even further, using programmatic injection through chrome.scripting.executeScript() so that the targeting logic lives in the background worker and never appears in the manifest at all. The manifest might request broad permissions, but the actual injection only happens on AI chat pages. This makes static analysis of the manifest alone insufficient for detection.

How AI Chat Shield Prioritizes a First-Pass Review

AI Chat Shield does not inspect another extension's source code or runtime traffic. It uses the metadata Chrome exposes through the management API to calculate a five-factor capability-exposure score. That score can point you toward extensions that deserve manual or runtime investigation; it cannot confirm the techniques described above.

Factor 1: Permission Scope Analysis

Broad host permissions such as <all_urls> score higher than narrow access. Broad access does not prove injection or collection, but it increases the possible blast radius.

Factor 2: AI-Site Host Access

The scanner distinguishes host permissions that explicitly name supported AI domains from wildcards that cover every site. Chrome's management API does not reveal the full content-script declaration, so this factor is deliberately described as host access rather than observed injection.

Factor 3: Request and External Access

Declared permissions such as webRequest, declarativeNetRequest, proxy control, and native messaging can influence requests or connect the extension to other software. AI Chat Shield scores those declarations; it does not inspect destinations, payloads, or timing.

Factor 4: Sensitive Browser Access

History, cookies, downloads, clipboard, debugger, page-modification, extension-management, and identity permissions are grouped into readable categories. Multiple high-impact categories raise the review priority.

Factor 5: Install Source

Chrome reports whether an extension was installed normally, by an administrator, in development mode, or through a sideload path. This context is not a reputation score, but development and sideloaded installations deserve additional verification.

Three Permission Flags That Signal Potential AI Chat Interception

You do not need specialized tools to perform a first-pass check on your extensions. These three permission combinations deserve review because they expand what an extension could do:

  1. <all_urls> or broad host permissions with content script injection. If an extension can inject scripts into any page you visit, it can inject scripts into AI chat pages. This is the foundational permission that makes every other technique possible. Ask yourself whether the extension genuinely needs access to every website. A grammar checker might. A calculator app does not.
  2. webRequest, webRequestBlocking, or declarativeNetRequest combined with AI platform access. Depending on the API and granted host access, these permissions can observe, block, redirect, or modify requests. They deserve scrutiny when request handling is unrelated to the extension's purpose.
  3. Sensitive browser data or external bridges combined with broad access. Cookies, history, clipboard, debugger, native messaging, and identity permissions have legitimate uses, but the combination should make sense for the product you installed.

How to Inspect Extension Content Scripts Yourself

You can verify what an extension is actually doing on your machine right now. Here is the process:

  1. Open Developer Mode. Navigate to chrome://extensions in your browser and toggle "Developer mode" on using the switch in the top-right corner.
  2. Find the extension's directory. Each extension now shows an ID string (a long sequence of letters). Click "Details" on the extension you want to inspect, and note the ID. On Windows, extension files live in %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\[extension-id]. On macOS, check ~/Library/Application Support/Google/Chrome/Default/Extensions/[extension-id].
  3. Read the manifest.json. Open the extension's folder and read manifest.json. Look for the content_scripts section. This tells you exactly which URLs the extension injects scripts into. If you see AI platform URLs listed here and the extension has nothing to do with AI, that is a problem.
  4. Examine the content scripts. Open the JavaScript files listed in the content scripts section. Look for patterns like window.fetch =, XMLHttpRequest.prototype, MutationObserver, document.querySelectorAll targeting message elements, and any calls to localStorage.setItem or chrome.storage. These are the building blocks of the interception techniques covered in this article.
  5. Check the background worker. Open the service worker file listed in the manifest. Look for outbound network requests using fetch() that send data to external domains. Pay attention to any base64 encoding, URL parameter construction with large payloads, or WebSocket connections.

This process takes about ten minutes per extension. For most people, that is practical for their three to five highest-exposure extensions but not for everything installed. A permission audit can help choose where to start.

Why Capability Review and Runtime Evidence Are Different

Manual inspection can tell you what an extension looks like at a single point in time. It cannot tell you what happens after the next update. The Urban VPN extension passed manual inspection for months before its behavior changed. The AITOPIA extensions were functional AI tools with clean-looking code that happened to also steal everything you typed.

The March 2026 Microsoft research specifically highlighted that passive collection techniques are designed to evade one-time audits. The data staging approach, where stolen data sits in localStorage for hours or days before exfiltration, means that even monitoring network traffic during a brief inspection window will miss the actual data theft.

AI Chat Shield automates the capability review. It scores declared access across five implemented factors, rescans after install, enable, disable, or removal events, and lets you rerun the scan after an update. It does not detect code signatures, DOM reads, network exfiltration, or behavioral changes. Those require source analysis, managed-browser telemetry, endpoint controls, or a dedicated runtime product.

"The extensions that steal your AI conversations are the ones that work perfectly. They do exactly what they promise, and quietly do one more thing you never agreed to."


The techniques in this article have been deployed against millions of users across documented 2025 and 2026 campaigns. Understanding them is the first step. A practical defense combines extension minimization, permission review, manual inspection of high-exposure tools, and runtime controls where sensitive work justifies them.

Related Reading