Microsoft published research this month documenting a growing wave of browser extensions built specifically to harvest AI chat conversations. This is not theoretical anymore. Between the Urban VPN incident (8 million users), the AITOPIA impersonator campaigns (900,000 users), and Microsoft's own findings on passive collection techniques, we now have enough data to understand exactly how these attacks work at a technical level.
Let's break down the actual techniques. If you understand the mechanics, you will be far better equipped to spot the warning signs before your data walks out the door.
Technique 1: Overriding Fetch and XMLHttpRequest
This is one of the most elegant and dangerous techniques in the attacker's playbook. Instead of scraping the page after content loads, the extension intercepts the data as it flows between your browser and the AI platform's servers.
Here is how it works. A content script injected into the AI chat page overwrites the browser's native fetch() and XMLHttpRequest functions with modified versions. The modified versions behave identically to the originals, passing requests and responses through normally, but they also copy the response data to a location the extension controls.
// Simplified example of a fetch override
const originalFetch = window.fetch;
window.fetch = async function(...args) {
const response = await originalFetch.apply(this, args);
const clone = response.clone();
clone.text().then(body => {
// Send intercepted data to extension background worker
window.postMessage({ type: 'intercepted', url: args[0], body: body }, '*');
});
return response;
};The user sees nothing unusual. ChatGPT or Claude loads and works perfectly. But every API response, which contains the full text of AI-generated replies and often the user's prompts, gets silently duplicated. The Urban VPN extension used a variation of this technique across eight different AI platforms. Because the extension was a legitimate VPN tool that actually worked, nobody questioned why it needed broad host permissions.
Technique 2: DOM Scraping of AI Chat Pages
DOM scraping is the more straightforward approach, and it is what the AITOPIA impersonator extensions relied on. The content script waits for the AI chat page to fully render, then queries the DOM for elements containing conversation text.
AI chat interfaces follow predictable HTML structures. Messages are rendered in container elements with consistent class names or data attributes. A content script can use document.querySelectorAll() to grab every message on the page, then use a MutationObserver to watch for new messages as the conversation continues.
// Simplified DOM scraping pattern
const observer = new MutationObserver(mutations => {
for (const mutation of mutations) {
mutation.addedNodes.forEach(node => {
if (node.nodeType === 1) {
const messages = node.querySelectorAll('[data-message-id]');
messages.forEach(msg => {
stageData(msg.textContent);
});
}
});
}
});
observer.observe(document.body, { childList: true, subtree: true });The AITOPIA extensions took this a step further. They also scraped authentication tokens from cookies and local storage on the AI platform domains. With your auth token, an attacker does not just get the conversation happening right now. They can access your entire chat history through the platform's API, including conversations from weeks or months before you ever installed the extension.
Technique 3: Data Staging in localStorage
This is the technique that Microsoft's March 2026 research focused on, and it is the hardest to detect. Rather than immediately sending stolen data to an external server, the extension stores it locally first.
The extension writes intercepted conversation data to localStorage or chrome.storage.local under innocuous-looking keys. Instead of a key named stolen_chats, you might see something like _ext_cache_v2 or analytics_buffer. The data is typically base64-encoded or lightly obfuscated to avoid detection during casual inspection.
Why stage locally instead of sending data immediately? Two reasons. First, it avoids triggering network anomaly detection. A single large POST request containing chat data to an unknown server is suspicious. Small periodic syncs that blend in with normal browsing traffic are not. Second, it allows the extension to batch and compress data before transmission, reducing the number of outbound requests and making each one look less unusual.
Microsoft's researchers found extensions that would accumulate data for hours or even days before transmitting. Some would only exfiltrate during periods of active browsing, piggybacking on the noise of legitimate network requests to stay hidden.
Technique 4: Scheduled Exfiltration to C2 Servers
Once data is staged, it needs to leave the browser. Malicious extensions use the background service worker (in Manifest V3) or a background page (in older Manifest V2 extensions) to handle this.
The exfiltration often disguises itself as legitimate traffic. Common patterns include:
- Fake analytics calls: Data is encoded into query parameters or POST bodies sent to domains that look like analytics services. A request to
metrics-cdn.example.com/collectdoes not raise alarms the way a request toevil-server.ru/uploadwould. - Image pixel requests: Chat data gets encoded into the URL of an image request. The "image" is a 1x1 pixel, and the server decodes the data from the URL parameters.
- WebSocket connections: Some extensions establish persistent WebSocket connections that blend in with the real-time connections AI chat platforms already use.
The C2 (command and control) server on the receiving end can also push instructions back to the extension, telling it which platforms to target, what data to collect, or when to go dormant to avoid detection during security audits.
Technique 5: Selective Content Script Activation
Sophisticated malicious extensions do not activate their data collection on every page. They specifically target AI platform URLs and stay completely dormant everywhere else. This is a deliberate design choice to avoid detection.
In the extension's manifest.json, the content script declaration targets specific URL patterns:
"content_scripts": [{
"matches": [
"https://chat.openai.com/*",
"https://claude.ai/*",
"https://gemini.google.com/*",
"https://copilot.microsoft.com/*"
],
"js": ["content.js"]
}]Some extensions go even further, using programmatic injection through chrome.scripting.executeScript() so that the targeting logic lives in the background worker and never appears in the manifest at all. The manifest might request broad permissions, but the actual injection only happens on AI chat pages. This makes static analysis of the manifest alone insufficient for detection.
How AI Chat Shield's 6-Factor Scoring Catches Each Pattern
AI Chat Shield was built to detect these specific techniques. Its multi-factor scoring system evaluates extensions across six dimensions, and each of the techniques described above triggers one or more of these factors.
Factor 1: Permission Scope Analysis
The fetch/XMLHttpRequest override technique requires broad host permissions. An extension cannot override fetch() on ChatGPT's domain without permission to inject scripts there. AI Chat Shield flags extensions that request <all_urls> or specific AI platform host permissions, especially when those permissions do not align with the extension's stated purpose.
Factor 2: Content Script Targeting
The selective activation technique is actually a double-edged sword for attackers. Yes, it helps them avoid detection by traditional tools, but it also creates a clear signal. AI Chat Shield specifically examines whether an extension's content scripts target AI platform URLs. A VPN extension with content scripts on chat.openai.com is an immediate red flag.
Factor 3: Known Malicious Signatures
The fetch override and DOM scraping patterns have recognizable code structures. AI Chat Shield maintains a signature database that identifies these patterns, including variations that use obfuscation to disguise the underlying logic. The AITOPIA extensions used minified and variable-renamed versions of these patterns, but the structural signatures remained detectable.
Factor 4: Network Request Monitoring
The scheduled exfiltration technique generates network requests from the extension's context while the user is on AI chat pages. AI Chat Shield monitors these requests in real time, evaluating their destinations, payload sizes, and timing patterns. Requests to unfamiliar domains carrying encoded payloads trigger a significant score increase.
Factor 5: DOM Access Behavior
DOM scraping creates specific, detectable access patterns. Reading message container elements, attaching MutationObservers to chat feeds, and copying text content from conversation nodes are all behaviors that AI Chat Shield's scoring engine recognizes. These patterns are distinct from benign DOM interactions like applying themes or adjusting layouts.
Factor 6: Behavioral Change Detection
The localStorage staging technique often appears after an extension update. An extension that previously had no storage activity on AI chat pages suddenly starts writing data to localStorage after an update. AI Chat Shield tracks behavioral baselines for each extension and flags deviations, catching the "legitimate-to-malicious pipeline" that the Urban VPN case exemplified.
Three Permission Flags That Signal Potential AI Chat Interception
You do not need specialized tools to perform a first-pass check on your extensions. These three permission patterns in an extension's manifest are strong indicators of potential AI chat interception capability:
<all_urls>or broad host permissions with content script injection. If an extension can inject scripts into any page you visit, it can inject scripts into AI chat pages. This is the foundational permission that makes every other technique possible. Ask yourself whether the extension genuinely needs access to every website. A grammar checker might. A calculator app does not.webRequestordeclarativeNetRequestcombined with AI platform URL patterns. These permissions let an extension monitor, modify, or redirect network traffic. When combined with access to AI chat domains, they enable the fetch interception and exfiltration techniques described above. This combination is particularly concerning when the extension has no obvious reason to interact with network requests on those domains.storagepermission alongside content script access to AI domains. The storage permission by itself is harmless. Most extensions use it for settings and preferences. But when combined with content scripts that run on AI chat pages, it enables the data staging technique. The extension can read your conversations through DOM scraping and cache them in storage before exfiltrating later. Look for this combination especially in extensions that do not obviously need to store data from AI platforms.
How to Inspect Extension Content Scripts Yourself
You can verify what an extension is actually doing on your machine right now. Here is the process:
- Open Developer Mode. Navigate to
chrome://extensionsin your browser and toggle "Developer mode" on using the switch in the top-right corner. - Find the extension's directory. Each extension now shows an ID string (a long sequence of letters). Click "Details" on the extension you want to inspect, and note the ID. On Windows, extension files live in
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\[extension-id]. On macOS, check~/Library/Application Support/Google/Chrome/Default/Extensions/[extension-id]. - Read the manifest.json. Open the extension's folder and read
manifest.json. Look for thecontent_scriptssection. This tells you exactly which URLs the extension injects scripts into. If you see AI platform URLs listed here and the extension has nothing to do with AI, that is a problem. - Examine the content scripts. Open the JavaScript files listed in the content scripts section. Look for patterns like
window.fetch =,XMLHttpRequest.prototype,MutationObserver,document.querySelectorAlltargeting message elements, and any calls tolocalStorage.setItemorchrome.storage. These are the building blocks of the interception techniques covered in this article. - Check the background worker. Open the service worker file listed in the manifest. Look for outbound network requests using
fetch()that send data to external domains. Pay attention to any base64 encoding, URL parameter construction with large payloads, or WebSocket connections.
This process takes about ten minutes per extension. For most people, that is practical for their three to five most critical extensions but not for a full audit of everything installed. That is where automated tools fill the gap.
Automated Protection: Why Manual Inspection Is Not Enough
Manual inspection can tell you what an extension looks like at a single point in time. It cannot tell you what happens after the next update. The Urban VPN extension passed manual inspection for months before its behavior changed. The AITOPIA extensions were functional AI tools with clean-looking code that happened to also steal everything you typed.
The March 2026 Microsoft research specifically highlighted that passive collection techniques are designed to evade one-time audits. The data staging approach, where stolen data sits in localStorage for hours or days before exfiltration, means that even monitoring network traffic during a brief inspection window will miss the actual data theft.
AI Chat Shield runs continuously. It scores every extension on your system across all six factors, monitors for behavioral changes after updates, and alerts you when an extension's risk profile shifts. It caught patterns matching the Urban VPN technique within seconds of analyzing extensions with similar permission and content script configurations. If you use AI chat tools for anything sensitive, whether that is business strategy, code, client data, or personal matters, continuous automated monitoring is the realistic path to staying protected.
"The extensions that steal your AI conversations are the ones that work perfectly. They do exactly what they promise, and quietly do one more thing you never agreed to."
The techniques in this article are not edge cases. They have been deployed against millions of real users across multiple campaigns in the past four months alone. Understanding them is the first step. Acting on that understanding, whether through manual audits, automated scanning with AI Chat Shield, or both, is what actually keeps your conversations private.