Security researchers have uncovered a popular Chrome browser extension that was quietly capturing everything users typed into ChatGPT and other artificial intelligence tools, raising serious concerns about privacy and data misuse.
The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome, and was featured in th
e Chrome Web Store with a 6 million users. On the Microsoft Edge Add-ons marketplace, it has 1.3 million installations.
Analysts found that it was silently intercepting user inputs without explicit consent. According to investigators, text entered into AI chat interfaces, including prompts and responses, was being logged and potentially transmitted to third parties for unknown purposes.
Although the extension markets itself as a privacy tool that helps users “protect your online identity, stay protected, and hide your IP,” investigators found that a July 9, 2025 update quietly introduced a very different capability. Version 5.5.0 enabled AI chat data collection by default through hard coded settings, without clearly informing users or requiring opt in consent.
Researchers determined that the extension deploys custom JavaScript files tailored to specific AI platforms. The report suggests that Urban VPN Proxy targets conversations across ten AI platforms:
These scripts automatically activate whenever a user visits any of the supported AI services, allowing the extension to intercept conversations in real time.
Once injected, the code overrides core browser networking functions such as fetch and XMLHttpRequest. By inserting itself into these APIs, the extension ensures that all network traffic related to AI chats passes through its own logic first. This allows it to capture both user prompts and AI generated responses before forwarding the data onward.
Captured conversations are then transmitted to external analytics infrastructure controlled by the extension’s operator. Investigators traced the exfiltration endpoints to two remote servers used for tracking and data collection, raising serious concerns about how sensitive user interactions with AI tools were being harvested under the guise of online privacy protection.
“Chrome and Edge extensions auto-update by default,” Koi Security’s Idan Dardikman said in a report published. “Users who installed Urban VPN for its stated purpose – VPN functionality – woke up one day with new code silently harvesting their AI conversations.”
When you interact with the VPN, here’s what gets logged:
Cybersecurity analysts warn that browser extensions have broad access to content displayed and entered within the browser. It makes them a frequent attack vector for malicious actors. In this case, the extension abused granted permissions to monitor users’ interactions with AI applications, turning a trusted tool into a privacy threat.
In June 2025, Urban VPN updated their privacy policy as follows:
As part of the Browsing Data, we will collect the prompts and outputs quired [sic] by the End-User or generated by the AI chat provider, as applicable. Meaning, we are only interested in the AI prompt and the results of your interaction with the chat AI.
Due to the nature of the data involved in AI prompts, some sensitive personal information may be processed. However, the purpose of this processing is not to collect personal or identifiable data, we cannot fully guarantee the removal of all sensitive or personal information, we implement measures to filter out or eliminate any identifiers or personal data you may submit through the prompts and to de-identify and aggregate the data.
Urban VPN maintains that this data is collected for ” Safe Browsing and for marketing analytics purposes.” On its Chrome Web Store listing, Urban VPN also promotes an “AI protection” feature. The company says this tool scans prompts for personal information, checks chatbot responses for unsafe links, and warns users before they submit sensitive content or click on potentially risky links. On the surface, it sounds like a safeguard. The problem, according to researchers, is that this framing leaves out a critical detail. The data collection continues whether or not the protection feature is turned on.
Incidents like these are not unique: In 2025 alone, numerous campaigns have surfaced involving compromised and malicious extensions, particularly targeting Chrome users. Previous research has revealed that threat actors systematically hijacked seemingly legitimate Chrome and Edge extensions and transformed them into spyware or data collectors, sometimes after years on the extension marketplace.