Researchers: Popular Chrome VPN extension collected AI chatbot prompts and responses

Security researchers reported that the Chrome extension Urban VPN Proxy was observed silently collecting every prompt entered into several AI-powered chatbots, along with the chatbots’ responses, according to an analysis published by Koi Security. The extension, which is listed on the Chrome Web Store, has a reported 4.7 rating and, counting the publisher’s other listings, millions of users; its listing on the Microsoft Edge Add-ons marketplace shows about 1.3 million installations on that platform.

The behavior was introduced in an update released July 9, 2025, when the extension’s version 5.5.0 allegedly activated AI data harvesting by default, researchers said. According to the report, a tailored executor JavaScript injects per-platform scripts (for example, chatgpt.js and claude.js), overrides the page’s fetch() and XMLHttpRequest calls, captures the conversation data passing through them, and exfiltrates it to remote endpoints.
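As an added illustration from the defender’s side (not code from Koi Security’s report or from the extension), the following page-side audit checks whether the network APIs named in the report still look like the browser’s own implementations; the expected name/length values are the standard browser ones and the sample page objects are constructed for the demonstration.

```javascript
// Added example, not code from the report or the extension. It audits the
// APIs the report says were overridden (fetch, XMLHttpRequest) and flags two
// tampering patterns:
//  1. a plain JavaScript replacement, which does not stringify as native code;
//  2. a bound native function, which does stringify as native code but whose
//     .name becomes "bound <name>" and whose .length may change.
// Limits: a Proxy around the real function passes both checks, and
// Function.prototype.toString can itself be patched, so treat a finding as a
// signal for investigation, not as proof.

const NATIVE_SOURCE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// Browser-spec name/length of the genuine APIs (assumed defaults for a page).
const NETWORK_API_EXPECTATIONS = {
  'fetch': { name: 'fetch', length: 1 },
  'XMLHttpRequest.prototype.open': { name: 'open', length: 2 },
  'XMLHttpRequest.prototype.send': { name: 'send', length: 0 },
};

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" from a root.
function lookup(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// True when fn stringifies the way an unmodified native function does.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_SOURCE.test(Function.prototype.toString.call(fn));
}

// Returns human-readable findings; an empty list means nothing suspicious was
// seen for the APIs that exist in `root` (absent APIs are skipped).
function auditNetworkApis(root, expectations = NETWORK_API_EXPECTATIONS) {
  const findings = [];
  for (const [path, expected] of Object.entries(expectations)) {
    const fn = lookup(root, path);
    if (fn === undefined) continue;
    if (!looksNative(fn)) {
      findings.push(`${path}: replaced by a non-native function`);
    } else if (fn.name !== expected.name || fn.length !== expected.length) {
      findings.push(`${path}: native-looking but name/length changed to ${fn.name}/${fn.length}`);
    }
  }
  return findings;
}

// Constructed sample: a page object whose fetch was swapped for a JS wrapper.
const tamperedPage = { fetch: function fetch(input, init) { return null; } };
```

In a real page the call is `auditNetworkApis(window)`; run it early in document load, before any injected content script has had a chance to patch the APIs.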

Researchers said the captured data includes the user-entered prompts, chatbot responses, conversation identifiers and timestamps, session metadata, and the AI platform and model used. The report also names two domains to which the data was sent; the full analysis and technical details are in the researchers’ report.

The extension’s updated privacy policy dated June 25, 2025, states the company collects such browsing and AI interaction data to support features described as Safe Browsing and for marketing analytics, and asserts that other uses will be carried out on de-identified and aggregated data while acknowledging that sensitive personal information may be processed.

Those findings raised questions about downstream sharing. The publisher is listed in business records as Urban Cyber Security Inc, and the company is linked to an ad intelligence firm named BIScience, which the researchers said receives web browsing data that can be used commercially. An earlier critique by an anonymous researcher accused BIScience of collecting clickstream data under misleading disclosures, and other reporting outlines how an SDK was used to transmit data to third-party endpoints.

Koi Security also reported finding identical AI-harvesting functionality in three other extensions from the same publisher, bringing the combined install base to more than eight million, and noted that most of these extensions display a “Featured” badge. Observers said such badges can give users the impression of an endorsement.

Researchers and independent reporting have underscored growing use of AI chatbots for personal matters and advice, which increases the sensitivity of interaction data, and the researchers warned that marketplace trust markers can be abused to amass sensitive data at scale.