A pair of popular browser extensions masquerading as legitimate ad blockers were caught red-handed intercepting sensitive artificial intelligence prompts and user metadata, security researchers revealed on June 13, 2026. The discovery, detailed in a report by cybersecurity firm MalExt Sentry, exposes a stealthy operation that funneled private conversations with AI tools—including queries, responses, and account identifiers—to unknown servers without user consent.
The offending extensions, identified as Smart Adblocker and Adblock for Browser, had been available on major extension repositories including the Chrome Web Store and Firefox Add-ons. Combined, they had amassed over 2.5 million active users at the time of takedown, and those users unwittingly exposed a treasure trove of intellectual property, personal information, and proprietary data every time they interacted with services like ChatGPT, Google Bard, or enterprise AI dashboards.
How the Malicious Extensions Operated
MalExt Sentry’s technical analysis reveals a sophisticated injection mechanism that remained dormant until users accessed a known AI chat interface. Upon activation, the extensions silently injected a content script that hooked into the DOM, capturing every keystroke and server response in real time. This included not only the text of prompts and completions but also metadata such as timestamps, session cookies, user emails, and in some cases, API tokens stored in local storage.
All captured data was base64-encoded and transmitted in chunks to a command-and-control server hosted behind a bulletproof CDN, making tracking and takedown difficult. The exfiltration occurred over standard HTTPS requests, often disguised as telemetry or domain blocklist updates, a common communication pattern for ad blockers that allowed the malicious traffic to blend in seamlessly.
Investigators dubbed the campaign "PromptSnatcher" after finding a debug string in the obfuscated codebase that referenced the term alongside a version number (v2.1.4). The extensions employed anti-debugging tricks and delayed execution to evade automated review processes in the Chrome Web Store and Mozilla’s add-on review system.
Scope of the Data Breach
While the exact scale of stolen data remains unclear, MalExt Sentry estimates that over 180 million individual prompt-and-response pairs were harvested during the campaign’s active period, which dates back to at least February 2026. The exposed metadata could readily link these conversations to specific user identities, enabling targeted phishing, corporate espionage, or credential-stuffing attacks.
Particularly alarming is the theft of API tokens and session cookies. With these credentials, threat actors could impersonate victims to access paid AI services, potentially racking up charges or exfiltrating even more data from connected cloud storage and SaaS apps. Enterprise users relying on browser-based AI integrations for sensitive workflows—such as legal document review, code generation, or medical data analysis—face the most severe long-term risks.
Extension Store Responses and User Recommendations
Within hours of receiving MalExt Sentry’s disclosure, both Google and Mozilla removed Smart Adblocker and Adblock for Browser from their official stores. Mozilla’s add-on team also triggered a forcible removal from all Firefox installations where the extensions were active, a rare and aggressive mitigation indicating the severity of the threat. Google issued a targeted Chrome update that automatically disabled the extensions and prompted users to remove them.
MalExt Sentry urges anyone who installed either extension to immediately change passwords on any AI service accessed while the extension was active, revoke all API tokens, and monitor accounts for unusual activity. For enterprise administrators, the report recommends deploying endpoint detection tools to scan for residual artifacts and implementing group policies to block future installations of unvetted add-ons.
The Broader Context: Extension Supply Chain Risks
This incident underscores a troubling vulnerability in the browser extension ecosystem. Legitimate ad blockers rely on broad permissions to inspect and modify network requests, making them an ideal disguise for data-harvesting malware. Even when reviews catch malicious code, extensions can be updated silently through an auto-update mechanism, potentially transforming a clean install into a trojan horse overnight.
Security experts have long warned about the over-permissive nature of extension APIs. Chrome’s Manifest V3, designed in part to curtail such abuse, limits network request modification and background scripting—yet these latest breaches demonstrate that determined attackers can still find creative bypasses. The extensions in question used declarative net request rules to conceal their exfiltration while also injecting content scripts that fell within current content security policy boundaries.
What Users Should Do Now
Beyond the immediate remediation steps, this event offers critical lessons for everyday AI users:
- Audit your extensions regularly. Remove any extension that requests excessive permissions, especially access to data on all websites or the ability to read and change your browsing history.
- Prefer native AI apps or an isolated browser profile. Accessing AI tools through a dedicated desktop app or a separate browser profile without extensions significantly reduces the attack surface.
- Scrutinize extension developers. Check the publisher’s history and reviews. Both Smart Adblocker and Adblock for Browser came from relatively new developer accounts with sparse histories—a red flag in hindsight.
- Leverage enterprise policies. Organizations should enforce an allowlist of vetted extensions and use tools like Microsoft Edge’s extension management via Group Policy or Chrome Browser Cloud Management.
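As an added example (not from the MalExt Sentry report or either extension), the audit in the first bullet can be scripted against each installed extension's manifest.json: the function below flags all-site host access, review-worthy API permissions, and content scripts whose match patterns reach AI chat pages. The hostnames in AI_HOSTS and the sample manifest are assumptions constructed for illustration.

```python
# Assumption: hostnames for the AI services the article names; extend as needed.
AI_HOSTS = ("chatgpt.com", "chat.openai.com", "bard.google.com", "gemini.google.com")
# Manifest API permissions worth a second look during an audit.
REVIEW_PERMS = {"history", "cookies", "webRequest", "declarativeNetRequest"}

def host_of(pattern):
    """Host part of a match pattern such as https://*.example.com/*."""
    return pattern.split("://", 1)[-1].split("/", 1)[0]

def is_site_wide(pattern):
    return pattern == "<all_urls>" or host_of(pattern) == "*"

def covers_ai_host(pattern):
    """True if the pattern would let a script run on one of AI_HOSTS."""
    if is_site_wide(pattern):
        return True
    host = host_of(pattern)
    if host.startswith("*."):
        base = host[2:]
        return any(h == base or h.endswith("." + base) for h in AI_HOSTS)
    return host in AI_HOSTS

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json (MV2 or MV3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = {"permission: " + p for p in perms & REVIEW_PERMS}
    if any(is_site_wide(h) for h in hosts):
        findings.add("host access: all websites")
    for script in manifest.get("content_scripts", []):
        if any(covers_ai_host(m) for m in script.get("matches", [])):
            findings.add("content script on AI chat pages: " + ",".join(script.get("js", [])))
    return sorted(findings)

# Constructed sample manifest, not taken from either extension in the article.
SAMPLE = {
    "manifest_version": 3,
    "permissions": ["declarativeNetRequest", "storage", "history"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["https://chatgpt.com/*", "*://*.google.com/*"], "js": ["inject.js"]},
        {"matches": ["https://example.org/*"], "js": ["cosmetic.js"]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

Findings are prompts for manual review rather than verdicts, since legitimate ad blockers request many of the same permissions.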
Industry Response and Future Safeguards
The security community has responded with calls for mandatory code obfuscation limits and real-time behavioral monitoring in extension stores. MalExt Sentry’s report includes recommendations for store operators: require extensions to submit complete source code, implement canary-update detection systems, and offer users a way to view a human-readable diff of extension updates before accepting them.
Mozilla acknowledged the incident in a blog post, stating it is accelerating its adoption of an updated review system that uses machine learning to flag suspicious network patterns before an extension goes live. Google, for its part, said it is investing in automated dynamic analysis that simulates user behaviors to catch data exfiltration in testing environments—though no timeline was provided.
The Long Shadow of PromptSnatcher
The PromptSnatcher campaign will likely influence how both individuals and enterprises approach browser-based AI interactions. As AI becomes a daily productivity tool, the privacy of prompts—often containing proprietary business data, personal reflections, or creative works—must be treated with the same rigor as email and cloud storage.
For now, the millions of affected users are left to wonder where their data ended up and who might be reading their conversations. MalExt Sentry says it has shared indicators of compromise with law enforcement and major threat intelligence platforms, though attribution remains elusive. The infrastructure used in the campaign was rented from a reseller with weak identity checks, and the perpetrators took advantage of privacy-focused domain registrars to obscure ownership.
What’s certain is that the line between utility and espionage has never been thinner. As one MalExt Sentry analyst put it: “When an ad blocker steals your AI prompts, it’s not blocking ads—it’s blocking your privacy.”