Microsoft Defender disclosed an active campaign: Chromium browser extensions impersonating legitimate AI assistant tools — including AITOPIA — harvesting LLM chat histories and browsing data from platforms like ChatGPT and DeepSeek. The campaign reached approximately 900,000 installations, with confirmed activity across more than 20,000 enterprise tenants.
The critical technical point: some agentic browsers automatically installed these malicious extensions without explicit user approval — because the names and descriptions appeared legitimate. Once installed, an extension gains full access to LLM chat history, including internal code, workflows, and strategic discussions the user assumed were private.
Blast radius: any enterprise that allows AI agents to autonomously manage browser extensions may be enabling those agents to expand their own attack surface. The 20,000-tenant figure reflects the organizational scale of the problem — this isn't a consumer incident.
Immediate recommendation: Define explicit allowlist policies for browser extensions in enterprise environments. Ensure AI agents cannot install extensions without explicit human approval. Review Microsoft Defender alerts for the campaign's IOC list.
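One way to check the allowlist recommendation on an endpoint, as an added example that is not part of Microsoft's disclosure: it tests whether a managed policy is default-deny and lists installed extensions whose ID is not allowlisted, matching on ID because display names in this campaign looked legitimate. Assumptions: the Chrome/Edge policy keys `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist`, the standard Chromium profile layout `Extensions/<id>/<version>/manifest.json`, hypothetical function names, and a placeholder extension ID.

```python
import json
import re
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def policy_is_default_deny(policy: dict) -> bool:
    """True when the managed policy blocks every extension not explicitly allowed."""
    return "*" in policy.get("ExtensionInstallBlocklist", [])

def allowed_ids(policy: dict) -> set:
    """Well-formed extension IDs from the policy allowlist; malformed entries are ignored."""
    return {i for i in policy.get("ExtensionInstallAllowlist", []) if EXT_ID.match(i)}

def installed_extensions(profile_dir: Path) -> dict:
    """Map extension ID -> manifest name for every extension unpacked in the profile."""
    found = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_dir in ext_root.iterdir():
        if not (ext_dir.is_dir() and EXT_ID.match(ext_dir.name)):
            continue
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                name = json.loads(manifest.read_text(encoding="utf-8-sig")).get("name", "?")
            except (OSError, ValueError, AttributeError):
                name = "<unreadable manifest>"
            found[ext_dir.name] = name
    return found

def audit(profile_dir, policy: dict) -> dict:
    """Report policy posture and every installed extension whose ID is not allowlisted."""
    installed = installed_extensions(Path(profile_dir))
    allow = allowed_ids(policy)
    return {
        "default_deny": policy_is_default_deny(policy),
        "unapproved": {i: n for i, n in sorted(installed.items()) if i not in allow},
    }

# Constructed sample policy; the ID is a placeholder, not a real extension.
SAMPLE_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["a" * 32],
}
```

An allowlist without the `"*"` blocklist entry reports `default_deny` as false, since unlisted extensions can still be installed.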