
Chrome extension disguised as AI assistant exposes 10K+ users' OpenAI API keys

2026/01/29 21:00

A Chrome browser extension posing as an artificial intelligence assistant is siphoning OpenAI credentials from more than 10,000 users and sending them to third-party servers. 

Cybersecurity platform Obsidian has identified a browser extension called H-Chat Assistant that reportedly masquerades as a tool that connects people to OpenAI’s chatbot services.

The researchers claim it secretly harvested OpenAI API keys and transmitted user data to external servers, putting users' account security and data privacy at risk. It had exfiltrated at least 459 unique API keys to a Telegram channel controlled by hackers months before its discovery.

Chrome extension poses privacy and security risks to OpenAI users

According to Obsidian Security, the software was initially released under the name ChatGPT Extension before being rebranded as H-Chat Assistant. Users who installed the extension were asked to supply their own OpenAI API key to activate chatbot features. 

After receiving the key, the extension largely functioned as advertised, enabling conversations with AI models directly in the browser. That apparent legitimacy convinced users to trust the tool, but according to the security analysis team, there were hidden data flows in the background.

“Although these extensions are not actively exfiltrating API keys, user prompts and other data are being quietly sent to third-party/external servers. Several of the extensions impersonate ChatGPT, creating a false sense of trust that conversations and data are only being transmitted to OpenAI,” the analysts explained.

However, Obsidian said the actual theft takes place when a user deletes a chat or chooses to log out of the application. At that moment, the key is transmitted using hardcoded Telegram bot credentials embedded in the extension’s code.

H-Chat Assistant was also requesting read and write permissions for Google’s services, which investigators believe could expose data stored in victims’ Google Drive accounts. 
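The two signals described above, hardcoded Telegram bot credentials in the extension's code and Google access requested in its manifest, can be checked statically when an unpacked extension is reviewed. The following is an added example, not code from Obsidian or from the extension; the sample files, the placeholder token and the rule names are constructed, and the Google markers assume access is declared through the manifest's permissions, host_permissions or oauth2 scopes.

```python
import json
import re

# Telegram bot tokens have the shape "<numeric bot id>:<35 URL-safe characters>".
BOT_TOKEN = re.compile(r"(?<!\d)(\d{8,10}):[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
GOOGLE_MARKERS = ("googleapis.com", "google.com")


def audit_extension(files):
    """files maps relative path -> text. Returns sorted (path, rule, detail) tuples."""
    findings = set()
    for path, text in files.items():
        if path.endswith("manifest.json"):
            manifest = json.loads(text)
            grants = (manifest.get("permissions", [])
                      + manifest.get("host_permissions", [])
                      + manifest.get("oauth2", {}).get("scopes", []))
            for grant in grants:
                if any(marker in grant for marker in GOOGLE_MARKERS):
                    findings.add((path, "google-access", grant))
            continue
        for match in BOT_TOKEN.finditer(text):
            # Report the bot id only, so the report never repeats the secret part.
            findings.add((path, "telegram-bot-token", "bot id " + match.group(1)))
        if TELEGRAM_API.search(text):
            findings.add((path, "telegram-api-endpoint", "api.telegram.org/bot"))
    return sorted(findings)


# Constructed sample, not taken from the real extension.
FAKE_TOKEN = "000000000:" + "X" * 35
SAMPLE = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example AI Assistant",
        "permissions": ["storage", "identity"],
        "host_permissions": ["https://api.openai.com/*"],
        "oauth2": {"client_id": "placeholder",
                   "scopes": ["https://www.googleapis.com/auth/drive"]},
    }),
    "background.js": 'const BOT = "' + FAKE_TOKEN + '";\n'
                     'const API = "https://api.telegram.org/bot" + BOT;\n',
    "popup.js": 'fetch("https://api.openai.com/v1/chat/completions");\n',
}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE):
        print(*finding, sep="  ")
```

The OpenAI call in popup.js produces no finding, since that traffic is what the extension advertises; the findings are the Telegram destination and the Google scope, neither of which a chatbot front end needs.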

Obsidian’s security researchers believe the malicious activity began in July 2024 and went unnoticed for months, while users continued installing and using the tool. On January 13, 2025, they discovered the activity and reported it to OpenAI through disclosure channels. 

That same day, OpenAI revoked the compromised API keys to curb the app’s misuse. Even after the disclosure and revocations, the extension was still available in the Chrome Web Store, according to Obsidian’s report.

H-Chat Assistant is part of a malicious toolset 

At least 16 Chrome extensions promising AI-related productivity enhancements appear to share the same developer fingerprints. These tools are believed to have been built by a single threat actor who is harvesting credentials and session data. 

According to findings cited by researchers, the 16 extensions’ downloads were relatively low, totaling about 900 installations. Still, analysts say the tactic is concerning because of its scalability and the popularity of AI add-ons on browsers.

“GPT Optimizers are popular, and there are enough highly-rated, legitimate ones on the Chrome Web Store that people could easily miss any warning signs. One of the variants has a featured logo that states it follows recommended practices for Chrome extensions,” LayerX Security consultant Natalie Zargarov wrote in a report published on Monday.

Zargarov added that these extensions require a deep integration with authenticated web applications to launch a “materially expanded browser attack surface.” The malicious extensions exploit weaknesses in web-based authentication processes used by ChatGPT-related services.

“Of the 16 identified extensions in this campaign, 15 were distributed through the Chrome Web Store, while one extension was published via the Microsoft Edge Add-ons marketplace,” the researcher explained.

Extension sends metadata and client identifiers, researcher finds

In her analysis, the LayerX consultant found that the extensions were sending more information than just API keys. The extension transmitted extension metadata, including version details, language settings, and client identifiers.

It also sent usage telemetry, event data, and backend-issued access tokens tied to the extension’s services. These combined data points enable attackers to expand token privileges, track users in sessions, and build behavioral profiles. 

Zargarov noted that downloads were small compared with GhostPoster, which surpassed 830,000 installations, and Roly Poly VPN, which exceeded 31,000. Still, she cautioned that AI-focused tools could quickly surge in popularity. 

“It just takes one iteration for a malicious extension to become popular. We believe that GPT optimizers will soon become as popular as (not more than) VPN extensions,” she wrote.

