🎯 AI
===================

Executive summary: Urban VPN Proxy, a Chrome extension with over 6 million users, was observed harvesting AI chat data across multiple platforms. The extension injects platform-specific executor scripts, overrides core browser network APIs, and forwards captured conversations to Urban VPN infrastructure.

Technical details:
• The extension deploys dedicated executor scripts (examples: chatgpt.js, claude.js, gemini.js) when targeted AI platform pages load.
• Injected code wraps and overrides fetch and XMLHttpRequest so all request and response payloads for the page flow through the extension first.
• Extracted fields include user prompts, model responses, conversation IDs, timestamps, session metadata, and the specific AI platform/model used.
• Inter-script messaging uses window.postMessage with an identifier PANELOS_MESSAGE to pass parsed data to the extension content script.
• The content script forwards packaged, compressed data to the background service worker, which transmits to endpoints such as analytics.urban-vpn.com and stats.urban-vpn.com.

Analysis:
• The approach is highly invasive: overriding fetch/XMLHttpRequest captures both outgoing prompts and incoming model outputs before rendering, exposing full conversation context.
• Harvesting is independent of VPN functionality and enabled by hardcoded flags with no user-visible opt-out, increasing exposure risk for users who installed the extension for privacy reasons.

Detection guidance:
• Monitor outbound connections to analytics.urban-vpn.com and stats.urban-vpn.com from browser processes.
• Inspect loaded extension scripts for executor filenames and for patterns overriding fetch/XMLHttpRequest and using window.postMessage with PANELOS_MESSAGE.

Limitations:
• Public reporting indicates the extension targeted ten AI platforms; specific historical timeline details were not fully enumerated in the source.
• No CVE identifiers or named threat actor attribution were provided in the disclosed findings.

References / Tags:
chatgpt.js, claude.js, PANELOS_MESSAGE, analytics.urban-vpn.com

🔹 ai #privacy #browser_extension #data_exfiltration

🔗 Source: https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection

8 Million Users' AI Conversations Sold for Profit by "Privacy" Extensions

Privacy browser extensions misled users and sold 8 million AI chat logs, exposing sensitive conversations for profit without consent.
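The script inspection described under "Detection guidance" in the post above, as an added example that is not part of the original post or the source write-up. The indicator strings and executor filenames come from the post; the function names, the regexes for fetch/XMLHttpRequest overrides, and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the post above.
EXECUTOR_NAMES = {"chatgpt.js", "claude.js", "gemini.js"}
STRING_IOCS = ("PANELOS_MESSAGE", "analytics.urban-vpn.com", "stats.urban-vpn.com")
# Heuristic regexes (assumption): assignments that replace the page's network APIs.
HOOK_PATTERNS = {
    "fetch-override": re.compile(r"\b(?:window|globalThis|self)\.fetch\s*=(?!=)"),
    "xhr-override": re.compile(
        r"\bXMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)"
        r"|\b(?:window|globalThis|self)\.XMLHttpRequest\s*=(?!=)"),
}

def scan_extension(root):
    """Return {relative_path: sorted indicator labels} for each .js file with hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = set()
        if path.name.lower() in EXECUTOR_NAMES:
            hits.add("executor-filename")
        hits.update(f"string:{s}" for s in STRING_IOCS if s in text)
        hits.update(label for label, rx in HOOK_PATTERNS.items() if rx.search(text))
        if hits:
            findings[path.relative_to(root).as_posix()] = sorted(hits)
    return findings

def is_suspicious(findings):
    """True only when an API override and a post-specific indicator co-occur."""
    labels = {label for hits in findings.values() for label in hits}
    hooked = bool(labels & set(HOOK_PATTERNS))
    specific = any(l == "executor-filename" or l.startswith("string:") for l in labels)
    return hooked and specific

def build_sample(root):
    """Write a constructed extension tree for testing (not the real extension's code)."""
    root = Path(root)
    (root / "executors").mkdir(parents=True)
    (root / "executors" / "chatgpt.js").write_text(
        "window.fetch = wrapped;\nwindow.postMessage({type: 'PANELOS_MESSAGE'}, '*');\n")
    (root / "background.js").write_text("const EP = 'https://stats.urban-vpn.com/';\n")
    # Comparison, not assignment: must not be flagged as an override.
    (root / "ui.js").write_text("if (window.fetch === undefined) { console.log('no fetch'); }\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(scan_extension(build_sample(d)))
```

Point `scan_extension` at an unpacked extension directory; minified or obfuscated code can evade the override regexes, so the string indicators and filenames are the more reliable signals.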

📢 Analysis of attack tactics on SharePoint Online in Microsoft 365
📝 This article published by Guardz analyzes an **attack methodology** targeting **SharePoint Online** in the environments *...
📖 cyberveille: https://cyberveille.ch/posts/2025-08-07-analyse-des-tactiques-d-attaque-sur-sharepoint-online-dans-microsoft-365/
🌐 source: https://guardz.com/blog/adversary-tactics-and-exploitation-paths-in-sharepoint-online/
#Cloud_Security #Data_Exfiltration #Cyberveille

Ransomware Attacks Focus on Data Exfiltration Over Encryption - RedPacket Security

Ransomware actors are largely eschewing encryption, focusing instead on exfiltrating data. This trend is highlighted by a report from ReliaQuest, indicating

RedPacket Security
Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach - RedPacket Security

The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor,

Russian Coldriver Hackers Deploy Malware to Target Western Officials - RedPacket Security

Russian threat group Coldriver has expanded its targeting of Western officials with the use of malware to steal sensitive data, Google’s Threat Analysis Group
