A SecurityWeek report dated 27 January 2026 reveals that 16 browser extensions have been created to steal ChatGPT sessions and have been published on the official Chrome Web Store and Microsoft Edge Add-ons marketplace. Marketed as ChatGPT enhancement and productivity tools, the extensions have a combined download count of over 900 and were still available on the marketplaces as of 26 January, according to LayerX.
The extensions are designed to intercept users’ ChatGPT session authentication tokens by injecting a content script into chatgpt[.]com and executing in the MAIN JavaScript world, then exfiltrating the tokens and related data to a remote server. This enables the operator to authenticate to ChatGPT services with the victim’s active session and access history chats and connectors, with LayerX noting that the data also supports persistent access and behavioural profiling.
Based on shared code and branding cues, LayerX says a single threat actor is behind all 16 extensions, emphasising that such techniques can evade traditional endpoint or network security controls.