PromptSnatcher: The Adblockers That Were Reading Every AI Conversation You Had
- Patrick Duggan
- 46 minutes ago
The same week JetBrains pulled fifteen plugins stealing AI API keys from developer IDEs, two Chrome extensions with a combined 100,000 users were caught doing something narrower but in some ways more invasive: reading every AI conversation you had. Not the API key. The actual conversation.
The campaign is being tracked as PromptSnatcher. The delivery mechanism was two adblocker extensions — Smart Adblocker (100,000 users, published October 2022) and Adblock for Browser (10,000 users, published August 2023) — that used legitimate filter lists as functional cover while a separate interception engine captured everything typed into and returned from ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
What was captured
The extensions built a custom interception layer that sat between the browser and the AI platform interfaces. When a user typed a prompt, the extension captured it. When the model responded, the extension captured that too. The exfiltrated data included the full conversation history, the model the user was running, and the subscription tier on the account — which tells the attacker not just what was discussed but what the user paid for and what capabilities they had access to.
The adblocker function worked correctly. EasyList and IDCAC (I Don't Care About Cookies) filter lists were bundled and applied normally. A user installing Smart Adblocker to block ads would have found it blocked ads, while a separate process in the extension read their Claude conversations.
Why this is different from a key theft
The JetBrains campaign we wrote about separately targeted AI API keys — the credential that lets someone run inference on your dime. PromptSnatcher targeted the conversations themselves. That distinction matters.
An API key can be rotated. A conversation cannot be unshared. If you used an AI assistant to review a legal document, draft acquisition terms, debug proprietary code, discuss a medical situation, or write anything you considered private — and you had one of these extensions installed — that conversation was transmitted to the attacker's infrastructure. There is no remediation step that undoes that. Rotation does not apply. The only question is what was done with the data.
The extension IDs are iojpcjjdfhlcbgjnpngcmaojmlokmeii (Smart Adblocker) and jcbjcocinigpbgfpnhlpagidbmlngnnn (Adblock for Browser). Both are indexed in our corpus as of this morning.
The pattern this fits
Two campaigns disclosed within days of each other, both targeting AI tooling, both using legitimate-appearing utilities as cover. The JetBrains plugins functioned as AI coding assistants. The Chrome extensions functioned as adblockers. In both cases the legitimate function was real — the malicious function ran alongside it, invisible.
This is a maturation of supply chain tactics applied specifically to the AI layer. Prior campaigns (Mastra npm, Phantom Gyp, Shai-Hulud) targeted the infrastructure AI agents depend on. These two campaigns target the human side of AI use: the keys developers type into their tools, and the conversations users have with their AI assistants. The attack surface has moved from the build system to the developer's hands to the conversation itself.
The subscription tier data captured by PromptSnatcher is worth dwelling on. Knowing a target has a Claude Pro or ChatGPT Plus subscription tells an attacker that this is a heavy AI user — someone who relies on it for real work. That user's conversation history is likely to contain more sensitive material than a casual user's. The campaign was not indiscriminate; it was fishing for people who use AI for things that matter.
What to do
Check your Chrome extensions for Smart Adblocker and Adblock for Browser by the IDs above. If either was installed, the conversation history from every AI platform you used while they were active should be considered exfiltrated. The appropriate response depends on what you discussed: at minimum, review the scope and notify anyone whose information appeared in those conversations.
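One way to run that check across every Chrome profile on a machine, as an added example that is not part of the original post or any vendor tooling. It assumes the standard Google Chrome user-data locations and on-disk profile layout (an `Extensions/<id>` folder plus the `Preferences` and `Secure Preferences` JSON files); the function names are illustrative, and other Chromium browsers need their own path passed as the first argument.

```python
import json
import os
import sys
from pathlib import Path

# Extension IDs exactly as given in the post.
FLAGGED = {
    "iojpcjjdfhlcbgjnpngcmaojmlokmeii": "Smart Adblocker",
    "jcbjcocinigpbgfpnhlpagidbmlngnnn": "Adblock for Browser",
}

def default_user_data_dir():
    """Standard Google Chrome user-data directory for this OS (assumed layout)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = os.environ.get("LOCALAPPDATA", home / "AppData/Local")
        return Path(local) / "Google/Chrome/User Data"
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome"
    return home / ".config/google-chrome"

def find_flagged(user_data_dir):
    """Return sorted (profile, extension id, name, evidence) tuples."""
    root, hits = Path(user_data_dir), set()
    if not root.is_dir():
        return []
    for profile in (p for p in root.iterdir() if p.is_dir()):
        # 1. Extension files on disk: <profile>/Extensions/<id>/<version>/
        for ext_id, name in FLAGGED.items():
            if (profile / "Extensions" / ext_id).is_dir():
                hits.add((profile.name, ext_id, name, "Extensions dir"))
        # 2. Registration entries under extensions.settings in the pref files.
        for pref in ("Preferences", "Secure Preferences"):
            try:
                data = json.loads((profile / pref).read_text(encoding="utf-8"))
                registered = data.get("extensions", {}).get("settings", {}).keys()
            except (OSError, ValueError, AttributeError):
                continue  # file missing, unreadable, or not the expected shape
            for ext_id in FLAGGED.keys() & registered:
                hits.add((profile.name, ext_id, FLAGGED[ext_id], pref))
    return sorted(hits)

if __name__ == "__main__":
    base = Path(sys.argv[1]) if len(sys.argv) > 1 else default_user_data_dir()
    found = find_flagged(base)
    for profile, ext_id, name, evidence in found:
        print(f"{profile}: {name} ({ext_id}) found via {evidence}")
    sys.exit(1 if found else 0)
```

A clean result only shows the extensions are not present in those profiles now; it says nothing about whether one was installed earlier and since removed.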
For forward posture: treat browser extensions as having the same access model as installed software. An extension that can read any webpage can read your AI conversations. The number of people running privacy-conscious adblockers while simultaneously having detailed conversations with AI assistants about sensitive topics is large enough to make this a viable target. The attacker apparently agreed.
We are at 95 percent on the attribution to this specific campaign. Who operated it and what was done with the conversation data remain uncharacterized.
