Hey everyone, I saw this report on Hacker News, about a pretty serious privacy breach involving the Urban VPN Proxy browser extension and several other extensions from the same publisher.

According to the research:

• The extensions inject hidden scripts into AI chat services (like ChatGPT, Claude, Gemini, etc.) and intercept every prompt and response.

• This captured data - including conversation content, timestamps, and session metadata - is sent back to Urban VPN’s servers, even if the VPN is turned off.

• Users can’t opt out of this collection; the only way to stop it is to uninstall the extension.

• The feature was silently added via an auto-update in July 2025, so many users may not have realized anything changed.

• Total installs across affected extensions exceed 8 million.

What’s especially concerning is that Urban VPN advertises an “AI protection” feature, but that doesn’t prevent data harvesting - the extension just warns you about sharing data while quietly exfiltrating it.

If you’ve ever used this extension and chatted with an AI, it’s worth uninstalling it and treating those interactions as compromised.

Link to the report:
https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection

Would love to hear thoughts on this.