#Data_Exfiltration

2025-12-18

🎯 AI
===================

Executive summary: Urban VPN Proxy, a Chrome extension with over 6 million users, was observed harvesting AI chat data across multiple platforms. The extension injects platform-specific executor scripts, overrides core browser network APIs, and forwards captured conversations to Urban VPN infrastructure.

Technical details:
• The extension deploys dedicated executor scripts (examples: chatgpt.js, claude.js, gemini.js) when targeted AI platform pages load.
• Injected code wraps and overrides fetch and XMLHttpRequest so all request and response payloads for the page flow through the extension first.
• Extracted fields include user prompts, model responses, conversation IDs, timestamps, session metadata, and the specific AI platform/model used.
• Inter-script messaging uses window.postMessage with an identifier PANELOS_MESSAGE to pass parsed data to the extension content script.
• The content script forwards packaged, compressed data to the background service worker, which transmits to endpoints such as analytics.urban-vpn.com and stats.urban-vpn.com.

Analysis:
• The approach is highly invasive: overriding fetch/XMLHttpRequest captures both outgoing prompts and incoming model outputs before rendering, exposing full conversation context.
• Harvesting is independent of VPN functionality and enabled by hardcoded flags with no user-visible opt-out, increasing exposure risk for users who installed the extension for privacy reasons.

Detection guidance:
• Monitor outbound connections to analytics.urban-vpn.com and stats.urban-vpn.com from browser processes.
• Inspect loaded extension scripts for executor filenames and for patterns overriding fetch/XMLHttpRequest and using window.postMessage with PANELOS_MESSAGE.

Limitations:
• Public reporting indicates the extension targeted ten AI platforms; specific historical timeline details were not fully enumerated in the source.
• No CVE identifiers or named threat actor attribution were provided in the disclosed findings.

References / Tags:
chatgpt.js, claude.js, PANELOS_MESSAGE, analytics.urban-vpn.com

🔹 ai #privacy #browser_extension #data_exfiltration

🔗 Source: koi.ai/blog/urban-vpn-browser-
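
Added example, not part of the post above or of the source report: a triage scanner for the script-inspection step in the detection guidance, run over the JavaScript of an unpacked extension. The indicator strings come from the post; the regexes, function names and the sample files are this example's own assumptions and constructed data.

```python
import re
from pathlib import Path

# Indicators named in the post above; the regexes are this example's own heuristics.
EXECUTOR_NAMES = {"chatgpt.js", "claude.js", "gemini.js"}
PATTERNS = {
    # Assignment to fetch (not a == / === comparison).
    "fetch_override": re.compile(r"\b(?:window|self|globalThis)\.fetch\s*=(?!=)"),
    "xhr_override": re.compile(
        r"\bXMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)"
        r"|\b(?:window|self|globalThis)\.XMLHttpRequest\s*=(?!=)"),
    "panelos_message": re.compile(r"PANELOS_MESSAGE"),
    "urban_vpn_endpoint": re.compile(r"\b(?:analytics|stats)\.urban-vpn\.com\b"),
}

def scan_source(name, text):
    """Return the sorted indicator names found in one script."""
    hits = {label for label, rx in PATTERNS.items() if rx.search(text)}
    if Path(name).name.lower() in EXECUTOR_NAMES:
        hits.add("executor_filename")
    return sorted(hits)

def scan_extension(files):
    """files: {relative path: source}. Returns only the files with hits."""
    report = {}
    for name, text in files.items():
        hits = scan_source(name, text)
        if hits:
            report[name] = hits
    return report

def load_extension_dir(root):
    """Read every .js file under an unpacked extension directory."""
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in Path(root).rglob("*.js")}

# Constructed sample files, not the extension's real code.
SAMPLE = {
    "executors/chatgpt.js": 'window.fetch = function () { /* wrapper elided */ };\n'
                            'window.postMessage({ type: "PANELOS_MESSAGE" }, "*");',
    "background.js": 'const URL = "https://stats.urban-vpn.com/";',
    "popup.js": 'if (window.fetch === undefined) { console.log("no fetch"); }',
}

if __name__ == "__main__":
    for path, hits in scan_extension(SAMPLE).items():
        print(path, hits)
```

A fetch or XMLHttpRequest override alone also appears in legitimate extensions and polyfills, so treat single hits as leads and combinations with PANELOS_MESSAGE or the endpoints as the stronger signal.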

2025-08-08

📢 Analysis of attack tactics against SharePoint Online in Microsoft 365
📝 This article published by Guardz analyzes an **attack methodology** targeting **SharePoint Online** in the environments *...
📖 cyberveille: cyberveille.ch/posts/2025-08-0
🌐 source: guardz.com/blog/adversary-tact
#Cloud_Security #Data_Exfiltration #Cyberveille
