Skip to content
Security & Trust

PromptSnatcher Malware Steals AI Chatbot Conversations in Real Time. Your Claude and ChatGPT Sessions Are Being Exfiltrated.

A new malware family harvests complete conversation histories from Claude, ChatGPT, Gemini, Copilot, and Perplexity by hooking browser API calls. Unlike keyloggers, PromptSnatcher captures the AI's responses too — including code reviews, security analyses, and strategic recommendations. The intellectual property loss is exponential.

· 5 min read
Share on X LinkedIn
PromptSnatcher Malware Steals AI Chatbot Conversations in Real Time. Your Claude and ChatGPT Sessions Are Being Exfiltrated.

Beyond Keylogging: Stealing the AI's Answers

PromptSnatcher is a new malware family documented by multiple security researchers in June 2026. Unlike traditional keyloggers that capture what users type, PromptSnatcher hooks browser API calls to intercept complete AI chatbot conversations — including the AI's responses. When a developer asks Claude Code to review a security architecture, PromptSnatcher captures the developer's question and Claude's detailed analysis of every vulnerability. When a CTO discusses acquisition strategy with ChatGPT, PromptSnatcher captures both the question and GPT's strategic recommendations.

The malware targets Claude (claude.ai), ChatGPT, Gemini, Microsoft Copilot, and Perplexity. It operates by monitoring WebSocket connections and API response streams in the browser, capturing the full bidirectional conversation. The exfiltrated data is sent to command-and-control infrastructure disguised as analytics telemetry. Because AI conversations often contain synthesized analysis rather than raw data, a single exfiltrated conversation can reveal more about an organization's strategy, vulnerabilities, and decision-making than months of traditional surveillance.

Claude, ChatGPT, Gemini, Copilot, Perplexity
Targeted platforms
Full conversation capture including AI responses.
Browser API hooks + WebSocket interception
Exfiltration method
Disguised as analytics telemetry.
Exponential vs keyloggers
Data exposure multiplier
AI responses synthesize analysis, code, and strategy beyond raw input.

Why AI Conversations Are Higher-Value Targets

A traditional keylogger on a developer's machine captures code they type, passwords they enter, and messages they send. A PromptSnatcher on the same machine captures those same inputs plus: the AI's analysis of the code's security vulnerabilities, the AI's suggestions for architectural improvements, the AI's generation of database schemas and API designs, and the AI's responses to questions about production infrastructure. The AI acts as an intellectual property amplifier — it takes the developer's partial knowledge and generates comprehensive documentation that an attacker could not have obtained through keylogging alone.

For enterprises using AI assistants for sensitive work — legal analysis, financial modeling, security auditing, competitive intelligence — PromptSnatcher represents a new category of data loss. The conversations are not just records of what was discussed. They are executable intelligence: code that works, strategies that are complete, analyses that identify specific weaknesses. An adversary with a PromptSnatcher deployment gains a real-time feed of their target's most sophisticated analytical work.

Defense Architecture

The defense against PromptSnatcher maps directly to web infrastructure decisions. Enterprise AI deployments accessed through managed browsers with endpoint detection (CrowdStrike, SentinelOne) can detect the API hooking behavior. AI APIs accessed through server-side code (FastAPI calling Claude's API directly) never expose conversations to the browser at all — there is nothing for PromptSnatcher to hook. Browser-based AI access through unmanaged devices with no endpoint protection is the maximum exposure scenario.

The framework-level implication: organizations building AI-powered features should use server-side API integration, not client-side browser-based AI chat. A FastAPI application calling Claude's API stores conversations in server-side logs with access controls, encryption, and audit trails. A web page embedding a chatbot widget processes conversations in the browser where PromptSnatcher can intercept them. The architecture that treats AI as a server-side capability is inherently more defensible than the architecture that treats AI as a browser feature.

Share this insight