ExporTheft: 11 exporters where Export means Upload
14-07-2026 Analysis of the AI Chat Exporter extension family (Neo Cortex LLC)
Extensions list : https://malext.io/?q=ExporTheft
Platform Indicators
| Field | Value |
|---|---|
| Extension ID | dhjbkabkopajddjinfdlooppcajoclag |
| Extension Name | AI Chat Exporter - ChatGPT, Claude, Gemini & DeepSeek to PDF |
| Developer | Neo Cortex LLC (neocortexai[.]in) |
| Total Affected Users | ~5512 |
| Store Link | hxxps://chromewebstore[.]google[.]com/detail/ai-chat-exporter-export-a/dhjbkabkopajddjinfdlooppcajoclag |
| Version Analyzed | 1.1.2 |
| Backend | hxxps://ai-chat-exporter-api-792277256340[.]northamerica-south1[.]run[.]app |
| GCP Project | 792277256340 |
Campaign: 11 extensions, one codebase. Each is a per-platform rebrand with its own backend of the form ai-chat-exporter-api-<suffix>792277256340[.]northamerica-south1[.]run[.]app.
| Extension ID | Name | Ver | Backend suffix | <all_urls> |
|---|---|---|---|---|
| dhjbkabkopajddjinfdlooppcajoclag | AI Chat Exporter (main / multi) | 1.1.2 | (base, no suffix) | YES |
| poboebmiaakclneagfgfmbakpgcgdfii | ChatGPT to PDF | 1.0.7 | -chatgpt- | no |
| ndnjjjppaaiclfjlnopmnimhhiikkppk | Claude to PDF | 1.0.8 | -claude- | no |
| mmgbhlbbnlpcndmhgnghhembmincbibd | Gemini to PDF | 1.0.6 | -gemini- | no |
| lhgbhgflgoedbhlfbghcikonigcgiibo | Google AI Studio to PDF | 1.0.8 | -google-ai-studio- | no |
| ecmcbpjdknbbcfbohfcjjilgkgclgdbc | DeepSeek to PDF | 1.0.8 | -deepseek- | no |
| dpeabmlbmhjbokfijjcpcebgkgkjknkm | Venice AI to PDF | 1.0.8 | -venice- | no |
| djjnbpcgmddpabfghdolkifccdplpfkc | Grok to PDF | 1.0.10 | -grok- | no |
| ejhhhokbkmlibaeoepkohaflgaohpmeg | GitHub Copilot to PDF | 1.0.8 | -github-copilot- | no |
| nghpoklfiggkdemkmgllkaaiemggmdao | Microsoft Copilot to PDF | 1.0.8 | -microsoft-copilot- | no |
| imicnaojoabefckkfhailgkllodbnjjf | Perplexity Chat Exporter | 1.0.8 | -perplexity- | no |
Eleven Chrome extensions share one "AI Chat Exporter" codebase, each branded for a different AI platform and advertised as a private, on-device tool for saving AI chats as PDF, Markdown, Text, or JSON. In the versions tested, the default PDF export uploads the full conversation to the developer's server instead of building the file locally, the "local" text exports send the chat title and page URL to the same server, and every request carries a tracking ID that persists across the user's devices. None of this is shown to the user at export time. The findings below are the author's observations from the specific versions listed; this report does not claim to know the developer's intent or allege any law was broken (see Disclaimer).
Bundle structure
A plain (non-minified) MV3 bundle. The parts that matter:
- Content scripts that read the conversation from each AI site (content/shared.js and per-platform files).
- Local exporters for Markdown / Text / JSON and a fallback in-browser PDF renderer.
- The telemetry layer (services/subscriptionService.js) and the background worker (background.js) that send data to the backend.
Advertised functionality
The extension reads the on-screen conversation and can save it as Markdown, Text, or JSON in the browser. It offers optional cloud upload to Google Drive, Dropbox, Notion, and Yandex, each behind an OAuth prompt, and a paid tier with a daily export limit via Stripe. This is a normal fit for an "export my chats" tool.
Undisclosed behavior: conversation content sent to the backend
PDF export uploads the whole chat. In content/shared.js, genericExportToPDF copies the full conversation into one HTML document and hands it to the background worker (action: 'generate_pdf'). background.js handleGeneratePdf (line 367) POSTs it to /api/pdf-html via SubscriptionService.generatePdf (services/subscriptionService.js:285). The server render is tried first; the in-browser render is only a fallback. During export the UI shows only a "Generating High-Performance PDF..." toast, with no indication the chat leaves the device.
A request captured in a local sandbox with a test Gemini account matched this exactly: the upload held the full test conversation plus the page URL and conversation ID (hxxps://gemini[.]google[.]com/app/dfd5e810168342dc?hl=fr). The capture is retained as an exhibit.
A full local PDF renderer is bundled but used only as a fallback. The extension already ships everything needed to build the PDF on the device: lib/html2pdf.bundle.min.js (a ~906 KB bundled library) loaded by content/renderer.html, driven by content/renderer.js in an isolated iframe. In genericExportToPDF this local path runs only inside the catch block, after the server upload is attempted and only if it throws (content/shared.js:868-878). There is no setting to prefer local rendering and no opt-out; the server upload is attempted unconditionally on every PDF export. In other words, on-device generation is fully possible with code the extension already contains, so uploading the conversation is a design choice rather than a technical requirement.
"Local" exports also send data. recordExport (services/subscriptionService.js:256) sends POST /api/usage with the title, filename, format, and source URL on each Markdown/Text/JSON export. A source comment notes its errors are hidden "to prevent extension error badges."
A persistent ID is attached to every request. Requests carry an X-Client-ID header, a UUID generated once and saved via chrome.storage.sync (services/subscriptionService.js:15-27). Because the code uses the sync API rather than storage.local, Chrome automatically propagates this ID to every other desktop or laptop where the user is signed into the same Chrome profile. The same identifier therefore rides along with exports from any of the user's machines, which lets the backend link them into a single cross-device profile of that user's chat exports. The server keeps a per-ID export history (GET/DELETE /api/history).
Broad permission (main variant only). The main extension (dhjbka...) also requests <all_urls> and includes a fetch proxy (background.js:201) that can send requests to any URL with the user's cookies (line 207). The author did not see this used for the upload behavior above and notes it as a present but unused capability. The other ten variants do not request <all_urls>.
In the author's view this matters because AI chats can contain sensitive material (credentials, source code, personal, medical, or legal information), and a user selecting "export" may not realize the conversation is sent to a server.


Why the consent framing does not matter
There is no export-time consent prompt in the tested versions. The only disclosure is the privacy policy, which does not match the observed behavior:
- Policy: PDF generation is "processed in-memory and never stored." It never says where. Observed: the chat is sent to the server. (The author can't verify the server-side "never stored" claim and takes no position on it.)
- Policy: standard exports are "processed entirely inside your browser." Observed: they also send the
/api/usagerequest. - Policy: export metadata "does NOT include chat content." Observed: the title is auto-generated from the user's first message, so it can contain conversation text.
- Policy: the Client ID is "stored locally." Observed: it is stored in Chrome sync and sent to the server on every request.
Whether these gaps break Chrome Web Store rules is for Google and the developer to decide.
Infrastructure
*-792277256340[.]northamerica-south1[.]run[.]app: eleven Cloud Run backends, one per extension, all under Google Cloud project 792277256340. Endpoints seen:/api/pdf-html(receives the chat HTML),/api/usage(export beacon),/api/subscription,/api/quota,/api/checkout,/api/activate-license,/api/history.- neocortexai[.]in: developer site and support contact.
- Optional, OAuth-gated cloud upload uses googleapis[.]com (Drive), content.dropboxapi[.]com (Dropbox), api.notion[.]com (Notion), cloud-api.yandex[.]net (Yandex). These are opt-in and not part of the behavior above.
- The shared code and shared project number strongly indicate a common origin; this is inferred from technical indicators, not from any ownership record.
MITRE ATT&CK mapping
These map the observed technique to ATT&CK for SOC triage. They describe how the behavior works, not the developer's intent.
| Tactic | Technique | How it maps |
|---|---|---|
| Collection | T1119 Automated Collection | genericExportToPDF reads the full conversation DOM into one document on each export (content/shared.js). |
| Exfiltration | T1567 Exfiltration Over Web Service | The conversation HTML is POSTed to the /api/pdf-html Cloud Run endpoint; export metadata is sent to /api/usage. |
| Collection | T1185 Browser Session Hijacking | Main variant only: the background fetch proxy can issue requests with credentials: 'include' (background.js:207), reusing the user's active session. Noted as a present capability; not observed in the upload path. |
Two notes on ID choice for teams cross-referencing: T1567 (Exfiltration Over Web Service) fits better than T1041 (Exfiltration Over C2 Channel) because the destination is an ordinary HTTPS web API on Cloud Run, not a bespoke command-and-control channel. And T1185 fits the fetch-proxy capability better than T1539 (Steal Web Session Cookie), because the code attaches existing cookies to outbound requests rather than reading or stealing cookie values (it cannot read HttpOnly cookies via fetch).
Detection and network defense
Egress to any of the eleven backends is a high-confidence indicator, since the hostname pattern is used only by this extension family.
Hostname regex (matches the no-suffix main host and all per-platform variants):
^ai-chat-exporter-api-([a-z-]+-)?792277256340\.northamerica-south1\.run\.app$
Note: the leading ai-chat-exporter-api- and the - before the project number are both literal in every observed host (e.g. ai-chat-exporter-api-792277256340... and ai-chat-exporter-api-chatgpt-792277256340...), so the optional group must carry its own trailing hyphen as above. A pattern that omits the hyphen before 792277256340 will not match any live host.
Suricata (TLS SNI; defanged, refang [.] to . and pick a non-colliding sid before use):
alert tls any any -> any any (msg:"ExporTheft AI chat exporter backend egress"; \
tls.sni; content:"ai-chat-exporter-api"; startswith; \
content:"792277256340[.]northamerica-south1[.]run[.]app"; \
classtype:policy-violation; sid:1000001; rev:1;)
DNS/proxy blocklist (exact hosts, defanged; refang [.] to . before use):
ai-chat-exporter-api-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-chatgpt-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-claude-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-gemini-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-google-ai-studio-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-deepseek-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-venice-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-grok-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-github-copilot-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-microsoft-copilot-792277256340[.]northamerica-south1[.]run[.]app
ai-chat-exporter-api-perplexity-792277256340[.]northamerica-south1[.]run[.]app
Extension-ID blocklist for managed Chrome (ExtensionInstallBlocklist): the eleven IDs in the table above.
Summary
Eleven Chrome extensions sharing one "AI Chat Exporter" codebase present as on-device chat exporters. In the versions tested, the default PDF export was observed to send full conversation content to Cloud Run backends run on the extensions' behalf, "local" exports were observed to send the chat title and source URL, and each request carried a synced tracking ID. The author observed no export-time notice, and the published privacy policy does not state that chat content is sent off the device. Findings are limited to the tested versions and are the author's technical observations and opinion, not a legal conclusion.
Disclaimer
This report is for security-research and responsible-disclosure purposes. It reflects good-faith analysis of publicly available extension code and of network traffic generated on the author's own device and test accounts, for the specific versions and date listed. Factual statements are anchored to the cited source files and a retained request capture and are reproducible from them. Statements about risk or significance are the author's opinion. This report does not state what the developer intended, does not accuse anyone of a crime, and does not assert that any law or contract was broken. Company and product names are used only for identification. The author has no relationship with the developer and will review specific, documented corrections. This is not legal advice.
Research by Jean-Marie R. (Toborrm9) | Malicious Extension Sentry Project | July 14, 2026