Malicious Chrome Extensions Exploit Affiliate Links and Harvest ChatGPT Credentials, Researchers Warn

Cybersecurity analysts are raising alarms after uncovering a widespread network of malicious browser extensions on the Google Chrome Web Store that covertly manipulate affiliate links, siphon sensitive browsing data, and steal authentication tokens linked to OpenAI’s ChatGPT service.

Affiliate Fraud Hidden Behind Useful Features

One of the most prominent examples is an extension called Amazon Ads Blocker, published in January 2026 by an entity using the name “10Xprofit.” Marketed as a tool to remove sponsored listings from Amazon, the extension does perform basic ad blocking. However, investigators found that its core purpose lies elsewhere.

According to security researchers, the add-on silently injects the developer’s own affiliate identifier into every Amazon product URL a user visits. In doing so, it replaces existing affiliate codes embedded by bloggers, reviewers, and social media creators—effectively diverting commissions without the user’s knowledge.

Further investigation revealed that this extension is just one component of a much larger ecosystem. At least 29 related Chrome extensions were identified, many of them branded as shopping utilities, seller tools, or image search helpers. These add-ons target major e-commerce platforms including Amazon, AliExpress, Walmart, Best Buy, Shein, and Shopify.

Policy Violations and Misleading Disclosures

Google’s Chrome Web Store policies require transparency when affiliate programs are used. Extensions must clearly explain how links are modified, require explicit user interaction, and are prohibited from overwriting existing affiliate tags. Researchers found that the identified extensions violate all three requirements.

The public descriptions often framed the tools as coupon or deal helpers that generate “small commissions,” while the underlying code automatically altered links in the background. Analysts described this mismatch as deceptive, noting that users never meaningfully consented to how the extensions operated.

In several cases, the extensions also bundled unrelated functions—such as ad blocking combined with affiliate injection—contravening Google’s “single-purpose” design rules.

Data Exfiltration and Manipulative Tactics

Beyond affiliate abuse, some of the extensions were observed collecting product and browsing data and transmitting it to external servers controlled by the operators. Add-ons focused on AliExpress reportedly displayed fake countdown timers and “limited-time deal” banners to pressure users into making purchases, further increasing affiliate revenue.

Security experts warn that extensions mixing shopping features with hidden monetization logic should be considered high-risk, especially when disclosures fail to match technical behavior.

Separate Campaigns Target Data and AI Accounts

The affiliate scheme was disclosed alongside other extension-based threats. Researchers highlighted four additional Chrome extensions—collectively installed by more than 100,000 users—that were designed to harvest clipboard contents, collect cookies, manipulate search results, or exploit known vulnerabilities in third-party plugins.

More concerning for enterprises is a separate cluster of 16 browser add-ons masquerading as productivity tools for ChatGPT. These extensions injected scripts directly into ChatGPT web sessions to intercept authentication tokens. Possession of such tokens allows attackers to impersonate users, access chat histories, and potentially extract sensitive conversations, code snippets, or business data.

Investigators believe these ChatGPT-related extensions were part of a coordinated campaign, citing shared code, branding, and feature sets.

Browsers Emerge as a Prime Attack Surface

The findings underscore a broader trend: browsers are becoming one of the most attractive attack vectors for cybercriminals. Extensions often require elevated permissions and operate continuously, making them ideal for stealthy, persistent access.

This shift is further reinforced by the recent emergence of a malware-as-a-service toolkit that enables criminals to build malicious Chrome extensions capable of displaying phishing pages while keeping legitimate URLs visible in the address bar. Although that service appears to have gone offline after public exposure, researchers caution that similar offerings are likely to reappear.

What Users and Organizations Should Do

Security professionals advise users to scrutinize extension permissions, review developer credibility, and remove add-ons that are no longer essential. Organizations, particularly those using AI tools in daily workflows, should treat browser extensions as part of their endpoint security posture and monitor them accordingly.
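One way to put the permission review above into practice is to audit each installed extension's `manifest.json` for the access these campaigns depended on. This is an added example, not code from the article or the researchers; the watch lists and the `audit_manifest` and `pattern_host` names are assumptions chosen from the sites and behaviours the article names.

```python
import json

# Assumed watch lists, based on the sites and behaviours named in the article.
# Regional storefront domains are not covered; extend the map as needed.
WATCHED_HOSTS = {
    "chatgpt.com": "ChatGPT session", "openai.com": "ChatGPT session",
    "amazon.com": "shopping", "aliexpress.com": "shopping",
    "walmart.com": "shopping", "bestbuy.com": "shopping",
    "shein.com": "shopping", "shopify.com": "shopping",
}
RISKY_PERMISSIONS = {"cookies", "clipboardRead", "scripting", "webRequest"}
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def pattern_host(pattern):
    """Return the host of a Chrome match pattern, without a leading '*.'."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return host[2:] if host.startswith("*.") else host

def audit_manifest(manifest):
    """Return (category, value) findings for one parsed manifest.json."""
    findings = []
    perms = [p for p in manifest.get("permissions", [])
             + manifest.get("optional_permissions", []) if isinstance(p, str)]
    for perm in sorted(RISKY_PERMISSIONS.intersection(perms)):
        findings.append(("permission", perm))
    # Host access can be declared in three places: host_permissions (MV3),
    # URL patterns inside permissions (MV2), and content_scripts matches.
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in perms if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    for pat in dict.fromkeys(patterns):  # de-duplicate, keep order
        if pat in BROAD_PATTERNS:
            findings.append(("all-sites", pat))
            continue
        host = pattern_host(pat)
        for watched, label in WATCHED_HOSTS.items():
            if host == watched or host.endswith("." + watched):
                findings.append((label, pat))
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.loads("""{
  "manifest_version": 3, "name": "Constructed sample helper",
  "permissions": ["storage", "cookies", "scripting"],
  "host_permissions": ["https://chatgpt.com/*"],
  "content_scripts": [{"matches": ["https://*.amazon.com/*",
                                   "https://chatgpt.com/*"], "js": ["c.js"]}]
}""")

if __name__ == "__main__":
    for category, value in audit_manifest(SAMPLE):
        print(f"{category:16} {value}")
```

A finding is a prompt for review rather than a verdict: many legitimate extensions request the same access, so compare each hit against what the extension's listing says it does.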

As researchers emphasize, even extensions downloaded from trusted marketplaces can pose significant risks when trust is abused—and the consequences can range from lost revenue to full account compromise.



Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO