Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access

Cybersecurity Alert: 29 Malicious Chrome Extensions Hijack Affiliate Links and Steal Data

A new wave of malicious Google Chrome extensions has been uncovered, exposing millions of users to privacy and financial risks. Cybersecurity researchers have identified 29 browser add-ons that appear legitimate but silently rewrite affiliate links and scrape and exfiltrate user data, and, in a separate campaign, a further set of extensions that intercept OpenAI ChatGPT authentication tokens.

The Affiliate Hijacking Scam

One of the most prominent offenders is the Amazon Ads Blocker extension, which promises to remove sponsored content from Amazon but also injects the developer’s affiliate tag into every Amazon product link on the page, overwriting any tag already present. When a user clicks such a link, the commission goes to the attacker instead of the content creator who originally placed it.

Socket security researcher Kush Pandya explained: “The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag into every Amazon product link and replaces existing affiliate codes from content creators.”

The same tactic is applied to other e-commerce platforms, including AliExpress, Best Buy, SHEIN, Shopify, and Walmart. Together the 29 extensions form a coordinated network built to divert commissions from legitimate affiliate marketers and content creators.
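To make the mechanism concrete, the following is an added example, not code from the extensions or from Socket’s research. It models the link rewrite the article describes on plain URL strings (a real content script would walk the page’s anchor elements) and pairs it with a check that compares links as served with links as they appear after extensions have run. Amazon’s `tag` parameter is real; the second site and its `aff` parameter, the tag values and the sample links are constructed for the demo.

```javascript
// Added example: affiliate-tag hijacking modelled on URL strings, plus a check
// that flags injected or replaced tags. Not the extensions' own code.
// "tag" is Amazon's affiliate parameter; "shop.example"/"aff" is a stand-in.
const AFFILIATE_PARAMS = {
  "www.amazon.com": "tag",
  "shop.example": "aff", // assumed second platform for the demo
};

// Returns the affiliate tag carried by a product link, or null if the host is
// not a supported platform or the link carries no tag.
function affiliateTag(href) {
  const u = new URL(href);
  const param = AFFILIATE_PARAMS[u.hostname];
  if (!param) return null;
  return u.searchParams.get(param);
}

// What the article says the extension does: set the attacker's tag on every
// supported product link, overwriting a creator's tag if one is already there.
function hijackLink(href, attackerTag) {
  const u = new URL(href);
  const param = AFFILIATE_PARAMS[u.hostname];
  if (!param) return href;
  u.searchParams.set(param, attackerTag); // replaces an existing tag silently
  return u.toString();
}

// Detection: compare links as served (e.g. fetched from a clean profile or
// recorded before any extension ran) with the links the live DOM now holds.
// Reports every link whose affiliate tag was added or changed.
function detectHijacks(servedLinks, liveLinks) {
  const findings = [];
  for (let i = 0; i < servedLinks.length; i++) {
    const before = affiliateTag(servedLinks[i]);
    const after = affiliateTag(liveLinks[i]);
    if (before !== after) {
      findings.push({
        url: servedLinks[i],
        before,
        after,
        kind: before === null ? "injected" : "replaced",
      });
    }
  }
  return findings;
}

// Constructed sample: a creator-tagged Amazon link, an untagged Amazon link,
// a tagged link on the stand-in platform, and an unrelated page.
const SERVED = [
  "https://www.amazon.com/dp/B000TEST00?tag=creator-20",
  "https://www.amazon.com/dp/B000TEST01",
  "https://shop.example/item/42?aff=creator",
  "https://example.com/review",
];
const LIVE = SERVED.map((h) => hijackLink(h, "attacker-20"));
const FINDINGS = detectHijacks(SERVED, LIVE);
```

The comparison only works against a baseline the extension could not touch, which is why the served copy should come from a clean profile or a server-side fetch rather than from the same browser.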

Data Theft and Privacy Violations

Beyond affiliate hijacking, the extensions collect data at scale: they scrape product information from the pages a user visits and exfiltrate it to servers controlled by the attackers. Some of the extensions targeting AliExpress also display fake “LIMITED TIME DEAL” countdown timers to create artificial urgency and push users into buying through the hijacked links.

The extensions violate Chrome Web Store policies in multiple ways:

  • They don’t accurately disclose how affiliate programs work
  • They inject affiliate codes without requiring user action
  • They replace existing affiliate codes from legitimate creators
  • They combine unrelated functions (ad blocking and affiliate injection) that should be separate extensions

ChatGPT Token Theft Campaign

In a separate but equally concerning discovery, security researchers found 16 malicious extensions designed to steal ChatGPT authentication tokens. These extensions, downloaded approximately 900 times, claim to offer useful ChatGPT features like voice downloads, prompt management, and chat organization.

In reality they inject content scripts into chat.openai.com and use that page-level access to intercept the user’s authentication tokens. LayerX security researcher Natalie Zargarov warned: “Possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata. As a result, attackers can replicate the users’ access credentials to ChatGPT and impersonate them.”

The Stanley Malware-as-a-Service Toolkit

Adding to the threat landscape, a new malware-as-a-service toolkit called Stanley has emerged on Russian cybercrime forums. Priced between $2,000 and $6,000, Stanley allows criminals to generate malicious Chrome extensions that can bypass Google’s vetting process and get approved for the Chrome Web Store.

Stanley’s most dangerous feature is its ability to display a phishing page inside an HTML iframe laid over the legitimate site. Because the extension runs within the genuine page, the address bar continues to show the real URL while the fake login form is what the user sees, so the usual advice to check the URL before entering credentials offers no protection.
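The following is an added example, not part of Varonis’s research or of the Stanley toolkit: a check for the overlay pattern described above, an iframe from a foreign origin that covers the viewport while the address bar still shows the legitimate site. It works on plain frame descriptors so it runs outside a browser; in a page the same descriptors would be built from `document.querySelectorAll("iframe")` and `getBoundingClientRect()`. The coverage threshold, the page origin and the sample frames are assumptions.

```javascript
// Added example: flag cross-origin iframes that cover (almost) the whole
// viewport, the shape of an in-page phishing overlay. Not Stanley's code.
const COVERAGE_THRESHOLD = 0.9; // assumed: fraction of viewport a frame must cover

// Origin of a frame's src, or null for srcdoc/about:blank frames that have no
// origin of their own. chrome-extension:// URLs yield an opaque origin ("null"),
// which is also treated as foreign below.
function frameOrigin(src) {
  if (!src || src === "about:blank") return null;
  try {
    return new URL(src).origin;
  } catch {
    return null;
  }
}

// Area of the part of rect that is inside the viewport.
function visibleArea(rect, viewport) {
  const w = Math.min(rect.x + rect.width, viewport.width) - Math.max(rect.x, 0);
  const h = Math.min(rect.y + rect.height, viewport.height) - Math.max(rect.y, 0);
  return Math.max(0, w) * Math.max(0, h);
}

// frames: [{ src, rect: {x, y, width, height}, position }]
// Returns the frames that are both foreign to the page origin and cover at
// least COVERAGE_THRESHOLD of the viewport.
function findOverlayFrames(pageOrigin, viewport, frames) {
  const viewArea = viewport.width * viewport.height;
  return frames
    .filter((f) => {
      const foreign = frameOrigin(f.src) !== pageOrigin;
      const covers = visibleArea(f.rect, viewport) / viewArea >= COVERAGE_THRESHOLD;
      return foreign && covers;
    })
    .map((f) => ({ src: f.src, fixed: f.position === "fixed" }));
}

// Constructed sample page: a same-origin widget, a tiny third-party pixel,
// and an extension-injected full-screen overlay carrying a fake login form.
const PAGE_ORIGIN = "https://bank.example";
const VIEWPORT = { width: 1280, height: 800 };
const FRAMES = [
  { src: "https://bank.example/widgets/chat",
    rect: { x: 900, y: 500, width: 360, height: 280 }, position: "static" },
  { src: "https://analytics.example/pixel",
    rect: { x: 0, y: 0, width: 1, height: 1 }, position: "absolute" },
  { src: "chrome-extension://abcdefghijklmnopabcdefghijklmnop/login.html",
    rect: { x: 0, y: 0, width: 1280, height: 800 }, position: "fixed" },
];
const OVERLAYS = findOverlayFrames(PAGE_ORIGIN, VIEWPORT, FRAMES);
```

This catches the iframe variant only. An extension with content-script access can equally write a fake form straight into the page’s DOM, which no origin comparison will see; the durable defence is to keep such extensions out of the browser in the first place.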

Varonis researcher Daniel Kelley noted: “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint. Attackers have noticed. Malicious browser extensions are now a primary attack vector.”

The Growing Browser Extension Threat

The discovery of these malicious extensions highlights a critical security gap. As artificial intelligence tools become part of everyday enterprise workflows, browser extensions have become an attractive attack vector for cybercriminals. Extensions run inside the user’s authenticated browser sessions and routinely ask for broad permissions and access to sensitive page data, which makes them well suited to persistent attacks that endpoint and network controls rarely notice.
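As an added example serving both the ChatGPT token-theft campaign described earlier and the point about elevated permissions (this is not code from LayerX or from the extensions themselves), the following audits an extension’s manifest.json for the combination that campaign relied on: a content script scoped to the ChatGPT origin together with permissions that reach session material. The origin list, the permission set, the severity rule and both sample manifests are assumptions for the demo.

```javascript
// Added example: audit a Chrome extension manifest for content scripts on AI
// chat origins combined with sensitive permissions. Not the extensions' code.
const AI_ORIGINS = ["chat.openai.com", "chatgpt.com"]; // assumed target list

// Permissions that, next to a content script on the target site, give an
// extension a path to cookies, traffic, the clipboard or arbitrary script
// execution. The set is a judgement call for this demo.
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
  "scripting", "clipboardRead", "debugger",
]);

// Does a match pattern ("https://chat.openai.com/*", "*://*.openai.com/*",
// "<all_urls>") cover one of the AI chat origins?
function matchesAIOrigin(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|[a-z]+):\/\/([^/]+)\//i.exec(pattern);
  if (!m) return false;
  const host = m[1].toLowerCase();
  if (host === "*") return true;
  const bare = host.replace(/^\*\./, ""); // "*.openai.com" -> "openai.com"
  return AI_ORIGINS.some((o) => o === bare || o.endsWith("." + bare));
}

// Returns { severity: "high" | "medium" | "low", findings: [string] }.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.content_scripts || [];
  const aiScripts = scripts.filter((cs) => (cs.matches || []).some(matchesAIOrigin));
  for (const cs of aiScripts) {
    const early = cs.run_at === "document_start" ? " at document_start" : "";
    findings.push(`content script ${(cs.js || []).join(",")} runs on ${cs.matches.join(",")}${early}`);
  }
  const perms = manifest.permissions || [];
  const sensitive = perms.filter((p) => SENSITIVE_PERMISSIONS.has(p));
  for (const p of sensitive) findings.push(`sensitive permission: ${p}`);
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const broadHosts = hosts.filter((h) => h === "<all_urls>" || /^\*:\/\/\*\//.test(h));
  for (const h of broadHosts) findings.push(`broad host permission: ${h}`);

  let severity = "low";
  if (aiScripts.length && (sensitive.length || broadHosts.length)) severity = "high";
  else if (aiScripts.length || sensitive.length) severity = "medium";
  return { severity, findings };
}

// Constructed manifests: a "prompt manager" of the kind the article describes,
// and a benign single-purpose extension for comparison.
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: "Prompt Manager for ChatGPT",
  permissions: ["storage", "cookies", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["https://chat.openai.com/*", "https://chatgpt.com/*"],
      js: ["inject.js"], run_at: "document_start" },
  ],
};
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Word counter",
  permissions: ["activeTab"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["count.js"] }],
};
```

A manifest audit is a triage step, not a verdict: a content script on chat.openai.com alone can read page state without any additional permission, so the “medium” bucket still deserves a look at the script itself.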

Security experts warn that users should be cautious when installing browser extensions, even from the official Chrome Web Store. The combination of affiliate hijacking, data theft, and token interception shows how a seemingly harmless utility can become a capable tool for cybercrime.

The Chrome Web Store and other browser extension marketplaces face increasing pressure to improve their vetting processes as attackers become more sophisticated in disguising malicious code within legitimate-looking applications.
