A sweeping investigation has revealed a growing ecosystem of malicious Google Chrome extensions that masquerade as helpful tools while secretly hijacking affiliate links, scraping product data, and even stealing OpenAI ChatGPT authentication tokens. The findings highlight how browser add-ons, often trusted by millions of users, are increasingly being weaponized as attack vectors.
The Amazon Ads Blocker Case
One of the most prominent examples is the Amazon Ads Blocker extension, published by a developer under the name “10Xprofit.” Marketed as a utility to block intrusive ads, the extension instead injects the developer’s affiliate tag into every Amazon product link. This practice effectively diverts commissions away from legitimate content creators and influencers, violating both Amazon’s affiliate program rules and Chrome Web Store policies.
Researchers discovered that the extension is part of a cluster of 29 add-ons targeting major e-commerce platforms including Amazon, AliExpress, Best Buy, Shein, Shopify, and Walmart. These extensions often scrape product data and transmit it to attacker-controlled servers, raising concerns about data privacy and unauthorized commercial exploitation.
Symantec’s Warning
Security firm Symantec identified four additional extensions with more than 100,000 combined users. These include:
- Good Tab – abuses clipboard permissions.
- Children Protection – harvests cookies and injects ads.
- DPS Websafe – hijacks search queries.
- Stock Informer – vulnerable to an outdated cross-site scripting flaw.
Symantec warned that such extensions blur the line between utility and exploitation, often combining unrelated functions that should raise red flags for users.
ChatGPT Token Theft
Perhaps most alarming is a network of 16 extensions (15 on Chrome, one on Edge) designed to steal ChatGPT authentication tokens. By injecting malicious scripts into chatgpt.com, attackers gain full account-level access. With stolen tokens, they can impersonate users, view conversation histories, and harvest sensitive data.
This attack underscores how cybercriminals are exploiting the popularity of AI platforms, turning them into lucrative targets for credential theft and account hijacking.
Malware-as-a-Service: Stanley Toolkit
Adding to the threat landscape, researchers uncovered a malware-as-a-service toolkit called Stanley, advertised on Russian forums for $2,000–$6,000. The toolkit allowed buyers to create malicious Chrome extensions disguised as note-taking apps, with premium packages promising guaranteed approval on the Chrome Web Store. Although the toolkit disappeared after public exposure, experts warn it could resurface under a new name.
Why It Matters
- Affiliate hijacking undermines trust between creators and audiences, siphoning legitimate income streams.
- Token theft from platforms like ChatGPT demonstrates how attackers exploit emerging technologies for persistent access.
- Browser extensions are now a primary battleground in cybersecurity, combining convenience with hidden malicious code.
Conclusion
The revelations serve as a stark reminder that browser extensions are not inherently safe, even when downloaded from official stores. With remote work, SaaS-first environments, and BYOD policies expanding attack surfaces, vigilance is critical. Experts urge users to scrutinize extensions carefully, avoid those with vague or overly broad permissions, and remain alert to the hidden risks behind seemingly helpful tools.

