Malicious Chrome Extensions Manipulate Affiliate Links, Compromise ChatGPT Credentials in New Cyber Threats

Cybersecurity experts have recently identified a series of malicious Google Chrome extensions that not only manipulate affiliate links for financial gain but also compromise user data, including OpenAI ChatGPT authentication tokens.

One such extension, Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), presents itself as a tool designed to enhance the Amazon browsing experience by eliminating sponsored content. Uploaded to the Chrome Web Store by a publisher named 10Xprofit on January 19, 2026, this extension does perform ad-blocking as advertised. However, its primary function is more insidious: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link, effectively replacing existing affiliate codes from content creators.

Further investigation has revealed that Amazon Ads Blocker is part of a larger network comprising 29 browser add-ons targeting various e-commerce platforms, including AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. These extensions, while offering functionalities such as price tracking, invoice generation, and search enhancements, are embedded with malicious code that manipulates affiliate links to divert commissions to the developers.

The deceptive nature of these extensions is further highlighted by misleading disclosures on their Chrome Web Store listings. For instance, they claim that developers earn a small commission when users utilize coupon codes for purchases, omitting the unauthorized replacement of affiliate tags.

The exploitation of affiliate links is not a new phenomenon. In August 2022, cybersecurity researchers uncovered five counterfeit Chrome extensions masquerading as tools for Netflix viewers and other services. These extensions tracked users’ browsing activities and profited from retail affiliate programs by injecting their own affiliate tags into URLs. Collectively, these extensions were downloaded over 1.4 million times, underscoring the scale and effectiveness of such deceptive practices. ([thehackernews.com](https://thehackernews.com/2022/08/experts-find-malicious-cookie-stuffing.html?utm_source=openai))

Beyond affiliate link manipulation, some of these malicious extensions have been found to steal OpenAI ChatGPT authentication tokens. Possession of these tokens grants attackers access equivalent to that of the user, including conversation history and metadata. This means that attackers can impersonate users, accessing all of their ChatGPT conversations, data, or code. This tactic, referred to as Prompt Poaching, involves using browser extensions to stealthily capture AI conversations. In January 2026, two such malicious extensions were identified, collectively affecting over 900,000 users. ([thehackernews.com](https://thehackernews.com/search/label/Browser%20Extension?utm_source=openai))

The proliferation of AI-related extensions in enterprise workflows has introduced new attack vectors. Threat actors exploit the trust associated with popular AI brands to deceive users into installing malicious extensions. These tools often require elevated execution contexts within the browser, granting them access to sensitive data. Consequently, seemingly harmless extensions can become lucrative attack vectors, allowing adversaries to obtain persistent access without exploiting security flaws or triggering security alarms.

The discovery of these malicious extensions underscores the importance of vigilance when installing browser add-ons. Users are advised to:

– Verify Developer Credentials: Ensure that the extension is developed by a reputable source.

– Review Permissions: Scrutinize the permissions requested by the extension. Excessive permissions can be a red flag.

– Monitor Browser Activity: Regularly check for unauthorized changes in browser behavior or unexpected redirects.

– Stay Updated: Keep abreast of cybersecurity news to be informed about newly discovered threats.
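The permission review advised above can be automated across a browser profile. The following is an added example, not code from the article or from any vendor: it walks Chrome's on-disk `Extensions/<id>/<version>/manifest.json` layout, flags the extension ID named in the article, and reports broad or sensitive access. The `WATCHED_SITES` and `SENSITIVE_PERMS` lists and the finding labels are assumptions chosen for illustration.

```python
import json
from pathlib import Path

KNOWN_BAD_IDS = {"pnpchphmplpdimbllknjoiopmfphellj"}  # ID named in the article
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WATCHED_SITES = ("amazon.", "chatgpt.com", "openai.com")  # assumption: sites to watch
SENSITIVE_PERMS = {"cookies", "webRequest", "scripting", "tabs"}  # assumption

def audit_extension(ext_id, manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 host list
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 keeps hosts here
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = {f"perm:{p}" for p in perms & SENSITIVE_PERMS}
    findings |= {f"touches:{s}" for s in WATCHED_SITES if any(s in h for h in hosts)}
    if ext_id in KNOWN_BAD_IDS:
        findings.add("known-bad-id")
    if hosts & BROAD_HOSTS:
        findings.add("broad-host-access")
    return sorted(findings)

def audit_profile(extensions_dir):
    """Map extension ID -> findings for every manifest under the Extensions directory."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_extension(ext_id, manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["unreadable-manifest"]  # malformed file: review by hand
        if findings:
            report[ext_id] = findings
    return report

if __name__ == "__main__":
    # Constructed sample manifest, not the real extension's manifest.
    sample = {"manifest_version": 3, "permissions": ["storage", "cookies"],
              "content_scripts": [{"matches": ["https://www.amazon.com/*"], "js": ["c.js"]}]}
    print(audit_extension("pnpchphmplpdimbllknjoiopmfphellj", sample))
```

A finding is a prompt for manual review, not a verdict: many legitimate extensions request the same permissions.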

In conclusion, while browser extensions can enhance user experience, they can also serve as conduits for malicious activities. By exercising caution and staying informed, users can mitigate the risks associated with these deceptive tools.