Key Findings:

• Cybersecurity researchers have discovered a cluster of 29 malicious Google Chrome extensions that target e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart.

• The extensions, including "Amazon Ads Blocker," automatically inject the developer's affiliate tags into product links, replacing existing affiliate codes from content creators.

• The extensions violate Chrome Web Store policies by misrepresenting their functionality, combining unrelated features, and replacing existing affiliate tags without user consent.

• The extensions also scrape product data and exfiltrate it to the domain "app.10xprofit[.]io," with some displaying fake "LIMITED TIME DEAL" countdowns to create a sense of urgency.

• In addition to affiliate link abuse, the researchers found that the extensions are capable of stealing OpenAI ChatGPT authentication tokens, enabling access to the popular AI chatbot.

Background

The malicious Chrome extensions were discovered by cybersecurity researchers at Socket, who analyzed their functionality and capabilities in detail. The extensions, which claim to offer various e-commerce-related features, were found to be part of a larger coordinated campaign targeting multiple online shopping platforms.

Affiliate Link Hijacking

The primary function of these extensions is to automatically inject the developer's affiliate tags into product links, effectively hijacking existing affiliate codes from content creators and social media influencers. This practice violates Chrome Web Store policies, which require extensions using affiliate links to accurately disclose the program and obtain user consent before each injection.

Data Exfiltration and Fake Deals

In addition to the affiliate link abuse, the researchers found that the extensions also scrape product data and send it to the domain "app.10xprofit[.]io." Some of the extensions, particularly those focused on AliExpress, display fake "LIMITED TIME DEAL" countdown timers on product pages to create a false sense of urgency and rush users into making purchases.

ChatGPT Token Theft

Further analysis by the researchers revealed that the extensions are also capable of stealing OpenAI ChatGPT authentication tokens, enabling unauthorized access to the popular AI chatbot. This functionality could be used to abuse ChatGPT and potentially gain access to users' personal information or conversations.

Conclusion

The discovery of this cluster of malicious Chrome extensions highlights the ongoing threat posed by malware targeting e-commerce platforms and popular online services. Users are advised to exercise caution when installing browser extensions and to carefully review their permissions and disclosures. Cybersecurity researchers and platforms like the Chrome Web Store should remain vigilant in identifying and removing such malicious add-ons to protect users and content creators alike.

Sources

• https://thehackernews.com/2026/01/researchers-uncover-chrome-extensions.html

• https://x.com/shah_sheikh/status/2017241325276442811

• https://www.cypro.se/2026/01/30/researchers-uncover-chrome-extensions-abusing-affiliate-links-and-stealing-chatgpt-access/