Cybersecurity experts have identified harmful Google Chrome extensions that have the ability to hijack affiliate links, steal data, and gather OpenAI ChatGPT authentication tokens.
One of these extensions is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which purports to be a tool for browsing Amazon without any sponsored content. It was uploaded to the Chrome Web Store by a publisher named “10Xprofit” on January 19, 2026.
“The extension does block ads as promised, but its main function is hidden: it automatically inserts the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” explained Socket security researcher Kush Pandya.
Further investigation revealed that Amazon Ads Blocker is part of a larger group of 29 browser add-ons that target various e-commerce platforms such as AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The full list includes:
- AliExpress Invoice Generator (FREE) – AliInvoice™️ (10+ Templates) (ID: mabbblhhnmlckjbfppkopnccllieeocp)
- AliExpress Price Tracker – Price History & Alerts (ID: loiofaagnefbonjdjklhacdhfkolcfgi)
- AliExpress Quick Currency & Price Converter (ID: mcaglpclodnaiimhicpjemhcinjfnjce)
- … (additional items in the list)
While “Amazon Ads Blocker” provides the promised functionality, it also includes malicious code that scans all Amazon product URL patterns for affiliate tags and replaces them with “10xprofit-20.” This action can result in social media content creators losing commissions when users with the extension installed click on their affiliate links.
This behavior violates Chrome Web Store policies, which require extensions using affiliate links to disclose how the program works, require user action before each injection, and never replace existing affiliate codes without permission.
Socket also noted that the extension’s listing page on the Chrome Web Store contains misleading information, claiming that developers earn a “small commission” when users use a coupon code to make a purchase.
Affiliate links are commonly used on social media and websites to track traffic and sales for marketers. Extensions like these pose a risk by replacing existing affiliate tags with the attacker’s tag, resulting in lost commissions for content creators.
As artificial intelligence-related extensions become more prevalent in enterprise workflows, the potential for misuse and exploitation grows. Threat actors can leverage popular AI brands to deceive users into installing malicious extensions that provide access to sensitive data.
Browser extensions have become a lucrative attack vector for cybercriminals, allowing them to steal data, inject ads, and execute arbitrary code. Users should exercise caution when installing extensions and be aware of the risks associated with them.
Additionally, a new malware-as-a-service toolkit called Stanley has emerged, offering customers the ability to create malicious Chrome browser extensions for phishing attacks. These extensions can display legitimate URLs in the address bar while overlaying a phishing page, tricking users into entering sensitive information.
While the Stanley service has disappeared as of January 27, 2025, the threat posed by malicious browser extensions remains a significant concern. Organizations and individuals should remain vigilant and take steps to protect themselves from these potential threats.
