Security researchers uncover coordinated network of 29 browser extensions targeting e-commerce platforms, with separate cluster intercepting AI session tokens
The browser extension threat landscape has expanded beyond the ongoing Honey controversy into outright malware. Cybersecurity researchers have identified multiple malicious Google Chrome extensions that hijack Amazon affiliate links, steal product data and collect ChatGPT authentication tokens, putting hundreds of thousands of users at risk.
The discoveries, published by researchers at Socket, LayerX and Symantec over the past week, reveal a coordinated operation that goes far beyond the attribution manipulation practices that have dominated affiliate industry conversations since the Honey scandal broke in late 2024. These extensions are not operating in grey areas of last-click attribution. They are actively stealing.
Socket researcher Kush Pandya discovered that a Chrome Web Store extension called “Amazon Ads Blocker” (extension ID: pnpchphmplpdimbllknjoiopmfphellj) functions as advertised by blocking ads, but conceals its primary purpose: automatically injecting the developer's affiliate tag (10xprofit-20) into every Amazon product link and replacing existing affiliate codes.
The mechanism is technically straightforward but devastating for affiliates. When a user with the extension installed clicks on any Amazon product link, including links containing an affiliate's tracking tag, the extension overwrites that tag with its own identifier. Content creators who share Amazon product links with their affiliate tags lose commissions when users with the installed add-on click those links.
Pandya's team identified that Amazon Ads Blocker belongs to a coordinated cluster of 29 browser extensions uploaded as recently as 19 January 2026. The network targets e-commerce platforms including Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart.
The extensions scan all product URLs for affiliate tags without requiring any user interaction and replace them with the attacker's code. When no tags are present, the extensions simply append the attacker's ID. The extensions also scrape product data and exfiltrate it to app.10xprofit[.]io. Some variants deploy fake “LIMITED TIME DEAL” countdowns on AliExpress pages to spur impulse purchases.
This behaviour directly violates Chrome Web Store policies, which require extensions using affiliate links to accurately disclose their functionality, require user action before each injection and never replace existing affiliate codes. The policies Google tightened in March 2025 following the Honey controversy appear to have had limited effect on preventing malicious extensions from reaching users.
Separately, researchers at the AI and web security firm LayerX identified 16 malicious extensions (15 on Chrome, one on Edge) that intercept ChatGPT session authentication tokens by injecting content scripts into ChatGPT.com.
When users sign in to ChatGPT, their session remains active using a hidden token. These extensions inject their own code into ChatGPT to monitor traffic flowing in and out. With this token, an attacker can access a victim's ChatGPT account, view their conversation history and use their profile without needing their password or two-factor authentication.
The implications extend beyond personal privacy. For affiliate marketers and digital professionals who use ChatGPT for competitive research, content strategy or business communications, a compromised account could expose sensitive business information, client data and strategic plans.
Meanwhile, Broadcom-owned Symantec flagged four extensions with more than 100,000 combined users that steal data: Good Tab, Children Protection, DPS Websafe and Stock Informer. The presence of an extension called “Children Protection” in this list underscores how malicious actors exploit trust-signalling names to distribute harmful software.
The PayPal Honey scandal that has dominated affiliate marketing discourse centres on questions of attribution manipulation and last-click ethics. Those are legitimate concerns that have spawned class action lawsuits and prompted Rakuten to remove Honey from its network.
But the extensions identified by Socket represent something categorically different: direct commission theft by bad actors masquerading as productivity tools. There is no ambiguity about user consent or attribution system design. The extensions deliberately replace affiliate tags without disclosure, scrape user data and operate entirely outside any legitimate business framework.
The distinction matters for how the industry responds. The Honey controversy has pushed networks to examine standdown protocols and attribution mechanics. This threat requires a different response: proactive protection of end users whose browsers can be weaponised against the affiliates whose links they click.
Content creators and affiliate marketers should recognise that their commissions are vulnerable not through their own actions but through software installed on their audience's devices. This creates a protection challenge that cannot be solved through traditional program management approaches.
Educate your audience. Consider informing readers about the risks of installing browser extensions that request broad permissions, particularly those promising to enhance shopping experiences or block ads. Many users do not understand that extensions can modify page content, including affiliate links.
Monitor for unusual conversion patterns. Sudden drops in conversion rates without corresponding traffic changes could indicate that a portion of your audience has installed extensions that hijack your links. This is particularly relevant for Amazon Associates given the identified extensions specifically target that platform.
Diversify your traffic sources. Audiences on email lists and social platforms where you can communicate directly face lower extension exposure than anonymous web visitors. Building direct relationships with your audience provides some insulation against browser-based threats.
Report suspicious extensions. If you identify extensions that appear to manipulate affiliate links, report them through the Chrome Web Store. Google has demonstrated willingness to act on these reports, though enforcement remains imperfect.
These discoveries add to a mounting body of evidence that browser extensions represent a significant and under-appreciated threat vector. A GitLab Security report from February 2025 found that malicious extensions impacted at least 3.2 million users, with the true scale likely far higher given many infections remain undetected.
The technical capabilities available to browser extensions create inherent risks. Once installed, extensions operate with significant privileges that make them attractive to attackers: data exfiltration, keylogging, screen capture, network interception and session hijacking all become possible.
For the affiliate marketing industry, this means cookie-based tracking vulnerabilities are just one dimension of a multi-faceted security challenge. Server-side tracking, first-party data strategies and privacy-compliant attribution methods address some concerns. But they cannot prevent a malicious extension from modifying page content before it reaches affiliate tracking systems.
The shift toward server-to-server tracking that industry advocates have pushed following the third-party cookie phase-out may offer some protection. When tracking occurs on the server rather than in the browser, client-side extension manipulation becomes less effective. However, extensions that modify links before clicks occur can still redirect traffic through their own tracking.
The Chrome Web Store policies updated in 2025 prohibit the behaviour exhibited by these extensions. Extensions that automatically inject affiliate links without user action or that replace existing affiliate codes violate explicit policy. The challenge lies in enforcement.
Google's vetting process cannot catch every malicious extension before publication. As the Socket research demonstrates, bad actors continue to successfully publish extensions that violate policies. The network of 29 identified extensions suggests coordinated operations that can regenerate under new identities when individual extensions are removed.
For affiliate marketers, the practical reality is that browser extension threats will persist regardless of policy changes. The comprehensive fraud prevention approaches that protect programs against click fraud and attribution manipulation provide a foundation, but the industry needs to extend its threat models to include client-side attacks on end users.
The extensions discovered by Socket, LayerX and Symantec have been reported to Google. Users who have installed any of the identified extensions should remove them immediately and consider changing passwords for any services accessed while the extensions were active.
For the affiliate marketing industry, these discoveries serve as a reminder that the browser extension controversy extends far beyond Honey. While the industry debates attribution ethics, malicious actors are simply taking what they can.
Affiliates experiencing unusual conversion drops or suspecting their links may be compromised by browser extension manipulation can explore fraud detection resources and attribution protection strategies.