{"id":183008,"date":"2026-01-30T08:42:00","date_gmt":"2026-01-30T13:42:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/30\/researchers-uncover-chrome-extensions-abusing-affiliate-links-and-stealing-chatgpt-access\/"},"modified":"2026-01-30T10:00:14","modified_gmt":"2026-01-30T15:00:14","slug":"researchers-uncover-chrome-extensions-abusing-affiliate-links-and-stealing-chatgpt-access","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/30\/researchers-uncover-chrome-extensions-abusing-affiliate-links-and-stealing-chatgpt-access\/","title":{"rendered":"Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access"},"content":{"rendered":"

Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/01\/researchers-uncover-chrome-extensions.html<\/a><\/p>\n

Publish Date: 2026-01-30 08:42:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens.
\nOne of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome Web Store by a publisher named “10Xprofit” on January 19, 2026.
\n“The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” Socket security researcher Kush Pandya said.
\nFurther analysis has determined that Amazon Ads Blocker is part of a larger cluster of 29 browser add-ons that target several e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The complete list is as follows –<\/p>\n

AliExpress Invoice Generator (FREE) – AliInvoice\u2122\ufe0f (10+ Templates) (ID: mabbblhhnmlckjbfppkopnccllieeocp)
\nAliExpress Price Tracker – Price History & Alerts (ID: loiofaagnefbonjdjklhacdhfkolcfgi)
\nAliExpress Quick Currency & Price Converter (ID: mcaglpclodnaiimhicpjemhcinjfnjce)
\nAliExpress Deals Countdown – Flash Sale Timer (ID: jmlgkeaofknfmnbpmlmadnfnfajdlehn)
\n10Xprofit – Amazon Seller Tools (FBA & FBM) (ID: ahlnchhkedmjbdocaamkbmhppnligmoh)
\nAmazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj)
\nAmazon ASIN Lookup 10xprofit (ID: ljcgnobemekghgobhlplpehijemdgcgo)
\nAmazon Search Suggestion (ID: dnmfcojgjchpjcmjgpgonmhccibjopnb)
\nAmazon Product Scraper 10xprofit (ID: mnacfoefejolpobogooghoclppjcgfcm)
\nAmazon Quick Brand Search (ID: nigamacoibifjohkmepefofohfedblgg)
\nAmazon Stock Checker 999 (ID: johobikccpnmifjjpephegmfpipfbfme)
\nAmazon Price History Saver (ID: kppfbknppimnoociaomjcdgkebdmenkh)
\nAmazon ASIN Copy (ID: aohfjaadlbiifnnajpobdhokecjokhab)
\nAmazon Keyword Cloud Generator (ID: gfdbbmngalhmegpkejhidhgdpmehlmnd)
\nAmazon Image Downloader (ID: cpcojeeblggnjjgnpiicndnahfhjdobd)
\nAmazon Negative Review Hider (ID: hkkkipfcdagiocekjdhobgmlkhejjfoj)
\nAmazon Listing Score Checker (ID: jaojpdijbaolkhkifpgbjnhfbmckoojh)
\nAmazon Keyword Density Searcher (ID: ekomkpgkmieaaekmaldmaljljahehkoi)
\nAmazon Sticky Notes (ID: hkhmodcdjhcidbcncgmnknjppphcpgmh)
\nAmazon Result Numbering (ID: nipfdfkjnidadibpbflijepbllfkokac)
\nAmazon Profit Calculator Lite (ID: behckapcoohededfbgjgkgefgkpodeho)
\nAmazon Weight Converter (ID: dfnannaibdndmkienngjahldiofjbkmj)
\nAmazon BSR Fast View (ID: nhilffccdbcjcnoopblecppbhalagpaf)
\nAmazon Character Count & Seller Tools (ID: goikoilmhcgfidolicnbgggdpckdcoam)
\nAmazon Global Price Checker (ID: mjcgfimemamogfmekphcfdehfkkbmldn)
\nBestBuy Search By Image (ID: nppjmiadmakeigiagilkfffplihgjlec)
\nSHEIN Search By Image (ID: mpgaodghdhmeljgogbeagpbhgdbfofgb)
\nShopify Search By Image (ID: gjlbbcimkbncedhofeknicfkhgaocohl)
\nWalmart Search By Image (ID: mcaihdkeijgfhnlfcdehniplmaapadgb)<\/p>\n

While “Amazon Ads Blocker” offers the advertised functionality, it also embeds malicious code that scans all Amazon product URL patterns for any affiliate tag without requiring any user interaction, and replaces it with “10xprofit-20” (or “_c3pFXV63” for AliExpress). In cases where there are no tags, the attacker’s tag is appended to each URL.
\nSocket also noted that the extension listing page on the Chrome Web Store makes misleading disclosures, claiming that the developers earn a “small commission” every time a user makes use of a coupon code to make a purchase. <\/p>\n

Affiliate links are widely used across social media and websites. They refer to URLs containing a specific ID that enables tracking of traffic and sales to a particular marketer. When a user clicks this link to buy the product, the affiliate earns a cut of the sale.
\nDue to the extensions searching for existing tags and replacing them, social media content creators who share Amazon product links with their own affiliate tags lose commissions when users who have installed the add-on click those links.
\nThis amounts to a violation of Chrome Web Store policies, as they require extensions using affiliate links to accurately divulge how the program works, require user action before each injection, and never replace existing affiliate codes.
\n“The disclosure describes a coupon\/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification,” Pandya explained. “This mismatch between disclosure and implementation creates false consent.”
\n“The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.”
\nThe identified extensions have also been found to scrape product data and exfiltrate it to “app.10xprofit[.]io,” with those focusing on AliExpress serving bogus “LIMITED TIME DEAL” countdown timers on product pages to create a false sense of urgency and rush them into making purchases so as to earn commissions on affiliate links.<\/p>\n

“Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don’t match the actual code behavior,” Socket said.
\nThe disclosure comes as Broadcom-owned Symantec flagged four different extensions that have a combined user base exceeding 100,000 users and are designed to steal data –<\/p>\n

Good Tab (ID: glckmpfajbjppappjlnhhlofhdhlcgaj), which grants full clipboard permissions to an external domain (“api.office123456[.]com”) to enable remote clipboard-read and clipboard-write permissions
\nChildren Protection (ID: giecgobdmgdamgffeoankaipjkdjbfep), which implements functionality to harvest cookies, inject ads, and execute arbitrary JavaScript by contacting a remote server
\nDPS Websafe (ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg), which changes the default search to one under their control to capture search terms entered by users and potentially route them to malicious websites
\nStock Informer (ID: beifiidafjobphnbhbbgmgnndjolfcho), which is susceptible to a years-old cross-site (XSS) vulnerability in the Stockdio Historical Chart WordPress plugin (CVE-2020-28707, CVSS score: 6.1) that could allow a remote attacker to execute JavaScript code<\/p>\n

“While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources,” researchers Yuanjing Guo and Tommy Dong said.
\nRounding off the list of malicious extensions is another network of 16 add-ons (15 on the Chrome Web Store and one on the Microsoft Edge Add-ons marketplace) that are designed to intercept and steal ChatGPT authentication tokens by injecting a content script into chatgpt[.]com. Cumulatively, the extensions were downloaded about 900 times, according to LayerX.
\nThe extensions are assessed to be part of a coordinated campaign due to overlaps in source code, icons, branding, and descriptions –<\/p>\n

ChatGPT folder, voice download, prompt manager, free tools \u2013 ChatGPT Mods (ID: lmiigijnefpkjcenfbinhdpafehaddag)
\nChatGPT voice download, TTS download \u2013 ChatGPT Mods (ID: obdobankihdfckkbfnoglefmdgmblcld)
\nChatGPT pin chat, bookmark \u2013 ChatGPT Mods (ID: kefnabicobeigajdngijnnjmljehknjl)
\nChatGPT message navigator, history scroller \u2013 ChatGPT Mods (ID: ifjimhnbnbniiiaihphlclkpfikcdkab)
\nChatGPT model switch, save advanced model uses \u2013 ChatGPT Mods (ID: pfgbcfaiglkcoclichlojeaklcfboieh)
\nChatGPT export, Markdown, JSON, images \u2013 ChatGPT Mods (ID: hljdedgemmmkdalbnmnpoimdedckdkhm)
\nChatGPT Timestamp Display \u2013 ChatGPT Mods (ID: afjenpabhpfodjpncbiiahbknnghabdc)
\nChatGPT bulk delete, Chat manager \u2013 ChatGPT Mods (ID: gbcgjnbccjojicobfimcnfjddhpphaod)
\nChatGPT search history, locate specific messages \u2013 ChatGPT Mods (ID: ipjgfhcjeckaibnohigmbcaonfcjepmb)
\nChatGPT prompt optimization \u2013 ChatGPT Mods (ID: mmjmcfaejolfbenlplfoihnobnggljij)
\nCollapsed message \u2013 ChatGPT Mods (ID: lechagcebaneoafonkbfkljmbmaaoaec)
\nMulti-Profile Management & Switching \u2013 ChatGPT Mods (ID: nhnfaiiobkpbenbbiblmgncgokeknnno)
\nSearch with ChatGPT \u2013 ChatGPT Mods (ID: hpcejjllhbalkcmdikecfngkepppoknd)
\nChatGPT Token counter \u2013 ChatGPT Mods (ID: hfdpdgblphooommgcjdnnmhpglleaafj)
\nChatGPT Prompt Manager, Folder, Library, Auto Send \u2013 ChatGPT Mods (ID: ioaeacncbhpmlkediaagefiegegknglc)
\nChatGPT Mods \u2013 Folder Voice Download & More Free Tools (ID: jhohjhmbiakpgedidneeloaoloadlbdj)<\/p>\n

With artificial intelligence (AI)-related extensions becoming increasingly common in enterprise workflows, the development highlights an emerging attack surface where threat actors weaponize the trust associated with popular AI brands to deceive users into installing them.
\nBecause such tools often require elevated execution context within the browser and have access to sensitive data, seemingly harmless extensions can become a lucrative attack vector, permitting adversaries to obtain persistent access without the need for exploiting security flaws or resorting to other methods that may trigger security alarms.<\/p>\n

“Possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata,” security researcher Natalie Zargarov said. “As a result, attackers can replicate the users’ access credentials to ChatGPT and impersonate them, allowing them to access all of the user’s ChatGPT conversations, data, or code.”
\nBrowsers Become a Lucrative Attack Vector
\nThe findings also coincide with the emergence of a new malware-as-a-service toolkit called Stanley that’s being peddled on a Russian cybercrime forum for between $2,000 and $6,000, and allows crooks to generate malicious Chrome browser extensions that can be used to serve phishing pages within an HTML iframe element while still showing the legitimate URL in the address bar.
\nCustomers of the tool gain access to a C2 panel for managing victims, configuring spoofed redirects, and sending fake browser notifications. Those who are willing to spend $6,000 get a guarantee that any extension they create using the kit will pass Google’s vetting process for the Chrome Web Store.
\nThese extensions take the form of innocuous note-taking utilities to fly under the radar. But their malicious behavior is activated when the user navigates to a website of interest to the attacker, such as a bank, at which point a full-screen iframe containing the phishing page is overlaid, while leaving the browser’s URL bar intact. This visual deception creates a defensive blind spot that can dupe even vigilant users into entering their credentials or sensitive information on the page.
\nAs of January 27, 2025, the service appears to have vanished \u2013 likely prompted by the public disclosure \u2013 but it’s very much possible that it can resurface under a different name in the future.
\n“Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley noted earlier this week. “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint. Attackers have noticed. Malicious browser extensions are now a primary attack vector.”<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access https:\/\/thehackernews.com\/2026\/01\/researchers-uncover-chrome-extensions.html Publish Date: 2026-01-30…<\/p>\n","protected":false},"author":1,"featured_media":183009,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4xLoFpuzf6DbHF4Fy9WnEv4INmkiXkLiWxb9Pc7eqWDphv3Wcp57B38zLriR2xberjGDP_Xll60j1q8KmqpFTu9yfBIuyWilyHA97sm4-2CD_yqTOJubfYUKDp_-gkGHS-f-tcZYMk4N3sjwNzcy3GomBw-yVigT-MqY3J77PiGLVQyGK8JKHla5vykAd\/s1700-e365\/chrome.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24,32,25,27],"class_list":["post-183008","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity","tag-malware","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183008"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=183008"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183008\/revisions"}],"predecessor-version":[{"id":183010,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183008\/revisions\/183010"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/183009"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=183008"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=183008"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=183008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}