Malicious Google Chrome extensions with the ability to steal data, collect OpenAI ChatGPT authentication tokens, and hijack affiliate links have been found by cybersecurity researchers This article explores ad blocking affiliate. . One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome Web Store by a publisher named "10Xprofit" on January 19, 2026. "The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer's affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators," Socket security researcher Kush Pandya said. Further analysis has determined that Amazon Ads Blocker is part of a larger cluster of 29 browser add-ons that target several e-commerce platforms like AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. "This mismatch between disclosure and implementation creates false consent." "The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions." Additionally, it has been discovered that the identified extensions scrape product data and exfiltrate it to "app.10xprofit[.]io," with those targeting AliExpress serving fake "LIMITED TIME DEAL" countdown timers on product pages to trick users into making purchases in order to earn commissions on affiliate links. "Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don't match the actual code behavior," Socket said. Good Tab (ID: glckmpfajbjppappjlnhhlofhdhlcgaj), which grants full clipboard permissions to an external domain ("api.office123456[.]com") to enable remote clipboard-read and clipboard-write permissions, is one of four extensions that Broadcom-owned Symantec has identified as having a combined user base exceeding 100,000 and being intended to steal data. Children Protection (ID: giecgobdmgdamgffeoankaipjkdjbfep), which implements functionality to harvest cookies, inject ads, and execute arbitrary JavaScript by contacting a remote server DPS Websafe (ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg), which changes the default search to one under their control to capture search terms entered by users and potentially route them to malicious websites A years-old cross-site (XSS) vulnerability in the Stockdio Historical Chart WordPress plugin (CVE-2020-28707, CVSS score: 6.1) affects Stock Informer (ID: beifiidafjobphnbhbbgmgnndjolfcho) and could enable a remote attacker to execute JavaScript code "While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources," researchers Yuanjing Guo and Tommy Dong said. A network of 16 add-ons (15 on the Chrome Web Store and one on the Microsoft Edge Add-ons marketplace) that are intended to intercept and steal ChatGPT authentication tokens by injecting a content script into chatgpt[.]com completes the list of malicious extensions. According to LayerX, the extensions were downloaded approximately 900 times in total. Seemingly innocuous extensions can turn into a profitable attack vector because these tools frequently require elevated execution context within the browser and have access to sensitive data. This allows adversaries to gain persistent access without having to take advantage of security flaws or use other techniques that might cause security alarms. According to security researcher Natalie Zargarov, "possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata." Because of this, "attackers can replicate the users' ChatGPT access credentials and impersonate them, allowing them to access all of the user's ChatGPT conversations, data, or code." ### Browsers Turn Into a Profitable Attack The vector The results also align with the introduction of a new malware-as-a-service toolkit called Stanley, which is being sold for between $2,000 and $6,000 on a Russian cybercrime forum. This toolkit enables hackers to create malicious Chrome browser extensions that can be used to serve phishing pages inside an HTML iframe element while displaying the correct URL in the address bar. A C2 panel for managing victims, setting up spoof redirects, and sending fictitious browser notifications is available to tool users. A guarantee that any extension made with the kit will pass Google's screening process for the Chrome Web Store is offered to those who are prepared to spend $6,000.