
Amazon Ads Blocker Extension Exposed as Affiliate Hijacking and Data-Stealing Malware


Cybersecurity researchers have uncovered malicious Google Chrome extensions that actively hijack affiliate links, steal user data, and collect OpenAI ChatGPT authentication tokens.

Malicious Chrome Extension Poses as Amazon Ad Blocker

One of the extensions involved, Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), presents itself as a tool that allows users to browse Amazon without sponsored content. The publisher, operating under the name “10Xprofit,” uploaded the extension to the Chrome Web Store on January 19, 2026.

“The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” Socket security researcher Kush Pandya said.

Further analysis revealed that Amazon Ads Blocker operates as part of a broader cluster of 29 browser extensions that target major e-commerce platforms, including AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The full list includes:

  • AliExpress Invoice Generator (FREE) – AliInvoice™️ (10+ Templates) (ID: mabbblhhnmlckjbfppkopnccllieeocp)
  • AliExpress Price Tracker – Price History & Alerts (ID: loiofaagnefbonjdjklhacdhfkolcfgi)
  • AliExpress Quick Currency & Price Converter (ID: mcaglpclodnaiimhicpjemhcinjfnjce)
  • AliExpress Deals Countdown – Flash Sale Timer (ID: jmlgkeaofknfmnbpmlmadnfnfajdlehn)
  • 10Xprofit – Amazon Seller Tools (FBA & FBM) (ID: ahlnchhkedmjbdocaamkbmhppnligmoh)
  • Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj)
  • Amazon ASIN Lookup 10xprofit (ID: ljcgnobemekghgobhlplpehijemdgcgo)
  • Amazon Search Suggestion (ID: dnmfcojgjchpjcmjgpgonmhccibjopnb)
  • Amazon Product Scraper 10xprofit (ID: mnacfoefejolpobogooghoclppjcgfcm)
  • Amazon Quick Brand Search (ID: nigamacoibifjohkmepefofohfedblgg)
  • Amazon Stock Checker 999 (ID: johobikccpnmifjjpephegmfpipfbfme)
  • Amazon Price History Saver (ID: kppfbknppimnoociaomjcdgkebdmenkh)
  • Amazon ASIN Copy (ID: aohfjaadlbiifnnajpobdhokecjokhab)
  • Amazon Keyword Cloud Generator (ID: gfdbbmngalhmegpkejhidhgdpmehlmnd)
  • Amazon Image Downloader (ID: cpcojeeblggnjjgnpiicndnahfhjdobd)
  • Amazon Negative Review Hider (ID: hkkkipfcdagiocekjdhobgmlkhejjfoj)
  • Amazon Listing Score Checker (ID: jaojpdijbaolkhkifpgbjnhfbmckoojh)
  • Amazon Keyword Density Searcher (ID: ekomkpgkmieaaekmaldmaljljahehkoi)
  • Amazon Sticky Notes (ID: hkhmodcdjhcidbcncgmnknjppphcpgmh)
  • Amazon Result Numbering (ID: nipfdfkjnidadibpbflijepbllfkokac)
  • Amazon Profit Calculator Lite (ID: behckapcoohededfbgjgkgefgkpodeho)
  • Amazon Weight Converter (ID: dfnannaibdndmkienngjahldiofjbkmj)
  • Amazon BSR Fast View (ID: nhilffccdbcjcnoopblecppbhalagpaf)
  • Amazon Character Count & Seller Tools (ID: goikoilmhcgfidolicnbgggdpckdcoam)
  • Amazon Global Price Checker (ID: mjcgfimemamogfmekphcfdehfkkbmldn)
  • BestBuy Search By Image (ID: nppjmiadmakeigiagilkfffplihgjlec)
  • SHEIN Search By Image (ID: mpgaodghdhmeljgogbeagpbhgdbfofgb)
  • Shopify Search By Image (ID: gjlbbcimkbncedhofeknicfkhgaocohl)
  • Walmart Search By Image (ID: mcaihdkeijgfhnlfcdehniplmaapadgb)

Affiliate Hijacking Happens Automatically and Silently

While Amazon Ads Blocker delivers the advertised ad-blocking functionality, it simultaneously embeds malicious code that scans all Amazon product URL patterns for affiliate tags—without requiring any user interaction. The extension then replaces any detected tag with “10xprofit-20” (or “_c3pFXV63” on AliExpress). When no affiliate tag exists, the extension appends the attacker’s tag to the URL.

Meanwhile, Socket observed that the extension’s Chrome Web Store listing makes misleading disclosures by claiming that developers earn a “small commission” only when users apply coupon codes during purchases.

Affiliate links play a major role across social media platforms and websites by embedding a unique ID into URLs to track traffic and sales. When users click these links and complete purchases, affiliates earn a percentage of the sale.

However, because these extensions actively search for and replace existing affiliate tags, content creators who share Amazon product links lose commissions whenever users with the add-on installed click those links.
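The behaviour described above, a content script that rewrites the `tag` query parameter of Amazon product links, can be caught from the page side by comparing each link's served `href` with what the DOM holds after extensions have run. The following is an added example written for this article, not code from Socket or from the extensions discussed. It relies on the fact that Amazon Associates carries the affiliate ID in the `tag` parameter; the host regex covers only a handful of Amazon marketplaces and is an assumption, and the AliExpress tag `_c3pFXV63` is left out because the article does not name the parameter it is written into. The link pairs are constructed samples.

```javascript
// Added example: audit Amazon product links for affiliate-tag tampering.
// Amazon Associates passes the affiliate ID in the `tag` query parameter.
// "original" is the href the page served; "current" is the href in the DOM
// after extensions have run. The sample pairs below are constructed.

// Assumption: a partial list of Amazon marketplace hosts.
const AMAZON_HOSTS = /(^|\.)amazon\.(com|co\.uk|de|ca|fr|it|es|co\.jp)$/i;

// Return the affiliate tag of an Amazon URL, null if absent or not Amazon.
function affiliateTag(href) {
  let url;
  try { url = new URL(href); } catch { return null; }
  if (!AMAZON_HOSTS.test(url.hostname)) return null;
  return url.searchParams.get('tag');
}

// Classify how the tag changed between the served and the current href.
function classifyChange(originalHref, currentHref) {
  const before = affiliateTag(originalHref);
  const after = affiliateTag(currentHref);
  if (before === after) return { kind: 'unchanged', before, after };
  if (before === null) return { kind: 'appended', before, after };
  if (after === null) return { kind: 'stripped', before, after };
  return { kind: 'replaced', before, after };
}

// Run the comparison over many links; suspiciousTags marks known-bad IDs.
function auditLinks(pairs, suspiciousTags = []) {
  const findings = [];
  for (const { original, current } of pairs) {
    const change = classifyChange(original, current);
    if (change.kind === 'unchanged') continue;
    findings.push({
      original, current, ...change,
      knownBad: suspiciousTags.includes(change.after),
    });
  }
  return findings;
}

// Constructed sample: one replaced tag, one appended tag, two untouched links.
const SAMPLE_LINKS = [
  { original: 'https://www.amazon.com/dp/B000EXAMPLE?tag=creator-20',
    current:  'https://www.amazon.com/dp/B000EXAMPLE?tag=10xprofit-20' },
  { original: 'https://www.amazon.com/dp/B000EXAMPLE',
    current:  'https://www.amazon.com/dp/B000EXAMPLE?tag=10xprofit-20' },
  { original: 'https://www.amazon.com/dp/B000EXAMPLE?tag=creator-20',
    current:  'https://www.amazon.com/dp/B000EXAMPLE?tag=creator-20' },
  { original: 'https://example.org/review', current: 'https://example.org/review' },
];

// Browser use only (skipped under Node): snapshot hrefs at load, then re-check
// on href mutations and on click so a late rewrite by a content script shows up.
function installDomAuditor(onFinding, suspiciousTags = ['10xprofit-20']) {
  if (typeof document === 'undefined') return false;
  const snapshot = new Map();
  for (const a of document.querySelectorAll('a[href]')) snapshot.set(a, a.href);
  const check = () => {
    for (const [a, original] of snapshot) {
      const hits = auditLinks([{ original, current: a.href }], suspiciousTags);
      if (hits.length) onFinding(hits[0]);
    }
  };
  new MutationObserver(check).observe(document.body,
    { subtree: true, attributes: true, attributeFilter: ['href'] });
  document.addEventListener('click', check, true);
  return true;
}

console.log(auditLinks(SAMPLE_LINKS, ['10xprofit-20']));
```

Running the file under Node prints two findings: the first pair is reported as `replaced` with `knownBad: true`, the second as `appended`. In a browser, `installDomAuditor(console.warn)` would report the same classes of change as they happen; the snapshot is taken before extensions' content scripts run at `document_idle`, which is why the comparison sees the original tags.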

Chrome Web Store Policy Violations Confirmed

This behavior violates Chrome Web Store policies, which require extensions that use affiliate links to clearly disclose their functionality, obtain explicit user action before each injection, and refrain from replacing existing affiliate codes.

“The disclosure describes a coupon/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification,” Pandya explained. “This mismatch between disclosure and implementation creates false consent.”

“The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.”

In addition to affiliate abuse, the identified extensions scrape product data and exfiltrate it to “app.10xprofit[.]io.” Extensions targeting AliExpress also display fake “LIMITED TIME DEAL” countdown timers on product pages to manufacture urgency and pressure users into making purchases that generate affiliate revenue.

“Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don’t match the actual code behavior,” Socket said.

At the same time, Broadcom-owned Symantec flagged four additional Chrome extensions with a combined user base exceeding 100,000 users that actively steal data:

  • Good Tab (ID: glckmpfajbjppappjlnhhlofhdhlcgaj), which grants clipboard read and write access to an external domain (“api.office123456[.]com”), allowing the clipboard to be read and written remotely
  • Children Protection (ID: giecgobdmgdamgffeoankaipjkdjbfep), which implements functionality to harvest cookies, inject ads, and execute arbitrary JavaScript fetched from a remote server
  • DPS Websafe (ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg), which changes the default search engine to one under the operators’ control in order to capture search terms entered by users and potentially route them to malicious websites
  • Stock Informer (ID: beifiidafjobphnbhbbgmgnndjolfcho), which is susceptible to a years-old cross-site scripting (XSS) vulnerability in the Stockdio Historical Chart WordPress plugin (CVE-2020-28707, CVSS score: 6.1) that could allow a remote attacker to execute JavaScript code

“While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources,” researchers Yuanjing Guo and Tommy Dong said.

ChatGPT Token-Stealing Extensions Exposed

Rounding out the findings, researchers uncovered another network of 16 browser extensions—15 on the Chrome Web Store and one on the Microsoft Edge Add-ons marketplace—that intercept and steal ChatGPT authentication tokens by injecting malicious content scripts into chatgpt[.]com. According to LayerX, users downloaded these extensions roughly 900 times.

Researchers linked the extensions to a coordinated campaign based on shared source code, icons, branding, and descriptions:

  • ChatGPT folder, voice download, prompt manager, free tools – ChatGPT Mods (ID: lmiigijnefpkjcenfbinhdpafehaddag)
  • ChatGPT voice download, TTS download – ChatGPT Mods (ID: obdobankihdfckkbfnoglefmdgmblcld)
  • ChatGPT pin chat, bookmark – ChatGPT Mods (ID: kefnabicobeigajdngijnnjmljehknjl)
  • ChatGPT message navigator, history scroller – ChatGPT Mods (ID: ifjimhnbnbniiiaihphlclkpfikcdkab)
  • ChatGPT model switch, save advanced model uses – ChatGPT Mods (ID: pfgbcfaiglkcoclichlojeaklcfboieh)
  • ChatGPT export, Markdown, JSON, images – ChatGPT Mods (ID: hljdedgemmmkdalbnmnpoimdedckdkhm)
  • ChatGPT Timestamp Display – ChatGPT Mods (ID: afjenpabhpfodjpncbiiahbknnghabdc)
  • ChatGPT bulk delete, Chat manager – ChatGPT Mods (ID: gbcgjnbccjojicobfimcnfjddhpphaod)
  • ChatGPT search history, locate specific messages – ChatGPT Mods (ID: ipjgfhcjeckaibnohigmbcaonfcjepmb)
  • ChatGPT prompt optimization – ChatGPT Mods (ID: mmjmcfaejolfbenlplfoihnobnggljij)
  • Collapsed message – ChatGPT Mods (ID: lechagcebaneoafonkbfkljmbmaaoaec)
  • Multi-Profile Management & Switching – ChatGPT Mods (ID: nhnfaiiobkpbenbbiblmgncgokeknnno)
  • Search with ChatGPT – ChatGPT Mods (ID: hpcejjllhbalkcmdikecfngkepppoknd)
  • ChatGPT Token counter – ChatGPT Mods (ID: hfdpdgblphooommgcjdnnmhpglleaafj)
  • ChatGPT Prompt Manager, Folder, Library, Auto Send – ChatGPT Mods (ID: ioaeacncbhpmlkediaagefiegegknglc)
  • ChatGPT Mods – Folder Voice Download & More Free Tools (ID: jhohjhmbiakpgedidneeloaoloadlbdj)

AI Extensions Expand the Browser Attack Surface

As AI-related extensions become more common in enterprise workflows, threat actors increasingly weaponize the trust associated with popular AI brands to lure users into installing malicious tools.

Because these extensions often require elevated browser permissions and access to sensitive data, attackers can gain persistent access without exploiting traditional vulnerabilities or triggering security alerts.

“Possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata,” security researcher Natalie Zargarov said. “As a result, attackers can replicate the users’ access credentials to ChatGPT and impersonate them, allowing them to access all of the user’s ChatGPT conversations, data, or code.”
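Both the Symantec findings (clipboard and cookie access handed to a remote domain) and the ChatGPT campaign (content scripts injected into chatgpt[.]com) leave traces in an extension's `manifest.json` before any code is read. The following is an added example of static manifest triage, written for this article and not taken from any of the vendors or extensions it describes. The permission list and the set of sensitive hosts are choices of this example, not an official taxonomy; the two manifests are constructed samples.

```javascript
// Added example: static triage of a Chrome (MV3) extension manifest for the
// traits the article describes: content scripts aimed at a sensitive site such
// as chatgpt.com, clipboard/cookie/scripting permissions, and blanket host
// access. The manifests below are constructed samples.

// Assumption: permissions this triage treats as high-risk for a utility extension.
const RISKY_PERMISSIONS = new Set([
  'cookies', 'clipboardRead', 'clipboardWrite', 'webRequest',
  'declarativeNetRequest', 'scripting', 'tabs', 'history', 'nativeMessaging',
]);

// Assumption: hosts where a content script deserves a second look.
const DEFAULT_SENSITIVE_HOSTS = ['chatgpt.com', 'amazon.com', 'aliexpress.com'];

// Extract the host part of a match pattern; '*' means every site.
function patternHost(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^[^:]+:\/\/([^/]+)/.exec(pattern);
  return m ? m[1].toLowerCase() : null;
}

// Does a pattern host (possibly '*.example.com') cover the sensitive host?
function hostMatches(host, sensitive) {
  if (!host) return false;
  const bare = host.replace(/^\*\./, '');
  return bare === sensitive || bare.endsWith('.' + sensitive);
}

// Return a list of { code, detail } findings for one parsed manifest object.
function auditManifest(manifest, sensitiveHosts = DEFAULT_SENSITIVE_HOSTS) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    if (RISKY_PERMISSIONS.has(p)) findings.push({ code: 'RISKY_PERMISSION', detail: p });
  }
  // Host access comes from host_permissions and from content_scripts[].matches.
  const hostPatterns = [...(manifest.host_permissions || [])];
  for (const cs of manifest.content_scripts || []) hostPatterns.push(...(cs.matches || []));
  for (const pat of hostPatterns) {
    const host = patternHost(pat);
    if (host === '*') { findings.push({ code: 'ALL_HOSTS', detail: pat }); continue; }
    for (const s of sensitiveHosts) {
      if (hostMatches(host, s)) findings.push({ code: 'SENSITIVE_HOST', detail: pat });
    }
  }
  return findings;
}

// Constructed sample: a note-taking extension that needs only local storage.
const NOTES_MANIFEST = {
  manifest_version: 3, name: 'Plain Notes (constructed sample)',
  permissions: ['storage'], host_permissions: [], content_scripts: [],
};

// Constructed sample: a "ChatGPT helper" that also wants cookies, the clipboard,
// script injection and every host, with a content script on chatgpt.com.
const SUSPECT_MANIFEST = {
  manifest_version: 3, name: 'Chat helper (constructed sample)',
  permissions: ['storage', 'cookies', 'clipboardRead', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['https://chatgpt.com/*'], js: ['inject.js'], run_at: 'document_start' }],
};

console.log('notes:', auditManifest(NOTES_MANIFEST));
console.log('suspect:', auditManifest(SUSPECT_MANIFEST));
```

The benign manifest yields no findings; the suspect one yields three `RISKY_PERMISSION` entries, one `ALL_HOSTS` and one `SENSITIVE_HOST`. A finding is a prompt to read the code that runs on that host, not a verdict: a legitimate ChatGPT add-on also needs a content script on chatgpt.com, and the difference between it and the campaign above lies in what that script does with the session token.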

Stanley Malware Toolkit Lowers the Barrier to Entry

The disclosure also coincides with the emergence of Stanley, a malware-as-a-service toolkit advertised on a Russian cybercrime forum for prices ranging from $2,000 to $6,000. The toolkit allows attackers to generate malicious Chrome extensions capable of serving phishing pages inside HTML iframes while preserving legitimate URLs in the browser address bar.

Customers gain access to a command-and-control panel that enables victim management, spoofed redirect configuration, and fake browser notification delivery. At the $6,000 tier, the sellers even guarantee Chrome Web Store approval.

These extensions typically disguise themselves as benign note-taking tools. However, once users navigate to attacker-specified targets—such as banking websites—the extension overlays a full-screen phishing iframe while leaving the address bar unchanged. This technique creates a dangerous visual illusion that can deceive even security-conscious users.

As of January 27, 2026, the service appears to have disappeared, likely following public disclosure. Nevertheless, researchers warn that it could re-emerge under a different name.

“Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley said earlier this week. “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint. Attackers have noticed. Malicious browser extensions are now a primary attack vector.”



Source: TheHackerNews

Read more at Impreza News
