The Digital Deception: How Malicious Chrome Extensions Hijack Your Links and Data
In an alarming discovery, cybersecurity researchers have unveiled a sophisticated network of Google Chrome extensions designed not just to enhance your browsing experience, but to surreptitiously hijack affiliate links, steal sensitive data, and even pilfer your OpenAI ChatGPT authentication tokens. This elaborate scheme highlights the hidden dangers lurking within seemingly innocuous browser add-ons.
Unmasking the “10Xprofit” Network
At the heart of this digital deception lies a publisher operating under the moniker “10Xprofit.” One prominent example identified by Socket security researcher Kush Pandya is “Amazon Ads Blocker” (ID: pnpchphmplpdimbllknjoiopmfphellj). Uploaded to the Chrome Web Store on January 19, 2026, this extension promises to deliver an ad-free Amazon browsing experience. While it does fulfill this advertised function, its true, nefarious purpose operates in the background.
Pandya revealed, “The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators.” This means that genuine content creators, who rely on affiliate commissions, are unknowingly stripped of their earnings, which are then rerouted to the malicious developer.
A Web of 29 Malicious Add-ons
Further investigation has exposed “Amazon Ads Blocker” as merely one cog in a much larger machine. A sprawling cluster of 29 browser add-ons, all linked to the same malicious operation, targets a wide array of popular e-commerce platforms, including AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. These extensions, masquerading as useful tools like invoice generators, price trackers, and image search utilities, are all engineered to exploit the affiliate marketing ecosystem.
The extensive list of identified extensions includes:
- AliExpress Invoice Generator (FREE) – AliInvoice™️ (10+ Templates)
- AliExpress Price Tracker – Price History & Alerts
- AliExpress Quick Currency & Price Converter
- AliExpress Deals Countdown – Flash Sale Timer
- 10Xprofit – Amazon Seller Tools (FBA & FBM)
- Amazon Ads Blocker
- Amazon ASIN Lookup 10xprofit
- Amazon Search Suggestion
- Amazon Product Scraper 10xprofit
- Amazon Quick Brand Search
- Amazon Stock Checker 999
- Amazon Price History Saver
- Amazon ASIN Copy
- Amazon Keyword Cloud Generator
- Amazon Image Downloader
- Amazon Negative Review Hider
- Amazon Listing Score Checker
- Amazon Keyword Density Searcher
- Amazon Sticky Notes
- Amazon Result Numbering
- Amazon Profit Calculator Lite
- Amazon Weight Converter
- Amazon BSR Fast View
- Amazon Character Count & Seller Tools
- Amazon Global Price Checker
- BestBuy Search By Image
- SHEIN Search By Image
- Shopify Search By Image
- Walmart Search By Image
The Mechanics of Deception: Affiliate Hijacking and Data Exfiltration
The core mechanism behind the affiliate hijacking is deceptively simple yet highly effective. The malicious code embedded within these extensions continuously scans Amazon product URL patterns for any existing affiliate tags. Without requiring any user interaction, it then replaces these legitimate tags with “10xprofit-20” (or “_c3pFXV63” for AliExpress). If a URL lacks an affiliate tag, the attacker’s tag is simply appended, ensuring a commission for every click.
Beyond redirecting commissions, these extensions also engage in more sinister activities. They are programmed to scrape product data and exfiltrate it to a command-and-control server located at “app.10xprofit[.]io.” Furthermore, some AliExpress-focused extensions deploy bogus “LIMITED TIME DEAL” countdown timers on product pages, creating a false sense of urgency to pressure users into hasty purchases.
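The tag replacement and appending described above can be checked for by comparing a link as published with the same link as observed in a browser profile under test. The following is an added example, not code from the article or from Socket's research; the sample URLs, the `creator-20` tag and the `placeholder_param` name are constructed, and the AliExpress check is a plain value match because the article does not name the parameter that carries that tag.

```javascript
// Added example: compares a published link with the observed link and
// reports affiliate-tag changes, flagging the tags named in the article.
const IOC_TAGS = ["10xprofit-20", "_c3pFXV63"]; // values quoted in the article
const AMAZON_HOST = /(^|\.)amazon\.[a-z.]{2,6}$/i;

// Return the first listed tag found in the path or any decoded query value.
function iocIn(u) {
  const parts = [u.pathname, ...u.searchParams.values()];
  return IOC_TAGS.find((t) => parts.some((p) => p.includes(t))) ?? null;
}

function classifyRewrite(before, after) {
  const b = new URL(before), a = new URL(after);
  const ioc = iocIn(b) ? null : iocIn(a); // only count tags that were introduced
  let verdict = "unchanged", from = null, to = null;
  if (AMAZON_HOST.test(a.hostname)) {
    // Amazon Associates IDs travel in the `tag` query parameter.
    from = b.searchParams.get("tag");
    to = a.searchParams.get("tag");
    if (to && !from) verdict = "appended";
    else if (to && from && to !== from) verdict = "replaced";
  }
  if (verdict === "unchanged" && ioc) verdict = "ioc-inserted";
  return { verdict, from, to, ioc };
}

// Constructed sample pairs: [link as published, link as observed].
const SAMPLE_PAIRS = [
  ["https://www.amazon.com/dp/B000000000?tag=creator-20",
   "https://www.amazon.com/dp/B000000000?tag=10xprofit-20"],
  ["https://www.amazon.com/dp/B000000000",
   "https://www.amazon.com/dp/B000000000?tag=10xprofit-20"],
  // Parameter order changed, tag intact: must not be reported.
  ["https://www.amazon.com/dp/B000000000?tag=creator-20&th=1",
   "https://www.amazon.com/dp/B000000000?th=1&tag=creator-20"],
  // `placeholder_param` is hypothetical; only the value comes from the article.
  ["https://www.aliexpress.com/item/1000000000.html",
   "https://www.aliexpress.com/item/1000000000.html?placeholder_param=_c3pFXV63"],
];

// Keep only the pairs where a tag was added, swapped or a listed tag appeared.
function audit(pairs) {
  return pairs
    .map(([before, after]) => ({ after, ...classifyRewrite(before, after) }))
    .filter((r) => r.verdict !== "unchanged");
}

console.log(audit(SAMPLE_PAIRS));
```

A "replaced" verdict with a non-null `from` is the case that costs a content creator a commission; "appended" covers links that carried no tag before.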
Breaching Trust and Policy: Google’s Stance
Socket’s analysis revealed that the extension listings on the Chrome Web Store contained misleading disclosures. Developers falsely claimed to earn a “small commission” only when users actively utilized a coupon code. This stands in stark contrast to the actual, automatic link modification occurring in the background.
Such practices constitute a clear violation of Chrome Web Store policies, which mandate that extensions using affiliate links must:
- Accurately disclose how the program operates.
- Require explicit user action before each affiliate injection.
- Never replace existing, legitimate affiliate codes.
Kush Pandya elaborated on these breaches, stating, “The disclosure describes a coupon/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification. This mismatch between disclosure and implementation creates false consent.” He further added, “The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.”
Protecting Your Digital Footprint
The proliferation of such sophisticated malicious extensions underscores the critical need for vigilance. Users are urged to exercise extreme caution when installing browser add-ons, even those that appear to offer beneficial services. Always scrutinize developer information, review permissions requested by extensions, and be wary of tools that combine multiple, unrelated functionalities. By staying informed and cautious, users can better protect their digital transactions and personal data from these evolving threats.