CYBERSECURITY researchers have uncovered a cluster of malicious Google Chrome extensions designed to hijack affiliate links, siphon data and capture OpenAI ChatGPT authentication tokens. At the centre is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), uploaded by a publisher named “10Xprofit” on 19 January 2026, which quietly injects the developer’s affiliate tag into every Amazon product link and replaces existing codes from content creators.
The extension is part of a larger family of 29 add‑ons targeting Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart, with affiliates being altered or appended where none exist.
The findings note that a network of 16 extensions can intercept ChatGPT tokens by injecting a script into chatgpt[.]com, and that these tools were downloaded about 900 times, according to LayerX; as of 27 January 2025 the Stanley malware‑as‑a‑service kit had vanished from the scene but could reappear later, according to Varonis researcher Daniel Kelley.
Socket security researcher Kush Pandya warned that the disclosure‑driven deception of “coupon/deal” extensions masks ad blocking and affiliate injection, and Natalie Zargarov emphasised that possession of tokens provides account‑level access to ChatGPT, allowing impersonation of users across conversations and data.
The report also highlights Chrome Web Store policy breaches for affiliate disclosures and user action before injections, and it cautions that such extensions, due to their elevated browser context, present a lucrative attack vector for threat actors.