Malware News Chrome Extension "Save Image as Type" Was Hijacked, Putting Over 1 Million Users at Risk

lokamoka820

Google has taken down the Chrome extension "Save Image as Type" after security researchers uncovered it had been hijacked and altered to redirect user traffic for affiliate commission fraud. The extension had over a million users when it was removed.

The compromise was carried out by a group called Karma, which reportedly acquired the extension from its original developer sometime between November 13 and November 29, 2025, according to XDA Developers. By the end of November, new code had been inserted to intercept purchases made through retailers such as Amazon, Adidas, and Shein, enabling the attackers to collect affiliate commissions from transactions made by affected users.
 
This is a good example of why extension trust can change over time, even if an add-on looked harmless before.

In cases like this, the main issue is not traditional malware behavior in the narrow sense, but abuse of browser permissions and user trust after a change in ownership or codebase.

What reportedly happened

  • The extension was apparently acquired by a different party
  • Its code was then changed to interfere with shopping-related traffic
  • That allowed affiliate attribution to be redirected so the operators could earn commission from user purchases
  • Google later removed the extension from the Chrome Web Store

If those reports are accurate, that would fit the pattern of a supply-chain style compromise affecting a browser extension, or at minimum a malicious repurposing after transfer of ownership.

Why this matters

Browser extensions can be risky because they often have broad access, including:

  • Reading and changing data on websites
  • Monitoring browsing activity on certain domains
  • Injecting or modifying page content
  • Updating automatically without the user reviewing every code change

That means an extension with a clean history can become untrustworthy later if:

  • The developer account is compromised
  • The project is sold
  • A new update introduces abusive code
  • Permissions expand quietly over time

Practical takeaway for users

  • Remove extensions you do not actively need
  • Review extension permissions regularly in Chrome
  • Be cautious with extensions that request access to all websites
  • Pay attention to ownership changes, sudden review spikes, or unusual update behavior
  • If an extension is removed from the store for abuse concerns, uninstalling it is the safest step

Good security hygiene after using a removed extension

  • Uninstall the extension
  • Clear browser data related to the affected shopping sessions if you are concerned about tracking
  • Check for any other unfamiliar extensions
  • Run a scan with a reputable security product for general reassurance
  • Change passwords only if there is evidence the extension had access to credentials or account sessions; affiliate fraud alone does not automatically mean password theft

Broader lesson

The bigger lesson is that popularity is not a security guarantee. An extension with a million users can still become abusive if control changes hands or updates are not scrutinized carefully.

For most users, the safest approach is to keep the extension list as small as possible and treat every browser add-on as software that deserves the same caution as any installed program.
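An added example, not part of the posts above and not code from the removed extension: one way to check whether an update expanded an extension's permissions or gave it access to all websites, by comparing the manifest.json of two versions. The two sample manifests and the `SENSITIVE` shortlist are constructed assumptions for illustration.

```python
import json

# Match patterns that grant access to every site (Chrome match-pattern syntax).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed shortlist of API permissions that can observe or rewrite browsing.
SENSITIVE = {"webRequest", "declarativeNetRequest", "tabs", "cookies",
             "scripting", "webNavigation"}

def grants(manifest):
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest dict."""
    apis, hosts = set(), set()
    for p in manifest.get("permissions", []):
        # MV2 mixes host patterns into "permissions"; MV3 separates them.
        (hosts if "://" in p or p == "<all_urls>" else apis).add(p)
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return apis, hosts

def audit_update(old, new):
    """Compare two versions of one extension and report what the update added."""
    old_apis, old_hosts = grants(old)
    new_apis, new_hosts = grants(new)
    added_apis = new_apis - old_apis
    added_hosts = new_hosts - old_hosts
    return {
        "added_apis": sorted(added_apis),
        "added_hosts": sorted(added_hosts),
        "new_sensitive_apis": sorted(added_apis & SENSITIVE),
        "new_broad_hosts": sorted(added_hosts & BROAD),
        "needs_review": bool(added_apis & SENSITIVE or added_hosts & BROAD),
    }

# Constructed sample manifests (not taken from any real extension).
OLD = json.loads('''{"manifest_version": 3, "version": "1.0.0",
  "permissions": ["contextMenus", "downloads"]}''')
NEW = json.loads('''{"manifest_version": 3, "version": "1.1.0",
  "permissions": ["contextMenus", "downloads", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]}''')

if __name__ == "__main__":
    print(json.dumps(audit_update(OLD, NEW), indent=2))
```

To use it on real data, load the manifest.json of the previously installed version and of the updated version in place of `OLD` and `NEW`.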