Affiliate-hijacking shopping extensions and ChatGPT token theft: three clusters in one wave

Reporting bundled Socket’s 10Xprofit e-commerce cluster, Symantec’s clipboard and search hijackers, and LayerX’s ChatGPT Mods token grabbers—plus context on store policy and AI-themed risk.

eSafe Team | Published Jan 30, 2026 | Last reviewed Apr 1, 2026 | 8 min read

A single industry roundup tied together several extension problems observed around early 2026: affiliate fraud on shopping sites, classic stealer-style add-ons, and ChatGPT session token interception. Treating them separately helps—you can have one bad extension without the others—but they share one theme: the browser is the delivery channel, and trust in the store listing is often misplaced.

Cluster 1: “Helpful” shopping tools that rewrite affiliate links

Socket researcher Kush Pandya highlighted Amazon Ads Blocker (publisher 10Xprofit) as an example that did block ads but also silently rewrote Amazon (and related) product URLs to inject or replace affiliate tags (e.g. 10xprofit-20 on Amazon and a separate tag pattern on AliExpress) without per-click consent.

The same research associated roughly 29 storefront listings across Amazon, AliExpress, Best Buy, Shein, Shopify, Walmart, and similar—often seller utilities, scrapers, or search-by-image helpers. Coverage noted product data sent to app.10xprofit.io and pressure tactics such as bogus “limited time” countdowns on some AliExpress pages.

Policy angle: Chrome Web Store rules expect clear disclosure, user action before affiliate changes, and no replacing someone else’s existing affiliate code. Socket argued the listing text (coupon / deal framing) did not match what the code did—automatic injection from an ad blocker—which also strains single-purpose expectations.

Cluster 2: Symantec’s four high-install “utility” extensions

Symantec (Yuanjing Guo, Tommy Dong) flagged four add-ons with a combined six-figure user count, including behaviors such as clipboard exfiltration to a remote domain, cookie theft and arbitrary script from a server, search hijacking, and a known XSS class issue in a chart widget path. The through-line is remote control of sensitive browser surfaces—not affiliate tricks.

Cluster 3: “ChatGPT Mods” and session tokens

LayerX described about 16 ChatGPT-themed extensions (mostly Chrome, one Edge) with ~900 total downloads—shared code, icons, and copy—that injected into chatgpt.com to capture authentication tokens. Researcher Natalie Zargarov explained that valid tokens can approximate full account access to chats and metadata, enabling impersonation without guessing a password.

Sidebar: “Stanley” and store evasion claims

The same article mentioned a malware-as-a-service kit (Stanley) marketed to build store-passing malicious extensions with iframe overlay phishing on sensitive sites. Reporting noted the public storefront for the service disappeared after disclosure—tactics may rebrand, but the pattern (benign shell, conditional evil) is the lesson.

What to do

  • Remove shopping helpers that modify links unless you read the privacy policy and affiliate disclosure and they match behavior.
  • Avoid unofficial “ChatGPT enhancer” packs from unknown publishers; prefer OpenAI’s own surfaces or documented integrations.
  • Audit clipboard, search, and “new tab” extensions aggressively—they are high blast radius.
  • Enterprise: treat browser extensions as endpoint scope in allow lists and telemetry.

Practical next step

Search chrome://extensions for Amazon, ChatGPT, coupon, or clipboard—uninstall what you cannot tie to a named vendor. eSafe can help you see permissions and risk signals in one place.
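
The same audit can be run offline against the manifest.json files in a Chrome profile's Extensions folder. The script below is an added example, not code from eSafe or from the researchers cited here; the watched hosts, the choice of flagged permissions, and the sample manifests are assumptions constructed for illustration, and a finding is a prompt for review rather than a verdict.

```python
import json
from pathlib import Path

# Hosts taken from the article's clusters; extend the tuple for your own estate.
WATCHED_HOSTS = ("chatgpt.com", "www.amazon.com", "www.aliexpress.com")

def pattern_covers(pattern, host):
    """True if a Chrome match pattern (scheme://host/path) applies to host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # plain API permission such as "storage"
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json (MV2 or MV3)."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    findings = {f"api:{p}" for p in perms if p in ("clipboardRead", "cookies")}
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.add("override:search")
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.add("override:newtab")
    # Host access: MV3 host_permissions, MV2 host patterns, content-script matches
    patterns = list(manifest.get("host_permissions", [])) + perms
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    findings |= {f"host:{h}" for h in WATCHED_HOSTS
                 if any(pattern_covers(p, h) for p in patterns)}
    return sorted(findings)

def audit_profile(extensions_dir):
    """Audit each <id>/<version>/manifest.json under a profile's Extensions folder."""
    return {m.parent.parent.name: audit_manifest(json.loads(m.read_text("utf-8-sig")))
            for m in Path(extensions_dir).glob("*/*/manifest.json")}

# Constructed manifests for illustration; not copied from any real extension.
SAMPLES = {
    "shopping-helper": {"permissions": ["storage"], "content_scripts": [
        {"matches": ["*://*.amazon.com/*", "*://*.aliexpress.com/*"]}]},
    "chat-mod": {"host_permissions": ["https://chatgpt.com/*"]},
    "clip-tool": {"permissions": ["clipboardRead", "cookies", "<all_urls>"],
                  "chrome_url_overrides": {"newtab": "tab.html"}},
    "notes": {"permissions": ["storage"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, audit_manifest(manifest))
```

Point `audit_profile` at the Extensions directory of the profile you want to review; the keys of the result are extension IDs, which you can match against chrome://extensions.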

Report: The Hacker News.

FAQ

Are shopping, clipboard, and AI token issues the same malware family?
Not necessarily. Roundups group them because they share the browser as delivery channel and because policy and user education overlap; each cluster still needs its own indicators and response.

Why do attackers target ChatGPT tokens in the browser?
Session tokens can grant continued access to an account without re-entering a password until they expire or are revoked, which is attractive for account takeover at scale.

What is a practical user habit that reduces all three risks?
Keep the extension inventory minimal, remove anything unused, avoid pasting secrets into the browser unnecessarily, and review clipboard-aware or search-modifying add-ons with extra scrutiny.
