Quote:Google has taken down the Chrome extension "Save Image as Type" after security researchers uncovered it had been hijacked and altered to redirect user traffic for affiliate commission fraud. The extension had over a million users when it was removed.

The compromise was carried out by a group called Karma, which reportedly acquired the extension from its original developer sometime between November 13 and November 29, 2025, according to XDA Developers. By the end of November, new code had been inserted to intercept purchases made through retailers such as Amazon, Adidas, and Shein, enabling the attackers to collect affiliate commissions from transactions made by affected users.

What the Malicious Chrome Extension Code Did



The injected code secretly redirected user traffic in the background, without any obvious signs in the browser. This meant that users browsing and buying from supported retail sites had their sessions altered to credit Karma's affiliate accounts.

Despite this malicious activity, the extension continued to function normally as an image conversion tool, making it difficult to detect. Google took down the extension earlier in March 2026, but the harmful version had probably been active for several weeks before it was removed.

Continue Reading...