“Save image as Type,” a popular Chrome extension featured by Google and with over one million downloads, silently changed ownership and was updated with malicious code to steal affiliate commissions from hundreds of merchants, XDA reports.
Legitimate affiliates might not be getting their honestly earned commissions due to malicious Chrome extensions overwriting cookies.
Google has flagged the “Save image as Type” extension, disabling it for over a million users. The landing page on the Chrome Web Store currently says “this item is not available.”
Initially, the simple tool offered the option to save images in a different format than the original: PNG, JPG, or WebP.
Adam Conway, Lead Technical Editor at XDA, who was a user of the extension, discovered that in 2025, it was covertly updated with malicious code.
“What I found was an affiliate fraud operation that had been running on my browser for months, injecting hidden iframes into practically every page I visited to stuff affiliate cookies from over a thousand different merchants,” Conway said.
According to the author, the code was cleverly disguised to evade detection and only activated after the user had saved at least 10 images. The malicious extension kept hidden iframes for 8.5 seconds, then removed them, and also avoided running on developer-oriented pages, where it could be more easily detected.
Conway found nearly 600 unique affiliate redirect URLs saved on the computer, all pointing to an affiliate redirect service called karmanow.
“After what I've seen in this extension's code, I'll personally be a lot more skeptical of utility extensions in general going forward,” the editor said.
This extension isn’t an isolated case. Security researcher Wladimir Palant previously detailed a broader campaign of malicious Chrome extensions performing affiliate fraud, linking 12 compromised extensions to Israeli company Karma Shopping Ltd.
While overwriting cookies may not seem like a big threat, it can be used to track browsing and shopping habits and hurt legitimate reviewers, bloggers, creators, and other small affiliates who depend on honest commissions. Similar deceptive practices were employed by legitimate extensions.
However, extensions can also be updated with any other malicious code to deliver far more damaging payloads, which, if undetected, might lead to a complete system compromise.
Researchers have demonstrated that extensions with no additional permissions can modify all downloaded files to append commands that deliver malware.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked