Malicious Chrome extensions hijack affiliate links and steal ChatGPT tokens

Malware Activity
H score 44
1 unique source, 1 article

Summary

A cluster of malicious Google Chrome extensions is being used to hijack affiliate links, scrape product data, and steal OpenAI ChatGPT authentication tokens, creating a browser-based access and monetization risk. The scope includes 29 e-commerce add-ons distributed through the Chrome Web Store and a separate set of ChatGPT-themed extensions. The activity also routes scraped data to app.10xprofit[.]io and uses browser trust to persist inside everyday workflows.

Related Happenings

Chrome extension PUP distribution network with fake organic traffic

Malware Activity
H score 18 · First: 15.06.2026 14:07 · Last: 15.06.2026 14:07 · Sources: 1

About this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...

Openew[.]app cloaked malware download portal

Malware Activity
H score 26 · First: 29.05.2026 21:21 · Last: 29.05.2026 21:21 · Sources: 1

About this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
H score 38 · First: 14.04.2026 23:33 · Last: 14.04.2026 23:33 · Sources: 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score 11 · First: 14.04.2026 11:35 · Last: 14.04.2026 11:35 · Sources: 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
H score 29 · First: 18.03.2026 16:15 · Last: 18.03.2026 16:15 · Sources: 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

Timeline

  1. 30.01.2026 15:42 · 2 articles · 4mo ago

    Researchers disclose Chrome extensions that hijack affiliate links and steal ChatGPT tokens

    Initial Disclosure

    On January 30, 2026, researchers disclosed malicious Google Chrome extensions that hijack affiliate links, scrape product data, and collect OpenAI ChatGPT authentication tokens. The findings covered a 29-extension e-commerce cluster led by Amazon Ads Blocker, which injects the developer tag '10xprofit-20' into Amazon product links, replaces existing affiliate codes, and exfiltrates product data to app.10xprofit[.]io, as well as a separate 16-add-on 'ChatGPT Mods' campaign that injects content scripts into chatgpt[.]com to steal authentication tokens.