Full Report
Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens. One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which claims to be a tool to browse Amazon without any sponsored content. It was uploaded to the Chrome
Analysis Summary
The following summary, written from a malware-analysis and TTP perspective, is derived from the context provided about the malicious Chrome extensions.
# Tool/Technique: Malicious Google Chrome Extensions (Cluster using "10Xprofit" publisher)
## Overview
This refers to a cluster of malicious Google Chrome browser extensions, identified by researchers, designed to perform affiliate link hijacking, steal sensitive data, and specifically target OpenAI ChatGPT authentication tokens. The primary example highlighted is "Amazon Ads Blocker."
## Technical Details
- Type: Malware/Malicious Software (specifically, legitimate-looking extensions carrying hidden malicious functionality)
- Platform: Google Chrome (Browser extension environment)
- Capabilities: Affiliate link manipulation, data exfiltration (including authentication tokens), hidden functionality.
- First Seen: January 19, 2026 (Date of upload for "Amazon Ads Blocker")
## MITRE ATT&CK Mapping
The observed behavior primarily maps to data theft and unauthorized modification within the user's browsing session.
- **TA0005 - Defense Evasion**
  - T1216 - Drive-by Compromise (Leveraging trust in the Chrome Web Store)
- **TA0009 - Collection**
  - T1005 - Data from Local System (Implied, for token harvesting)
- **TA0010 - Exfiltration**
  - T1567 - Exfiltration Over Web Service (Tokens or stolen data sent to attacker C2)
- **TA0007 - Credential Access**
  - T1555.003 - Credentials from Web Browsers (Focus on ChatGPT authentication tokens)
## Functionality
### Core Capabilities
- **Affiliate Link Hijacking:** Automatically scans Amazon product URL patterns for existing affiliate tags and replaces them with the attacker's tag (`10xprofit-20` for Amazon, `_c3pFXV63` for AliExpress).
- **Affiliate Link Insertion:** Appends the attacker's affiliate tag if no existing tag is found on a URL.
- **Misleading Disclosure:** The extension listing claims developers earn a "small commission" from coupon code usage, hiding the primary malicious function.
### Advanced Features
- **Data Theft/Token Harvesting:** Reported to steal data, specifically the collection of OpenAI ChatGPT authentication tokens.
- **Broad E-commerce Targeting:** The cluster includes 29 add-ons targeting platforms beyond Amazon, including AliExpress, Best Buy, Shein, Shopify, and Walmart, often utilizing "Search By Image" features.
## Indicators of Compromise
- **File Hashes:** Not provided in the context.
- **File Names:** Not provided, identified primarily by Extension ID.
- **Registry Keys:** Not applicable (Browser extension context).
- **Network Indicators:** No defanged C2 domains or IPs are listed in the context; the described behavior implies stolen tokens/data being sent from the browser to attacker-controlled infrastructure.
- **Behavioral Indicators:**
  - Modification of URLs as the user navigates to or shares product links (affiliate tag replaced or appended).
  - Reading and exfiltrating session/authentication data related to ChatGPT.
## Associated Threat Actors
- The publisher is identified as **"10Xprofit"**. No formal APT group designation is available based solely on this context.
## Detection Methods
- **Signature-based detection:** Detection rules targeting the specific extension IDs or hardcoded affiliate tags (`10xprofit-20`).
- **Behavioral detection:** Monitoring extension activity for URL modification or unauthorized API calls related to session storage/token access.
- **YARA rules:** Not available based on the context.
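As an added example of the signature-based approach above (not code from the report or from the researchers), the following Python scans proxy or browser-history lines for URLs that carry the attacker affiliate values quoted in the report. The Amazon `tag` query parameter is the real Associates attribution parameter; the AliExpress parameter name is unknown from the report, so the value is matched anywhere in the query string, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlparse, parse_qs

# Attacker affiliate identifiers quoted in the report. Treat them as a watchlist;
# the cluster is larger than the two values named here.
AMAZON_TAGS = {"10xprofit-20"}
ALIEXPRESS_IDS = {"_c3pFXV63"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def check_url(url):
    """Return a list of (reason, value) findings for one URL, empty if clean."""
    findings = []
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    query = parse_qs(parsed.query)
    if "amazon." in host:
        # Amazon Associates commissions are attributed via the `tag` parameter.
        for tag in query.get("tag", []):
            if tag in AMAZON_TAGS:
                findings.append(("amazon_affiliate_tag", tag))
    if "aliexpress." in host:
        # The report gives only the value, not the parameter carrying it,
        # so match it anywhere in the query string.
        for ident in ALIEXPRESS_IDS:
            if ident in parsed.query:
                findings.append(("aliexpress_affiliate_id", ident))
    return findings

def scan_log(lines):
    """Scan log lines for URLs carrying watchlisted affiliate values.

    Returns a list of dicts: 1-based line number, the URL and its findings.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            findings = check_url(url)
            if findings:
                hits.append({"line": lineno, "url": url, "findings": findings})
    return hits

# Constructed sample lines (not real telemetry; ASIN and aff_id are placeholders).
# Line 1 is a clean product URL, line 2 carries the hijacked Amazon tag,
# line 3 carries the AliExpress value.
SAMPLE_LOG = [
    "2026-01-20T10:00:01Z GET https://www.amazon.com/dp/B0EXAMPLE1?tag=honestshop-20",
    "2026-01-20T10:00:03Z GET https://www.amazon.com/dp/B0EXAMPLE1?tag=10xprofit-20&ref=x",
    "2026-01-20T10:00:05Z GET https://www.aliexpress.com/item/1005.html?aff_id=_c3pFXV63",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feeding the same check a pair of URLs (the link as rendered on the page and the one actually navigated to) turns it into a detector for the tag-replacement behaviour described under Core Capabilities.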
## Mitigation Strategies
- **Prevention measures:** Install extensions only from trusted sources and verify publisher reputation.
- **Hardening recommendations:** Regularly audit installed browser extensions. Check permission requests carefully before installation. Monitor network traffic originating from browser process activities for unusual outbound data transfers.
## Related Tools/Techniques
- Other malicious extensions in the cluster, including:
  - AliExpress Invoice Generator (FREE) - AliInvoice™️ (10+ Templates)
  - BestBuy Search By Image
  - Shopify Search By Image