What happened
Socket researchers uncovered multiple malicious Chrome extensions that abused affiliate links and exfiltrated user data. Some extensions replaced existing affiliate codes with attacker-controlled links, while others injected scripts into ChatGPT pages to steal authentication tokens. The extensions appeared legitimate in the Chrome Web Store, attracting installs before hidden behaviors were identified.
Who is affected
Users who installed the malicious extensions were affected through affiliate fraud, data exfiltration, and session hijacking.
Why CISOs should care
Browser extensions remain a high-risk vector for credential theft and data misuse in enterprise environments.
3 practical actions
- Audit browser extensions. Remove unverified or unnecessary add-ons.
- Monitor token handling. Restrict browser-based storage of sensitive tokens.
- Inspect affiliate behavior. Detect unauthorized URL modifications.