Google has removed the widely-used Chrome extension “Save Image as Type” after security researchers discovered it had been compromised and was redirecting user traffic for affiliate commission fraud. The extension, which boasted over a million users, was silently hijacked by a group known as Karma, raising concerns about the security of browser extensions and the potential for malicious actors to exploit trusted tools.
The compromise occurred between November 13 and November 29, 2025, according to reports from XDA Developers. Karma reportedly purchased the extension from its original developer and subsequently injected malicious code designed to intercept purchases made through popular online retailers like Amazon, Adidas, and Shein. This allowed the attackers to earn affiliate commissions on transactions made by unsuspecting users, effectively stealing revenue from legitimate sources. The incident underscores a growing trend of malicious actors acquiring existing extensions rather than developing new ones, leveraging established trust to carry out fraudulent schemes.
How the Hijack Worked: Silent Redirection
The injected code operated discreetly in the background, altering user sessions without any visible indication of tampering within the browser. Users browsing and making purchases on supported retail sites unknowingly had their transactions attributed to Karma’s affiliate accounts. This subtle redirection made the malicious activity difficult to detect, as the extension continued to function normally as an image conversion tool. Security researcher Wladimir Palant, who has been tracking Karma’s activities, noted the group’s preference for acquiring existing extensions and adding malicious payloads, rather than creating new malware from scratch. This approach allows them to bypass initial security checks and exploit the established reputation of the compromised tool.
Karma: A Growing Threat to Chrome Extension Security
The group behind the hijack, known as Karma, has been linked to numerous other compromised Chrome extensions, according to Palant’s research. Their strategy involves identifying and purchasing existing, trusted extensions from their original developers, then injecting malicious code after the acquisition. This method allows them to quickly deploy fraudulent schemes across a wide user base. Notably, in 2025, a separate image-conversion extension was removed from the Microsoft Edge browser after being flagged as malware, though it was developed by a different entity and did not utilize the same malicious code as the “Save Image as Type” extension. That removal highlights the broader vulnerability of browser extension ecosystems.
The Affiliate Fraud Scheme Explained
Affiliate marketing is a legitimate online advertising practice where businesses reward affiliates for driving traffic or sales. However, malicious actors like Karma exploit this system by fraudulently generating commissions. In this case, the hijacked extension silently redirected users to affiliate links, ensuring that Karma received a commission on purchases made, even though they did not legitimately earn it. This type of affiliate fraud not only harms retailers but also undermines the integrity of the affiliate marketing industry as a whole. The scale of the fraud is difficult to quantify, as Google has not released specific figures on the number of affected users or the total amount of illicit commissions earned by Karma.
What Users Should Do Now
If you have used the “Save Image as Type” extension since November 2025, it is strongly recommended that you uninstall it immediately, even if Google has already disabled it for you. XDA Developers has published a guide with detailed steps for checking your system for any remaining traces of the compromised extension and for identifying and removing any lingering malicious code. Although Google took action to remove the extension in early March 2026, the harmful version may have been active for several weeks prior to its removal, potentially exposing a significant number of users to the affiliate fraud scheme.
This incident serves as a stark reminder of the risks associated with browser extensions. While extensions can enhance functionality and improve the user experience, they also represent a potential security vulnerability. Users should exercise caution when installing extensions, carefully reviewing the permissions requested and researching the developer’s reputation. Regularly reviewing and removing unused extensions can also help minimize the risk of compromise.
Protecting Yourself from Malicious Extensions
Beyond uninstalling the compromised extension, several steps can be taken to protect yourself from similar threats. Keep your browser updated to the latest version, as updates often include security patches that address known vulnerabilities. Enable two-factor authentication on your Google account to add an extra layer of security. Be wary of extensions that request excessive permissions, and only install extensions from trusted sources. Consider using a reputable antivirus program that includes browser extension scanning capabilities. Finally, regularly review the extensions installed on your browser and remove any that you no longer use or recognize.
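The permission review recommended above can be scripted. The following is an added example, not code from the article or from any of the researchers it cites: it walks a Chrome profile's Extensions directory (laid out as <extension id>/<version>/manifest.json) and shortlists extensions whose manifests request access to every site or APIs that can observe or rewrite navigation. The pattern and API lists are this example's own selection, and the extension IDs and manifests in demo() are constructed.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or alter every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that allow observing or rewriting navigation and requests.
SENSITIVE_APIS = {"webRequest", "declarativeNetRequest", "webNavigation", "tabs", "cookies", "scripting"}

def audit_manifest(manifest: dict) -> dict:
    """Return the broad host patterns and sensitive APIs a manifest requests."""
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 location
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")  # V2 style
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "broad_hosts": sorted(hosts & BROAD_HOSTS),
            "sensitive_apis": sorted(set(perms) & SENSITIVE_APIS)}

def audit_profile(extensions_dir: Path) -> dict:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    findings = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        result = audit_manifest(manifest)
        if result["broad_hosts"] or result["sensitive_apis"]:
            findings[path.parent.parent.name] = result  # keyed by extension id
    return findings

def demo() -> dict:
    """Run the audit over a constructed Extensions directory (sample data only)."""
    samples = {  # constructed manifests, not taken from any real extension
        "aaaaexampleidaaaa/1.2.3": {"name": "Image converter (constructed)", "version": "1.2.3",
            "permissions": ["downloads", "tabs", "scripting"], "host_permissions": ["<all_urls>"]},
        "bbbbexampleidbbbb/0.9": {"name": "Dark theme (constructed)", "version": "0.9", "permissions": ["storage"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in samples.items():
            target = Path(tmp) / rel
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(Path(tmp))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hit is a prompt for review rather than proof of compromise: many legitimate extensions need broad access, so the useful signal is an extension whose requested access exceeds what its stated function needs, or whose permissions grew after an update.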
The “Save Image as Type” hijack is not an isolated incident. The increasing sophistication of malicious actors and the growing popularity of browser extensions create a fertile ground for fraud and exploitation. Google and other browser developers are continually working to improve extension security, but users must also play an active role in protecting themselves. Staying informed about the latest threats and adopting proactive security measures are essential for navigating the evolving landscape of online security.
Google has not yet released a comprehensive statement detailing the full extent of the compromise or the steps being taken to prevent similar incidents in the future. However, the company is expected to provide further updates as the investigation progresses. Users are encouraged to monitor Google’s security blog and other official channels for the latest information.
The next step in this unfolding story will likely be further analysis of Karma’s activities and the identification of any other compromised extensions. Security researchers are actively investigating the group’s network and attempting to determine the full scope of their operations. As more information becomes available, it will be crucial for users to remain vigilant and take appropriate steps to protect their online security.