Google removed the Save‑image‑as‑Type Chrome extension in March 2026, after a 2024 ownership change introduced hidden code that hijacked affiliate commissions from one million Chrome users across 578 retail sites.

How the attack worked. The malicious developer added an inject.js script that contacted an external server on every page load. The script downloaded a list of merchant URLs, then performed affiliate link hijacking—replacing the original affiliate code with the attacker's ID at checkout. It relied on cookie stuffing, a technique that plants tracking cookies via hidden iframes, then cleared those cookies after about 8.5 seconds. Commission payouts were redirected to the attacker's server instead of legitimate publishers.

Timeline of the breach. Microsoft blocked the same code on Edge by December 2024, but Chrome kept the extension live until the March 2026 takedown. Security researchers confirmed the removal and documented the code swapping links in real time. The script targeted major retailers and niche platforms alike, siphoning revenue for more than a year.

What users should do now. Remove the extension from Chrome, clear cookies for e‑commerce sites, scan the browser for unexpected extensions, review permission flags, and run a malware scan. Enterprises should audit extension inventories for ownership changes and monitor network traffic for unknown affiliate server calls.

Why this matters beyond one extension. Security experts warn that similar ownership‑change attacks are rising across the Chrome Web Store. Affiliate‑fraud schemes scale fast when developers acquire trusted extensions and inject revenue‑siphoning code. Staying vigilant can stop these attacks before they spread to more storefronts and more users.