Google has taken down the Chrome extension “Save Image as Type” after security researchers discovered that it had been hijacked and altered to redirect user traffic for affiliate commission fraud. The extension had over a million users when it was removed.
The compromise was carried out by a group called Karma, which reportedly acquired the extension from its original developer sometime between November 13 and November 29, 2025, according to XDA Developers. By the end of November, new code had been inserted to intercept purchases made through retailers such as Amazon, Adidas, and Shein, enabling the attackers to collect affiliate commissions from transactions made by affected users.
What the Malicious Chrome Extension Code Did

The injected code secretly redirected user traffic in the background, without any obvious signs in the browser. This meant that users browsing and buying from supported retail sites had their sessions altered to credit Karma’s affiliate accounts.
Despite this malicious activity, the extension continued to function normally as an image conversion tool, making it difficult to detect. Google took down the extension earlier in March 2026, but the harmful version had probably been active for several weeks before it was removed.
Who Is Behind the “Save Image as Type” Chrome Extension Hack
Security researcher Wladimir Palant analyzed Karma’s activities toward the end of 2024 and the beginning of 2025, linking the group to numerous Chrome extensions that share similar malicious payloads. Instead of designing new malicious extensions from scratch, Karma often buys existing, trusted extensions from the original developers and then adds malicious code after purchase.
In 2025, a different image-conversion extension was removed from Microsoft Edge after being flagged as malware. XDA notes that this one came from a different developer and didn’t contain the same malicious code.
What Affected Chrome Users Should Do After the “Save Image as Type” Hijack
If you’ve had the “Save Image as Type” extension installed since November 2025, it’s recommended that you uninstall it right away unless Google has already disabled it for you. XDA Developers has shared instructions on how to check if the compromised extension left any traces on your system.
Google hasn’t confirmed how many users were actually affected during the weeks the malicious extension was active.
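To check whether a copy is still on disk, the following added example (not from XDA Developers or gHacks) scans a Chromium user data directory for the extension in every profile. It matches on the display name because the article gives no extension ID; the directory layout, function names and the sample profile are assumptions or constructed for illustration.

```python
import json
import sys
import tempfile
from pathlib import Path

TARGET_NAME = "Save Image as Type"  # extension name as given in the article

def load_json(path):
    """Parse a JSON object from a file, tolerating a BOM; {} when unusable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(version_dir, manifest):
    """Resolve manifest 'name', following a __MSG_key__ reference into _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        messages = load_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():
            # Message keys are matched case-insensitively.
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def find_extension(user_data_dir, target=TARGET_NAME):
    """List installed copies of `target` across all profiles of one browser."""
    hits = []
    # Assumed layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for path in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        manifest = load_json(path)
        if display_name(path.parent, manifest).strip().lower() == target.lower():
            hits.append({"profile": path.parts[-5], "id": path.parts[-3],
                         "version": manifest.get("version"),
                         "hosts": manifest.get("host_permissions", [])})
    return hits

def build_sample(root):
    """Constructed sample profile (not real data) so the scan can run offline."""
    ver = Path(root) / "Default" / "Extensions" / ("a" * 32) / "1.0.0_0"
    (ver / "_locales" / "en").mkdir(parents=True)
    (ver / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__",
        "default_locale": "en", "version": "1.0.0", "host_permissions": ["<all_urls>"]}))
    (ver / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Save Image as Type"}}))
    return str(root)

if __name__ == "__main__":
    # Pass the browser's user data directory; with no argument the sample is scanned.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    print(find_extension(root))
```

An empty list means no installed copy matched the name in that user data directory; a hit reports the profile, extension ID and version so the entry can be removed from the browser's extensions page.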
Thank you for being a Ghacks reader. The post Chrome Extension "Save Image as Type" Was Hijacked, Putting Over 1 Million Users at Risk appeared first on gHacks.
