Malicious Chrome Extension Performs Hidden Affiliate Hijacking

Socket’s Threat Research Team found that the Chrome extension “Amazon Ads Blocker” hides sponsored listings as advertised but secretly injects and replaces affiliate tags with the developer’s tag (10xprofit-20) on every Amazon product link. The extension’s Chrome Web Store disclosure is misleading and violates Google’s June 2025 affiliate policy by performing automatic, non-consensual tag replacement without providing direct user benefit or required user action.

Key points

  • The extension advertises ad-blocking functionality and uses CSS to hide sponsored Amazon product blocks while requesting storage and access to 23 Amazon domains.
  • Hidden code in content.js (initAffiliateLinker) rewrites all Amazon product links to append or replace affiliate tags with “10xprofit-20”.
  • A MutationObserver monitors DOM changes and re-applies affiliate tags on dynamic content (infinite scroll/AJAX), making the behavior persistent and automatic.
  • The Chrome Web Store disclosure describes a coupon/deal workflow requiring user action, but the implementation injects tags automatically and replaces existing creator tags, creating a disclosure mismatch and false consent.
  • Content creators lose Amazon Associates commissions (typically 1–10%) when their tags are replaced; the extension developer passively accumulates those commissions while users receive no affiliate-related benefit.
  • IOCs include extension name/ID, affiliate tag, uninstall URL, and developer contact; recommended actions: uninstall, review installed extensions, report mismatches to the Chrome Web Store, and monitor for similar extensions.
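The tag rewriting described in the key points can be detected by comparing each link's href as served with the href read back from the live DOM. The following JavaScript is an added example, not code from the extension or from Socket's report; the function names, the host pattern, the `creator-21` tag and the product IDs are assumptions or constructed sample values.

```javascript
// Added example: flag affiliate-tag tampering by diffing served vs. live hrefs.

// Assumption: Amazon storefront hosts look like [www.]amazon.<tld>; the page
// does not list the 23 domains the extension requests, so this is approximate.
const AMAZON_HOST = /(^|\.)amazon\.[a-z]{2,3}(\.[a-z]{2})?$/i;

// Classify what happened to the `tag` parameter of a single link.
function classifyTagChange(servedHref, liveHref) {
  let served, live;
  try {
    served = new URL(servedHref);
    live = new URL(liveHref);
  } catch {
    return { verdict: 'unparseable' };
  }
  if (!AMAZON_HOST.test(live.hostname)) return { verdict: 'not-amazon' };
  const before = served.searchParams.get('tag');
  const after = live.searchParams.get('tag');
  if (before === after) return { verdict: 'unchanged', before, after };
  if (before === null) return { verdict: 'injected', before, after };
  if (after === null) return { verdict: 'removed', before, after };
  return { verdict: 'replaced', before, after };
}

// Summarise a page: one tag appearing across many rewritten links is the
// signature of automatic rewriting rather than a user-initiated action.
function auditLinks(pairs) {
  const byTag = new Map();
  for (const [servedHref, liveHref] of pairs) {
    const r = classifyTagChange(servedHref, liveHref);
    if (r.verdict !== 'injected' && r.verdict !== 'replaced') continue;
    const entry = byTag.get(r.after) || { injected: 0, replaced: 0, displaced: new Set() };
    entry[r.verdict] += 1;
    if (r.before) entry.displaced.add(r.before);
    byTag.set(r.after, entry);
  }
  return [...byTag].map(([tag, e]) => ({
    tag, injected: e.injected, replaced: e.replaced, displaced: [...e.displaced].sort(),
  }));
}

// Constructed sample: [href as served, href read back from the DOM].
const SAMPLE = [
  ['https://www.amazon.com/dp/B000000001', 'https://www.amazon.com/dp/B000000001?tag=10xprofit-20'],
  ['https://www.amazon.co.uk/dp/B000000002?tag=creator-21', 'https://www.amazon.co.uk/dp/B000000002?tag=10xprofit-20'],
  ['https://www.amazon.de/dp/B000000003?tag=creator-21', 'https://www.amazon.de/dp/B000000003?tag=creator-21'],
  ['https://example.com/a', 'https://example.com/a?tag=10xprofit-20'],
];
console.log(JSON.stringify(auditLinks(SAMPLE)));
```

The served hrefs can come from the raw HTML response and the live hrefs from the rendered page in a browser profile with the extension under review installed.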

MITRE Techniques

  • [T1176.001] Browser Extensions – The malicious behavior is implemented as a Chrome extension that modifies page links and UI (‘Socket’s Threat Research Team identified a malicious Chrome extension Amazon Ads Blocker…’).
  • [T1059.007] JavaScript Execution – JavaScript in content.js executes functions that parse and rewrite URLs and uses a MutationObserver to reapply changes on DOM updates (‘function initAffiliateLinker() { … params.set('tag', AFFILIATE_TAG); … }’ and ‘the MutationObserver re-injects affiliate tags whenever new content loads’).
  • [T1657] Financial Theft – The extension hijacks affiliate commissions by replacing or appending the developer’s affiliate tag to product links, diverting creators’ revenue (‘it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes’).

Indicators of Compromise

  • [Chrome Extension Name] malicious extension – Amazon Ads Blocker
  • [Extension ID] Chrome Web Store identifier – pnpchphmplpdimbllknjoiopmfphellj
  • [Version] extension release – 3.0.1
  • [Affiliate Tag] injected affiliate parameter – 10xprofit-20
  • [Threat Actor] developer handle – 10Xprofit (Chrome handle)
  • [Registered Email] developer contact – 10xprofitio@gmail[.]com
  • [Uninstall URL] tracking/re-engagement link – https://10xprofit[.]io/tools/?utm_source=chrome-extension


Read more: https://socket.dev/blog/malicious-chrome-extension-performs-hidden-affiliate-hijacking