For years, I relied on a simple Chrome extension called “Save image as Type.” It was a lifesaver, effortlessly converting WebP images to more manageable JPEGs and PNGs. As someone constantly working with visuals, it streamlined my workflow, a quiet utility I barely thought twice about.
That peace of mind shattered with a disturbing revelation: this helpful tool, along with others like it, had been secretly sold to malicious actors. These weren’t just minor updates; they were calculated takeovers, transforming trusted extensions into instruments of deception.
The core of the scheme involved hijacking affiliate links. Every time a user clicked a link to an online store, the extension subtly replaced the legitimate affiliate code with its own, diverting commission payments to the new owner. It’s a practice eerily similar to one recently exposed involving a well-known company, but this was happening silently, behind the scenes.
The takeover of “Save image as Type” occurred sometime in November of the previous year, after it had already amassed over a million users and earned a coveted “Featured” badge from Google. But the compromise may have begun even earlier, with researchers documenting this pattern of malicious extension acquisitions months before.
Microsoft acted swiftly, removing the extension from its Edge browser gallery in early 2025. Google, however, remained slow to respond. It wasn’t until over a year later that the extension vanished from the Chrome Web Store, replaced with a simple “This item is not available” message. Even then, the removal rippled through other Chromium-based browsers, unexpectedly deleting it from my own system.
A degree of responsibility falls on users, of course. We *should* meticulously examine every software update. But let’s be realistic: most of us aren’t developers equipped to dissect code and decipher updated terms of service. We inherently trust platforms like the Chrome Web Store to provide a baseline level of security.
This isn’t an isolated incident. The tactic of acquiring and weaponizing popular browser extensions is proving remarkably effective for scammers. Google appears to be reacting to these threats, rather than proactively preventing them, lagging behind even smaller platforms like Microsoft’s Edge.
The situation feels particularly ironic given Google’s recent implementation of Manifest V3, a system ostensibly designed to enhance user security. Allowing a malicious extension to remain active for so long casts a long shadow over that commitment, raising serious questions about the true level of protection offered.
This experience serves as a stark reminder: the digital tools we rely on daily aren’t always what they seem. Vigilance is crucial, but ultimately, the responsibility for maintaining a safe online environment rests with the platforms themselves.