
Google has removed the Chrome extension “Save image as type” after security researchers discovered that it had been hijacked and altered to redirect user traffic for affiliate commission fraud. The extension had over one million users when it was removed.
The compromise was carried out by a group called Karma, which reportedly acquired the extension from its original developer sometime between November 13 and November 29, 2025, according to XDA Developers. By the end of November, new code had been inserted to intercept purchases made through retailers such as Amazon, Adidas and Shein, allowing attackers to collect affiliate commissions for transactions made by affected users.

The injected code secretly redirected user traffic in the background, without any obvious sign in the browser. This meant that users browsing and purchasing from supported retail sites had their sessions modified to credit Karma's affiliate accounts.
Despite this malicious activity, the extension continued to function normally as an image conversion tool, making it difficult to detect. Google removed the extension in early March 2026, but the harmful version had likely been active for several weeks before being removed.
Security researcher Wladimir Palant analyzed Karma’s activities in late 2024 and early 2025, linking the group to numerous Chrome extensions that share similar malicious payloads. Instead of designing new malicious extensions from scratch, Karma often purchases existing trusted extensions from the original developers and then adds malicious code after the purchase.
In 2025, a different image conversion extension was removed from Microsoft Edge after being flagged as malware. XDA notes that this one came from a different developer and did not contain the same malicious code.
If you have had the “Save image as type” extension installed since November 2025, it is recommended that you uninstall it immediately, unless Google has already disabled it. XDA Developers has shared instructions on how to check if the compromised extension left any traces on your system.
Google has not confirmed how many users were actually affected during the weeks that the malicious extension was active.