A hot potato: Chrome users who have saved scores of images using the popular "Save Image as Type" extension since last November should uninstall the tool immediately if it has not already been disabled. Security researchers recently found that the extension's new owners had inserted malicious code designed to siphon affiliate commissions.
Google delisted the image conversion tool earlier this month, but not before it had likely been modifying thousands of users' browsers for several weeks. The group behind the compromise has also been linked to dozens of other hijacked Chrome and Edge extensions.
Browser extensions remain an attractive target for malicious actors. Google and other browser makers regularly purge large batches of add-ons that promise features such as ad blocking, downloading YouTube videos, or free VPNs, only to quietly deliver something far less benign.
In this case, the attack focused on a feature that has become increasingly relevant as WebP adoption has grown. Most websites now rely on modern image formats like WebP or AVIF to speed up load times and reduce bandwidth usage, since these formats can match the visual quality of JPEG or PNG while using smaller file sizes.

The problem is that WebP still lacks broad support across many popular apps outside the browser, making it less practical for local use. To work around that limitation, users often turn to browser extensions that automatically convert images into more widely compatible formats.
Rather than distributing brand-new malicious extensions, attackers are increasingly taking over ones that people already trust. Some groups exploit vulnerabilities to hijack developer accounts, but the actors behind the "Save Image as Type" compromise, a group known as Karma, appear to have taken a simpler route by purchasing the extension outright from the original developer.
According to XDA Developers, the extension changed hands sometime between November 13 and November 29. By the end of that month, new code had been introduced to redirect user traffic, allowing the attackers to collect commissions on purchases made through retailers such as Amazon, Adidas, and Shein.
Security researcher Wladimir Palant documented Karma's activity in late 2024 and early 2025, linking the group to numerous Chrome extensions carrying similar payloads. While Microsoft also removed an image conversion extension from Edge in 2025 after flagging it as malware, XDA notes that it came from a different developer and did not contain the same malicious code.
Users concerned they might be impacted should uninstall the extension and seek an alternative. XDA has also published steps to help determine whether the compromised extension left traces behind on a system.