Popular Chrome Extension “Save Image as Type” Pulled After Affiliate Fraud Scheme Discovered
A seemingly harmless image-conversion tool amassed over a million users before being covertly sold and weaponised with hidden code that stuffed affiliate cookies into browsing sessions on thousands of sites. Google removed it from the Chrome Web Store in March 2026 — more than a year after Microsoft had already acted.
For years, Save Image as Type was one of the most trusted utilities in the Chrome Web Store. With a single right-click, it let users save any image on the web as a PNG, JPG, or WebP file — a small but genuinely useful capability that earned it over a million installs and a coveted “Featured” badge from Google. Nobody noticed it had turned hostile.
In mid-March 2026, Google disabled the extension across all installed browsers and removed it from the Chrome Web Store. Users who had it installed saw an abrupt browser warning informing them the add-on contained malware. The extension’s store page now simply states: “this item is not available.”
What the Extension Was Actually Doing
Security researcher and XDA Lead Technical Editor Adam Conway first noticed something wrong when routine analysis of his own browser revealed unexpected network activity. Digging into the extension’s code, he uncovered an affiliate fraud operation he described as having been running on his browser for months.
“What I found was an affiliate fraud operation that had been running on my browser for months, injecting hidden iframes into practically every page I visited to stuff affiliate cookies from over a thousand different merchants.”
— Adam Conway, Lead Technical Editor, XDA
The technique — known as cookie stuffing — is a form of affiliate fraud. The malicious inject.js script, weighing in at 428 KB, was injected into every HTTP and HTTPS page the user visited. It silently loaded hidden iframes from shopping sites like Amazon and Best Buy, planting affiliate tracking cookies in the user’s browser without any interaction. When the user later made a purchase at one of those retailers, the extension’s operator would receive a commission — credit for a sale they had nothing to do with facilitating.
The scheme closely mirrors the controversy that engulfed the Honey browser extension in late 2024, where a similar cookie-stuffing operation was found to be hijacking affiliate commissions from content creators and legitimate affiliate partners. In this case, the operation reportedly affected close to 600 unique affiliate redirect URLs, with the actual scope potentially broader.
Notably, the malicious code was designed to avoid easy detection: it only triggered after the user had saved at least ten images using the extension, ensuring casual reviewers or automated scanners would find nothing suspicious in quick tests.
A Classic “Bait and Switch” After Ownership Transfer
The original extension — version 1.2.3, dating back to May 2023 — was completely clean. It had no content scripts, no webpage injection, and no storage permissions beyond what was needed for its core function. The background script was a lean 5.9 KB.
That changed in late November 2025. Analysis of Chrome Web Store metadata shows that sometime between November 13th and November 29th, 2025, the extension’s listed owner changed from the original developer identity (“Image4Tools”) to an account named “laurenbridgecool.” Around the same time, the extension’s GitHub repository was quietly deleted. By version 1.4.6 — released in late 2024 during an earlier, less severe phase — the new 428 KB inject.js had already appeared; the full malicious payload was active on users’ browsers from approximately December 2025 through early 2026.
Conway’s own browser logs showed the payload was most active during the Christmas and New Year period — precisely when online shopping activity peaks — with dozens of injections per day across visited pages during late December 2025.
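The capability change described above, from no content scripts to inject.js on every HTTP and HTTPS page, is visible in manifest.json before any code is read. The following is an added example, not code from the extension or from Conway's analysis: it diffs two manifests and reports new all-site content scripts and new permissions. Both manifests are constructed from the article's description, and the listed permissions are assumptions.

```javascript
// Added example: diff two manifest.json versions of one extension and flag
// the capability growth the article describes. Both manifests are constructed.

// Match patterns that cover every HTTP and HTTPS page.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Content-script files that a manifest injects on all sites.
function broadScripts(manifest) {
  const files = [];
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD.has(m))) files.push(...(cs.js || []));
  }
  return files;
}

// Entries present in newList but not in oldList.
function added(oldList, newList) {
  const before = new Set(oldList || []);
  return (newList || []).filter((x) => !before.has(x));
}

function diffManifests(oldM, newM) {
  const findings = [];
  for (const f of added(broadScripts(oldM), broadScripts(newM)))
    findings.push(`new content script on all sites: ${f}`);
  for (const p of added(oldM.permissions, newM.permissions))
    findings.push(`new permission: ${p}`);
  for (const h of added(oldM.host_permissions, newM.host_permissions))
    findings.push(`new host permission: ${h}`);
  return findings;
}

// Constructed manifests modelled on the article's description, not the real files.
const cleanVersion = {
  version: "1.2.3",
  permissions: ["contextMenus", "downloads"],
  background: { service_worker: "background.js" },
};
const laterVersion = {
  version: "1.4.6",
  permissions: ["contextMenus", "downloads", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }],
  background: { service_worker: "background.js" },
};

console.log(diffManifests(cleanVersion, laterVersion));
```

Any non-empty result on an update to an extension whose function has not changed is a reason to review the new version before allowing it.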
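To check whether the extension was active on a given site, open DevTools on that site and run the following in the console:
localStorage.getItem("ldcsv")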
If the command returns a number rather than null, the extension was active on that site. Importantly, this key persists in localStorage even after the extension is removed — Chrome does not clean up per-origin storage on uninstall. Its presence is harmless once the extension is gone, but it serves as a forensic indicator of past activity.
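The check above can be combined with a look for the hidden iframes themselves. The following is an added example, not code from the article or the extension: it interprets the ldcsv value and lists hidden cross-origin iframes on the current page. The criteria for "hidden", the helper names and the sample hosts are assumptions.

```javascript
const MARKER_KEY = "ldcsv"; // localStorage key named in the article

// storage: any object with getItem(), e.g. window.localStorage.
function markerStatus(storage) {
  const raw = storage.getItem(MARKER_KEY);
  // Per the article, a number (not null) means the extension ran on this origin.
  const numeric = raw !== null && raw.trim() !== "" && Number.isFinite(Number(raw));
  return { present: raw !== null, numeric, raw };
}

// frames: [{src, width, height, display, visibility}] from the rendered page.
// The "hidden" criteria are an assumption; the article does not say how the
// iframes were hidden.
function hiddenCrossOriginFrames(frames, pageOrigin) {
  return frames.filter((f) => {
    let url;
    try { url = new URL(f.src, pageOrigin); } catch { return false; }
    if (!/^https?:$/.test(url.protocol)) return false; // skip about:blank etc.
    const hidden = f.display === "none" || f.visibility === "hidden" ||
      f.width <= 1 || f.height <= 1;
    return hidden && url.origin !== pageOrigin;
  }).map((f) => f.src);
}

// Browser adapter: read the same fields from the live DOM.
function snapshotFrames(doc, win) {
  return [...doc.querySelectorAll("iframe")].map((el) => {
    const box = el.getBoundingClientRect();
    const css = win.getComputedStyle(el);
    return { src: el.src, width: box.width, height: box.height,
             display: css.display, visibility: css.visibility };
  });
}

// Constructed sample for running outside a browser (all hosts are placeholders).
const sampleStorage = { getItem: (k) => (k === MARKER_KEY ? "12" : null) };
const sampleFrames = [
  { src: "https://merchant.example/?tag=aff", width: 0, height: 0, display: "none", visibility: "visible" },
  { src: "https://video.example/embed", width: 640, height: 360, display: "block", visibility: "visible" },
  { src: "/widget", width: 0, height: 0, display: "none", visibility: "visible" },
];

const inBrowser = typeof document !== "undefined";
console.log(markerStatus(inBrowser ? localStorage : sampleStorage));
console.log(inBrowser
  ? hiddenCrossOriginFrames(snapshotFrames(document, window), location.origin)
  : hiddenCrossOriginFrames(sampleFrames, "https://news.example"));
```

Hidden cross-origin iframes also have legitimate uses, so a hit is a lead to investigate rather than proof of cookie stuffing.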
A Timeline of Failures
The timeline of how this threat was handled — or mishandled — by the browser vendors raises uncomfortable questions about the adequacy of platform oversight.
Google’s Delayed Response Under Scrutiny
The most striking element of this incident is not the malware itself, but the gap in response. Microsoft acted on publicly available research in February 2025. Google did not remove the Chrome version until March 2026 — over a year later — during which time the extension retained its “Featured” designation, meaning Google’s own editorial systems were actively surfacing it as a recommended download.
Google’s Manifest V3 framework, introduced to limit the power of extensions and reduce attack surface, was explicitly designed to prevent the kind of remote code execution these malicious actors rely on. Yet, as Palant documented in January 2025, sophisticated operators had already found ways to circumvent those restrictions. Whether Manifest V3 would have contained this specific payload remains an open question.
Remove the extension immediately if it still appears in your Chrome extension list at chrome://extensions. Clear your browser’s cookies and site data to eliminate any residual tracking markers. Check your purchase history on frequently visited shopping sites for any unexplained affiliate attribution. You can verify past exposure by opening DevTools on any website and running localStorage.getItem("ldcsv") in the console.
Safe Alternatives
Users who relied on Save Image as Type for its core functionality have several well-regarded alternatives that operate within Google’s acceptable use policies:
- Save Image As PNG — Half the installs of the original, but maintains a clean record and delivers the same core PNG-conversion functionality.
- Save Image As JPG, PNG, or WebP — A highly rated option that replicates the original’s multi-format support without the hidden baggage.
- Built-in browser tools — Most modern browsers allow right-clicking and “Save image as” with manual format selection, or using developer tools for format conversion without any extension dependency.
The Broader Lesson
This incident is part of a wider pattern. Browser extensions occupy a uniquely privileged position: they run inside your browser with access to every page you visit, your cookies, and potentially your credentials. Once installed, they are rarely re-examined. The supply chain problem — where a legitimate extension is acquired by a new owner who then introduces malicious code — is not new, but it remains poorly addressed by platform governance.
The practical takeaway is straightforward: treat browser extension installation with the same scrutiny as any software installation. Audit your extension list periodically. Remove anything you no longer actively use. And when a previously trusted extension begins behaving erratically — unexpected redirects, slow page loads, unusual network activity — remove it immediately and investigate.
The Chrome Web Store’s review process, while improved in recent years, has demonstrated once again that it cannot be relied upon as the sole safeguard. Public security research, cross-browser vendor coordination, and user vigilance remain essential components of a functioning extension ecosystem.
