Popular Chrome extension "Save Image as Type" was maliciously taken over, affecting more than one million users

A popular Chrome image format conversion extension "Save Image as Type" with more than one million users was recently revealed to have been taken over by hackers and malicious code was implanted. Security researchers called on relevant users to uninstall the extension immediately. Google removed it earlier this month, but before that, the tool was likely silently tampering with the browser behavior of tens of thousands of users for weeks. Investigations revealed that the group behind the attack was also linked to dozens of hijacked Chrome and Edge extensions.

Under the background that browser extensions have long been a popular target for attackers, this incident once again highlights the security risks of the extension ecosystem. Although major browser manufacturers regularly clean up extensions that pretend to be ad blocking, video downloading or free VPN, but actually contain malicious code, it is still difficult to detect all problems in time. In the case of "Save Image as Type", the attacker targeted a type of function that has become increasingly common with the popularity of new generation image formats such as WebP: one-click conversion of web page images into a more common format for local use.

Currently, in order to speed up loading and save bandwidth, most websites have widely adopted modern image formats such as WebP and AVIF. These formats have smaller file sizes while maintaining image quality close to that of JPEG and PNG. However, WebP still lacks complete support in many commonly used applications outside browsers, causing users to often encounter compatibility issues when processing such images locally. In order to bypass this obstacle, many people will install browser extensions to automatically convert images into traditional formats, which also provides an entry point for attackers.

Rather than developing an unfamiliar malicious extension from scratch, attackers are increasingly taking over existing extensions that already have an established base of user trust. Some groups invade developer accounts through loopholes, but this time the group "Karma" that manipulates "Save Image as Type" seems to have adopted a simpler and more direct approach - acquiring the extension directly from the original author. According to analysis by XDA Developers, the extension changed owners between November 13 and 29 last year, and new code was implanted at the end of that month to redirect user traffic to "earn" affiliate commissions from shopping behavior at Amazon, Adidas, Shein and other retailers.

Security researcher Wladimir Palant documented and analyzed Karma's activities in late 2024 and early 2025 and found that the group was associated with multiple Chrome extensions carrying similar malicious payloads. Microsoft removed an image conversion extension from the Edge store in 2025 and marked it as malware. However, according to XDA, this extension came from a different developer, and no direct code connection with Karma was found.

For users who are worried that they may be affected, security experts recommend uninstalling Save Image as Type immediately and replacing it with other reliable alternatives. XDA also released detection methods to help users confirm whether the compromised extension left residual traces on the system. In the reality that browser extensions have repeatedly become a springboard for attacks, users may need to be more cautious when selecting and retaining extensions for a long time, and pay attention to abnormal signals such as extension ownership and permission changes in a timely manner.