I found 23 Chrome extensions hijacking 758,000 users' searches for affiliate revenue
SearchJack is a campaign of 23 deceptive Chrome extensions that hijack users' default search engines, silently routing approximately 758,000 users' search queries through operator-controlled affiliate monetization networks. The extensions advertise various functions but primarily exist to generate affiliate revenue without user consent. The campaign involves at least 8 distinct monetization brokers and 22 publishers, many of which anonymize their identities. Several extensions are manifest-only wrappers with no functionality beyond the search override, and at least one injects its redirect rules at runtime via declarativeNetRequest so that static analysis misses them. This is a significant privacy violation and a security risk: because the operators sit in the redirect path, they could inject malicious content into search results without updating the extension code.
AI Analysis
Technical Summary
SearchJack is a coordinated campaign of 23 Chrome extensions that override the user's default search engine so that every omnibox query passes through affiliate monetization middleware before reaching a search network; about 758,000 users are affected. The extensions advertise diverse features (satellite imagery, maps, news readers) but mainly exist to generate affiliate revenue, redirecting searches through at least 8 distinct brokers. The override is declared statically in the manifest's chrome_settings_overrides.search_provider key, and the hspart parameter in the final redirect URL (the Yahoo Hosted Search partner identifier) clusters extensions into broker networks regardless of extension name, domain or publisher. The campaign infrastructure relies on Yahoo Hosted Search and similar affiliate programs whose publisher vetting is weak enough for anonymous operators to monetize searches at scale. At least one extension adds its redirect rules at runtime through declarativeNetRequest, so its real behavior is invisible to static analysis of the package. Because the operators anonymize their identities and stand up replacement extensions, removing individual extensions is ineffective unless the broker infrastructure is addressed. The campaign is a privacy violation in itself and gives the operators a position from which to inject malicious content into search results.
Potential Impact
The campaign is a large-scale privacy violation: every search query from roughly 758,000 users worldwide is sent to anonymous third-party brokers without consent. Because the operators control the redirect path, they can change what the user receives at any time, injecting phishing links or malicious downloads without shipping an extension update that the store would review. That elevates the risk from adware to a delivery channel for harmful content. The anonymity of publishers and brokers complicates enforcement and remediation.
Mitigation Recommendations
There is no patch to apply: the extensions themselves are the problem, distributed through the Chrome Web Store on top of affiliate broker infrastructure. Removing an extension ends that user's exposure but does not disrupt the campaign, because the operators run multiple disposable extensions and persist at the broker level; enforcement against the affiliate brokers and stricter publisher vetting by extension stores are needed to address the threat. Practical steps:
- Users: check chrome://settings/searchEngines for a default provider you did not choose and chrome://extensions for anything recently installed or unfamiliar; remove the extension and restore the default. Chrome prompts on first use of an extension-overridden search engine and offers to change it back; treat that prompt as a signal rather than a nuisance.
- Organizations: restrict extension installation with the ExtensionInstallAllowlist / ExtensionInstallBlocklist (or ExtensionSettings) policies, and pin the default search provider with the DefaultSearchProviderEnabled and DefaultSearchProviderSearchURL policies; policy-managed settings take precedence over extension overrides.
- Detection: in proxy or DNS logs, look for search traffic that passes through unfamiliar hosts before landing on a search network, and cluster requests by the hspart query parameter; one hspart value maps a broker network regardless of which extension produced the traffic.
Monitor Chrome Web Store enforcement actions and vendor advisories for updates.
Reddit Discussion
I scanned Chrome extension manifests for chrome_settings_overrides and found 23 extensions silently routing 758,000 users' searches through hidden monetization networks.
The pattern: install a free extension (satellite imagery, maps, news reader), your default search gets quietly replaced and every query goes through the operator's middleware before reaching a search network, generating affiliate revenue you never consented to.
Key findings:
- 8 distinct brokers behind these extensions. If one extension gets pulled, another goes up under a different name.
- Several extensions have zero functionality beyond the search override
- One extension affirmatively claims "We don't track your searches" while its own privacy policy says otherwise
- One uses runtime declarativeNetRequest injection so the real behavior is invisible to static analysis
The `hspart` parameter in the final search redirect URL is the clustering key. One value maps an entire broker network regardless of extension name, domain, or publisher identity.
Full report: https://malext.io/reports/SearchJack/
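A static triage of the pattern described in the post, as an added example (JavaScript for Node; not the report's own tooling): it flags manifests that declare chrome_settings_overrides.search_provider, marks which of those are manifest-only wrappers, parks declarativeNetRequest extensions with broad host permissions for dynamic analysis, and clusters hits by hspart. The manifests, hostnames, hspart values and the observed final redirect URL are constructed placeholders; that hspart may only appear after following the middleware redirect (captured separately, e.g. with curl -L) is an assumption about how such a pipeline would be run, not a finding from the report.

```javascript
// Added example, not the SearchJack report's tooling: triage Chrome extension
// manifests for a default-search override, then cluster hits by the `hspart`
// partner id in the final search URL. All manifests, hosts and hspart values
// below are constructed placeholders, not identifiers from the campaign.

// Constructed sample manifests keyed by a fake extension id.
const SAMPLE_MANIFESTS = {
  "ext-a": {
    // Manifest-only wrapper: nothing in the package but the override.
    manifest_version: 3,
    name: "Satellite Imagery Viewer",
    version: "1.0",
    chrome_settings_overrides: {
      search_provider: {
        name: "Search", keyword: "s", encoding: "UTF-8", is_default: true,
        // Points at the operator's middleware; hspart only shows up after redirect.
        search_url: "https://go.middleware-a.test/s?q={searchTerms}",
      },
    },
  },
  "ext-b": {
    manifest_version: 3,
    name: "Daily News Reader",
    version: "2.3",
    background: { service_worker: "bg.js" },
    chrome_settings_overrides: {
      search_provider: {
        name: "Web Search", keyword: "w", encoding: "UTF-8", is_default: true,
        search_url: "https://portal.unrelated-b.test/?hspart=PART_0001&q={searchTerms}",
      },
    },
  },
  "ext-c": {
    // No static override, but it can add redirect rules at runtime with
    // chrome.declarativeNetRequest.updateDynamicRules(); needs dynamic analysis.
    manifest_version: 3,
    name: "Maps Helper",
    version: "0.9",
    permissions: ["declarativeNetRequest"],
    host_permissions: ["<all_urls>"],
    background: { service_worker: "bg.js" },
  },
  "ext-d": {
    manifest_version: 3,
    name: "Color Picker",
    version: "1.2",
    action: { default_popup: "popup.html" },
  },
};

// Constructed: final URL observed after following ext-a's middleware redirect
// (assumed captured out of band, e.g. with curl -L or a headless browser).
const OBSERVED_FINAL_URLS = {
  "ext-a": "https://search.example-engine.test/search?p=x&hspart=PART_0001&hsimp=yhs-001",
};

// Manifest keys showing the extension does something beyond the override.
const FUNCTIONAL_KEYS = ["background", "content_scripts", "action", "browser_action",
  "page_action", "options_page", "options_ui", "devtools_page", "side_panel"];

// Parse hostname and hspart from a search URL template; null if unparseable.
function parseSearchUrl(template) {
  try {
    const u = new URL(template.replace("{searchTerms}", "x"));
    return { host: u.hostname, hspart: u.searchParams.get("hspart") };
  } catch {
    return null;
  }
}

// One finding per suspicious extension. hspart is taken from the manifest
// search_url or, failing that, from the observed final redirect URL.
function triage(manifests, observedFinalUrls = {}) {
  const findings = [];
  for (const [id, m] of Object.entries(manifests)) {
    const sp = m.chrome_settings_overrides?.search_provider;
    if (sp && sp.search_url) {
      const fromManifest = parseSearchUrl(sp.search_url) ?? { host: null, hspart: null };
      const fromFinal = observedFinalUrls[id] ? parseSearchUrl(observedFinalUrls[id]) : null;
      findings.push({
        id, name: m.name, kind: "search_override",
        isDefault: sp.is_default === true,
        host: fromManifest.host,
        hspart: fromManifest.hspart ?? fromFinal?.hspart ?? null,
        manifestOnly: !FUNCTIONAL_KEYS.some((k) => k in m),
      });
    } else if ((m.permissions ?? []).includes("declarativeNetRequest") &&
               (m.host_permissions ?? []).includes("<all_urls>")) {
      findings.push({ id, name: m.name, kind: "dynamic_analysis_needed", hspart: null });
    }
  }
  return findings;
}

// Group extension ids by hspart: one value maps a whole broker network.
function clusterByHspart(findings) {
  const clusters = {};
  for (const f of findings) {
    if (!f.hspart) continue;
    if (!clusters[f.hspart]) clusters[f.hspart] = [];
    clusters[f.hspart].push(f.id);
  }
  return clusters;
}

const findings = triage(SAMPLE_MANIFESTS, OBSERVED_FINAL_URLS);
console.log(JSON.stringify(findings, null, 2));
console.log("clusters by hspart:", clusterByHspart(findings));
```

Run with `node triage.js`. ext-a and ext-b land in the same cluster even though their manifests name different hosts and one of them only reveals hspart after the redirect, which is the clustering property the post describes; ext-c produces no static hit at all and is only surfaced because of its permission set, which is why the runtime declarativeNetRequest case needs a browser-driven check rather than a manifest scan.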
Technical Details
- Source Type
- Subreddit: netsec
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a27e3148dd33fbd85125746
Added to database: 6/9/2026, 9:55:32 AM
Last enriched: 6/9/2026, 9:55:41 AM
Last updated: 6/9/2026, 3:56:54 PM
Views: 10