If you've ever tried to save a WebP image from the internet, you know the pain. You right-click, hit "Save image as," and end up with a .webp file that half your apps can't open. Save Image as Type was one of the most popular Chrome extensions for solving that problem, with over a million users at its peak. Google even featured it in the Chrome Web Store. It did what it said on the tin, letting you right-click any image and save it as a PNG, JPG, or WebP, rather than having to convert it in an external tool. I used it myself.

But Chrome just flagged the extension as malware and disabled it for everyone. I wanted to know if it was a false positive or if there was something genuinely malicious going on, so I pulled apart every version I could find and dug through Chrome's on-disk storage databases to figure out exactly what happened. What I found was an affiliate fraud operation that had been running on my browser for months, injecting hidden iframes into practically every page I visited to stuff affiliate cookies from over a thousand different merchants.

The worst part? Security researchers had publicly documented the network behind it in October 2024, and Microsoft removed the Edge version in February 2025, stating that it was "malware." Meanwhile, Google didn't remove the extension until March 2026, months after it had been running malicious code on over a million browsers.

The extension was clean, until it wasn't

It was still featured on the Chrome Web Store

I managed to get my hands on several versions of Save Image as Type from the last few years in order to figure out when the malicious code was introduced. Version 1.2.3, dating back to May 2023, is completely clean. There's no content script, no injection into web pages, and no storage permission. It's a simple extension that uses Chrome's context menu and an offscreen document to convert and download images. The background script is just 5.9KB.

By version 1.4.6 in late 2024, the extension had grown. A new 428KB content script called inject.js appeared, injected into every HTTP and HTTPS page you visited. It added a storage permission and introduced two key components: an iframe element identified internally as SIAT_WORKER_FRAME and a localStorage throttle key called ldcsv. But in this version, those components were legitimate. The iframe loaded the extension's own offscreen.html page for image conversion, and the ldcsv key was a 24-hour cooldown to prevent creating the iframe too often.

Then came version 1.7.2. The inject.js file ballooned to 1.09MB, and those same two components, the SIAT_WORKER_FRAME iframe and the ldcsv throttle, were repurposed for something entirely different. The iframe no longer loaded an internal page for image conversion. Instead, it loaded URLs provided by a remote server, completely invisible to the user.

Between these versions, the developer had cleverly weaponized the extension's own existing infrastructure, which makes the changes look less suspicious in a code diff than adding entirely new functionality would. Still, diffing the two versions makes it clear how the existing code was repurposed to serve a malicious end.

How the malware actually works

Behavior controlled remotely

The malicious version of Save Image as Type uses a command-and-control setup, and it's a lot more sophisticated than I expected it to be when I first opened it up.

When you visit a webpage, the extension's content script waits two seconds, then checks a few conditions. First, it checks whether you've saved at least 10 images using the extension. If you haven't, it does nothing. This appears to be a deliberate gating mechanism: it waits until you're invested in the extension before activating the payload. Second, it checks how many images are on the current page, requiring at least 25 on recently checked pages and 155 on others. The likely reasoning is that an extra hidden iframe is less conspicuous on an image-heavy page. It also skips homepages entirely and avoids pages using the Space Mono font, which is commonly found on developer tools and documentation sites.

If all those checks pass, the extension contacts its C2 server at hxxps://www.saveimgastype[.]com/v1/feature-flags. The request includes a "cache buster" parameter calculated as follows:

307 * Math.floor(2e6 * Math.random()) - 16

The request is configured to silently accept any HTTP response status, including errors, so it never throws an exception that might show up in the browser console. The server responds with a field called extraImageCondition, a name chosen to look boring, that actually contains a list of URLs. The field isn't always present in the response, likely yet another precaution to minimize the risk of getting caught.

Those URLs all point to an affiliate redirect service called karmanow. The extension takes each URL, creates a full-screen iframe (matching window.innerWidth and window.innerHeight), sets its visibility to hidden, and appends it to the page body. After 8.5 seconds, the iframe is removed and that URL is deleted from the list so it's only loaded once. This is a practice known as cookie stuffing: by loading the affiliate redirect in a hidden iframe, the extension plants affiliate tracking cookies in your browser for hundreds of merchant sites, and it's not too dissimilar to what Honey was accused of. If you later visit any of those merchants and make a purchase, the extension author earns a commission on a sale they had nothing to do with.

The extension stores the C2-provided URL list in chrome.storage.local under a key called SC, but it doesn't store it in plain text. Every value is obfuscated using a simple scheme: reverse the string, shift each character's Unicode code point by +3, and prefix it with "siat" (short for Save Image As Type). The decoding function is just three lines of JavaScript, but it's enough to prevent casual inspection of the storage.
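As an added example (not the extension's code, and not code from the original article), here is a re-implementation of the obfuscation scheme just described, plus a decoder for a whole chrome.storage.local dump. The sample URL is constructed, and the assumption that the SC key holds an array of encoded strings is mine; the article only says the list lives under SC.

```javascript
// Added example: re-implementation of the storage obfuscation described above
// (reverse the string, shift every code point by +3, prefix "siat"). This is not
// the extension's own code; the sample URL below is constructed for illustration.
const SIAT_PREFIX = "siat";
const SIAT_SHIFT = 3;

// Encode the way the extension does before writing to chrome.storage.local.
function siatEncode(plain) {
  const shifted = Array.from(plain) // Array.from splits on code points, not UTF-16 units
    .reverse()
    .map((ch) => String.fromCodePoint(ch.codePointAt(0) + SIAT_SHIFT))
    .join("");
  return SIAT_PREFIX + shifted;
}

// Decode a stored value; returns null for anything that doesn't carry the prefix.
function siatDecode(stored) {
  if (typeof stored !== "string" || !stored.startsWith(SIAT_PREFIX)) return null;
  return Array.from(stored.slice(SIAT_PREFIX.length))
    .map((ch) => String.fromCodePoint(ch.codePointAt(0) - SIAT_SHIFT))
    .reverse()
    .join("");
}

// Decode a whole storage dump, e.g. the object chrome.storage.local.get(null)
// hands back. Assumption: list-valued keys such as SC hold arrays of encoded
// strings; scalar keys hold a single encoded string.
function decodeStorageDump(dump) {
  const out = {};
  for (const [key, value] of Object.entries(dump)) {
    out[key] = Array.isArray(value) ? value.map(siatDecode) : siatDecode(value);
  }
  return out;
}

// Constructed sample, not a real value recovered from the extension.
const SAMPLE_URL = "https://affiliate.example/redirect?merchant=shop-a";
const SAMPLE_ENCODED = siatEncode(SAMPLE_URL);
```

Because the shift is only +3, every character of an ordinary URL stays printable ASCII after encoding, which is why simply carving strings that start with "siat" out of the on-disk database works later on.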

What I found in my own browser

578 affiliate URLs

I wanted to know how bad the damage was on my own machine. Since Chrome had flagged the extension and wouldn't let me re-enable it to inspect its storage through normal means, I went straight to the source: Chrome stores extension data in LevelDB databases on disk. The extension's storage lives in the Local Extension Settings directory inside the Chrome profile folder, in a subdirectory named after the extension's ID.

I extracted every string prefixed with "siat" from the .ldb and .log files, ran them through the decoding function, and found 578 unique affiliate redirect URLs, all routing through karmanow. The targets ranged from major retailers like Adidas, Shein, and Amazon to smaller shops spread across dozens of countries. One review of the extension, published on March 6th, said the reviewer was being redirected from Best Buy to another site and had narrowed the behavior down to this extension. My local database did not contain a Best Buy URL, which suggests that more merchants were affected than the ones I'm seeing here.

The extension also leaves traces in the browser's per-site localStorage. Every time it injects a hidden iframe on a page, it writes a timestamp to a key called ldcsv in that page's localStorage. I searched Chrome's localStorage database (a separate LevelDB in Chrome's storage) and found ldcsv entries on 134 different sites I had visited. XDA, Reddit, GitHub, Amazon, YouTube, Discord, BBC, Forbes, TikTok, the Wall Street Journal, and basically every other site I had visited in a two month window.

The timestamps told me the payload had been active on my browser from December 12, 2025 through February 10, 2026, roughly two months. The activity was heaviest during the Christmas and New Year period, with dozens of injections per day during late December. On my second Chrome profile, which only has one image saved according to its local storage, the extension never triggered its malicious code.

It's worth noting that ldcsv is written to each site's own localStorage rather than the extension's storage, so Chrome doesn't clean it up when you uninstall the extension. If you had this extension installed, those timestamps are likely still sitting in localStorage on sites you visited. You can check by opening DevTools on any site and running localStorage.getItem("ldcsv") in the console. If it returns a value (a millisecond timestamp, stored as a string), the extension was active there, but the leftover key is harmless once the extension is removed.

The evasion techniques are surprisingly thorough

It even checked the page font

What interested me the most wasn't the cookie stuffing itself, but the effort put into making it hard to detect in the first place.

The extension won't contact the C2 server more than once every 36 hours, and that throttle state is kept in localStorage under the key siatlrx. The iframe injection has its own separate cooldown, so a given page won't be injected more than once an hour. Every value stored in chrome.storage.local is obfuscated with the character-shifting scheme, and because each iframe is removed after 8.5 seconds and each URL is only loaded once, there's no persistent evidence in the DOM. I was especially surprised to see that the extension skips pages that use developer-oriented fonts, specifically the Space Mono family, presumably because someone on such a page is more likely to be inspecting their browser closely.

The 10-save activation threshold is particularly clever. It means that anyone testing the extension for a review or security audit would need to actually use it for its intended purpose at least 10 times before the malicious behavior appears. Most testers wouldn't save that many images during an evaluation, and the heavily obfuscated code makes it hard to spot the gate by reading the source instead.

On top of all that, the extension's UI elements are rendered inside a closed Shadow DOM, preventing the host page's JavaScript from inspecting the extension's injected elements. And the C2 request is made with validateStatus: () => true (an axios request option), which means even if the server returns an error, the extension won't throw an exception that might show up in console logs.
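The one piece of evidence that does exist, briefly, is the iframe itself while it sits in the page body for those 8.5 seconds. The following is an added example, not the extension's code and not from the original article: a small DevTools detector that flags iframes matching the pattern described in this section (hidden, sized to the viewport, pointing at a cross-origin http(s) URL) and logs frames that appear and vanish within a few seconds. The heuristics and the 10-second "short-lived" cutoff are my assumptions drawn from the description above, and the frame descriptors in the test are constructed rather than captured from a real page.

```javascript
// Added example: detector for the hidden, viewport-sized iframes described in the
// article. Not the extension's code. Heuristics are assumptions based on the text:
// visibility hidden, width/height matching the viewport, cross-origin http(s) src,
// and removal within SHORT_LIVED_MS (the article reports removal after 8.5 s).
const SHORT_LIVED_MS = 10_000; // assumption: anything living under 10 s is worth flagging

// Pure classifier over a plain descriptor so it can be tested outside a browser.
// frame: { src, width, height, visibility, display }; viewport: { width, height, origin }
function isSuspiciousFrame(frame, viewport) {
  const hidden = frame.visibility === "hidden" || frame.display === "none";
  const viewportSized =
    Math.abs(frame.width - viewport.width) <= 2 &&
    Math.abs(frame.height - viewport.height) <= 2;
  let crossOrigin = false;
  try {
    const u = new URL(frame.src, viewport.origin);
    // about:blank, chrome-extension:// and friends are not the pattern we're after
    crossOrigin = /^https?:$/.test(u.protocol) && u.origin !== viewport.origin;
  } catch (_) {
    crossOrigin = false; // unparseable src
  }
  return hidden && viewportSized && crossOrigin;
}

function triageFrames(frames, viewport) {
  return frames.filter((f) => isSuspiciousFrame(f, viewport));
}

// Browser-only wiring: watch the DOM for iframes that are added (and removed soon
// after). Returns the observer, or null when there is no DOM (e.g. under Node).
function watchForStuffingFrames(log = console.warn) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return null;
  const viewport = () => ({ width: window.innerWidth, height: window.innerHeight, origin: location.origin });
  const seen = new Map(); // element -> insertion time
  // The article says the frame is styled before it is appended, so reading the
  // computed style at insertion time is enough.
  const describe = (el) => {
    const cs = getComputedStyle(el);
    return {
      src: el.getAttribute("src") || "",
      width: el.clientWidth || parseFloat(cs.width) || 0,
      height: el.clientHeight || parseFloat(cs.height) || 0,
      visibility: cs.visibility,
      display: cs.display,
    };
  };
  const obs = new MutationObserver((records) => {
    for (const r of records) {
      for (const n of r.addedNodes) {
        if (n.nodeName !== "IFRAME") continue;
        seen.set(n, performance.now());
        const d = describe(n);
        if (isSuspiciousFrame(d, viewport())) log("[stuffing-detector] hidden cross-origin frame added:", d.src);
      }
      for (const n of r.removedNodes) {
        if (n.nodeName !== "IFRAME" || !seen.has(n)) continue;
        const lived = performance.now() - seen.get(n);
        if (lived < SHORT_LIVED_MS) log(`[stuffing-detector] frame removed after ${Math.round(lived)} ms:`, n.getAttribute("src"));
        seen.delete(n);
      }
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}
```

Paste it into the console of a page you suspect and leave it running; a legitimate embed (same-origin, or visible) does not trip the classifier, while a frame matching the description above is logged on insertion and again when it is torn down. One caveat: a page-level MutationObserver only sees nodes in the light DOM, so if a future variant appended the frame inside a closed shadow root instead of the page body, this would miss it.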

This is part of a much bigger operation

It wasn't just this extension

Save Image as Type isn't an isolated case. It's part of a network of compromised extensions that security researcher Wladimir Palant documented in detail in October 2024. In a blog post titled "The Karma connection in Chrome Web Store," Palant traced a group of 12+ extensions, all performing the same affiliate fraud and user tracking, back to Karma Shopping Ltd., which is an Israeli company formerly known as Shoptagr Ltd.

The pattern was consistent across all of them: someone buys a popular extension through an ownership transfer, then injects the malicious code shortly after. Extensions like Hide YouTube Shorts (100,000 users), DarkPDF (40,000 users), and Dynamics 365 Power Pane (70,000 users) were all compromised the same way, and earlier versions of this scheme used kra18[.]com as the C2 server. Some affiliate links produced by that server explicitly named karmanow as the affiliate partner, the same domain I found in the 578 URLs stored in my browser.

Palant followed up in January 2025 with a second article documenting how these malicious extensions were circumventing Google's Manifest V3 remote code execution ban, finding additional groups like Phoenix Invicta pulling the same kind of tricks. The research was public, detailed, and specific. It named extensions, described their techniques, and provided indicators of compromise.

The Edge version of Save Image as Type (version 1.2.4) was removed from the Edge Add-ons store in February 2025, with Microsoft stating that it had detected malware. I downloaded that version of the extension and analyzed it, and confirmed that the last-published Edge version was completely clean. It's identical in structure to the clean Chrome version 1.2.3, with no content scripts, no injection, and no malicious code whatsoever. It's possible that Microsoft acted on Palant's research, but that seems unlikely given that the Edge build itself was clean.

The Edge extension's publisher, listed as "html5gamer," is not the same publisher as the Chrome extension. However, both html5gamer and cuixiping (the previous primary contributor of the extension), are Chinese-speaking developers who were active in the same GitHub issue a couple of years prior, and html5gamer has starred one of cuixiping's few public, non-forked repositories. With that said, there's no evidence that Karma Shopping had any involvement at the time of the extension's removal from the Edge store.

Google, on the other hand, didn't flag the Chrome version until March 2026, and it retained its "Featured" flag until its removal. Sometime in November 2025, the GitHub repository for the Save Image as Type extension was deleted. Then, sometime between November 13th and November 29th, the owner on the Chrome Web Store was changed to "laurenbridgecool" and the extension was updated with the malicious page injection described above.

The extension's removal comes over a year after Palant's public disclosure about the company, and months after the malicious payload was actively running on users' browsers. After the extension had changed hands, it sat in the Chrome Web Store with a "Featured" badge, and anyone searching for a way to save images in different formats would have found it as a top result.

How to check if you were affected

It left markers on every affected page

If you had Save Image as Type installed, here's how to check and clean up. First, open DevTools on any site you visit frequently and run the following command in the console:

localStorage.getItem("ldcsv")

If it returns a value, that's a Unix timestamp in milliseconds (stored as a string) recording when the extension last injected a hidden iframe on that site. You can remove it with localStorage.removeItem("ldcsv"). Check for localStorage.getItem("siatlrx") as well, as that's the C2 request throttle.

The problem is that these entries exist on every site where the extension was active, and there's no easy way to clean them all at once without clearing all site data in Chrome settings. The extension's own chrome.storage.local data is automatically wiped when you uninstall it, so at least the cached affiliate URL list is gone.

If you're technically inclined and the extension is still installed, you can find the LevelDB database in the Local Extension Settings directory of your Chrome profile folder, in the subdirectory named after the extension's ID. You can extract strings starting with "siat" from the .ldb and .log files there and decode them by stripping the four-character prefix, shifting each character code down by 3, and reversing the result. That'll show you exactly which affiliate URLs were cached in your browser.

For most people, though, just uninstall the extension and move on. If you need the functionality it provided, your best option is to look for alternatives or just manually convert images using an online tool. After what I've seen in this extension's code, I'll personally be a lot more skeptical of utility extensions in general going forward.

Google eventually doing the right thing and flagging the extension as malware is better than nothing, but it shouldn't have taken months of active exploitation to get there. Google took four months to remove the extension after it had changed hands, and it may come as a shock that a featured extension like this could change hands and be actively exploited with seemingly no oversight. For an extension with over a million users that Google itself had featured in its own store, that's not a good look at all.