With a total install base of over 1.4 million, the extensions can modify cookies on ecommerce websites so that their creator receives affiliate payments for the purchased items, without the victim’s knowledge.

The five malicious extensions help users watch Netflix shows together (Netflix Party and Netflix Party 2, with a combined install base of 1.1 million), enable them to track online prices and coupons (FlipShope – Price Tracker Extension and AutoBuy Flash Sales, with 100,000 installs), and capture screenshots (Full Page Screenshot Capture – Screenshotting, with 200,000 installs).