Fake Brand Extensions Push .shop Lures and Notification Permissions
Palo Alto Networks Unit 42 published a June 24, 2026 threat-intelligence note about 18 browser extensions that impersonated consumer brands and sent users into a suspicious affiliate-marketing flow. The extensions opened squatting .shop domains after installation, showed “further action required” pages, asked users to move to a gaming-oriented browser, and used the click path to set affiliate cookies.
The important part for home users is the browser-abuse pattern. This was not just a bad web page. Unit 42 said the extensions opened a new tab after install, pushed a false browser-incompatibility message, abused web push notification permission, and sent users toward a low-reputation .sbs affiliate tracking link.
What Unit 42 Found
The reported activity involved 18 extension IDs. Unit 42 also noted that at least one removed extension was republished as a different version: mgnifjlpjmhihkmfjfbgjehfloockehi was removed, then jcjnpcclnnjcdamcmhhicpfcjnokclpe appeared as a newer version of the same plugin.
Associated .shop domains included bextension-6124d[.]shop, broth-print-extension46[.]shop, caschekillerextension[.]shop, dee-extensonchorm464[.]shop, pecktvextensionchrome3[.]shop, phot-matchextensionchrome5[.]shop, picphotoedutir46[.]shop, snaitextension44[.]shop, and word-extension946[.]shop.
The example “further action required” page was chromehubplugin[.]com. The example tracking destination was track.getbrowser[.]sbs/click?offer=j32aevgf9qxx. These names are useful for checking browser history, but they should not be treated as a complete blocklist because extension operators can rotate domains quickly.
The Notification Trick
According to Unit 42, the page used urgency text such as “Action Required,” “Almost Done,” and “One Last Step.” It also claimed that the current browser was not supported. When the user clicked the button to download the browser and continue, a script attached to the button intercepted the click and deceptively obtained permission to send push notifications.
That is why this belongs in the same practical category as browser notification scams and deceptive extension installs. A notification permission prompt can look like part of a setup flow, but once allowed, a site can send pop-ups through the browser even when the original tab is closed. The browser notification scam removal guide explains how to review and revoke those permissions.
Why the Extensions Are Risky
Unit 42 described the goal as affiliate monetization, not a confirmed credential-stealing campaign. That distinction matters. The immediate behavior was opening domains, pushing a deceptive setup path, setting affiliate cookies, and steering users through a tracking link.
At the same time, one extension reportedly stored a copy of browser history in local storage. Unit 42 said that data was not currently being exfiltrated, but the extension had permissions that could allow a silent update to start transmitting it later without asking for a new permission grant. That makes cleanup worth doing even if the browser only seems mildly annoying today.
The pattern is close to other browser-extension abuse seen this month. SearchJack used extensions to monetize search traffic, while a separate live-wallpaper extension group used browser add-ons for redirects and suspicious behavior. See the related reports on SearchJack Chrome extensions and Chrome wallpaper extension adware.
Extension IDs to Check
If you installed a suspicious brand-themed browser extension recently, check whether any of these IDs appear in the extension details page:
akacljehjekfjgedpgpdjbdnmfgacikj, bdjadhfeokpmjekfbbfclpbejdoepkag, cabinnjglmnadimaginbiafbkancbgio, cbbblelpjglcbpdnaidkfekleabgofgh, cmikjhfacingiiipjkmldcndpbnimdob, dgifbffblookmomalpfkfkldcgofhllp, gapcpoajcnhfpnlkgbfdhcofkjjgghfi, gkkgkahfnpmngjemamlepbnbgihadidn, hdbbmiepcfblbnadgmgbhbplffofgbng, hmkcidjcpomiegnklmplkimmbcbklglb, ieoofhgipagkhinhedjgmloejfoaglcf, imfidgcafoafgcjcfniemjmgembigodn, jcjnpcclnnjcdamcmhhicpfcjnokclpe, mgnifjlpjmhihkmfjfbgjehfloockehi, oinhkppjekojppojmpillbcahmgelnif, ombbgjgaipdokjladfdbilkjlcpogdik, oooajbapompagfednbkpmaicgpcdmlok, and pogmledndpkjkliejlcdbgkfkoblickb.
In Chrome and Chromium-based browsers, open the extensions page, enable developer mode if needed, and inspect extension IDs. Remove anything you do not recognize, especially if it opened a shopping domain, claimed your browser was incompatible, or asked for notification permission during setup.
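The same ID check can be run against every profile at once. The script below is an added example, not Unit 42's tooling; it assumes the usual Chromium on-disk layout of `<user data>/<profile>/Extensions/<id>/<version>/`, and the function name and demo tree are constructed for illustration.

```python
"""Scan a Chromium user-data directory for the extension IDs listed above."""
import sys
import tempfile
from pathlib import Path

# The 18 extension IDs from this article.
FLAGGED_IDS = frozenset("""
akacljehjekfjgedpgpdjbdnmfgacikj bdjadhfeokpmjekfbbfclpbejdoepkag
cabinnjglmnadimaginbiafbkancbgio cbbblelpjglcbpdnaidkfekleabgofgh
cmikjhfacingiiipjkmldcndpbnimdob dgifbffblookmomalpfkfkldcgofhllp
gapcpoajcnhfpnlkgbfdhcofkjjgghfi gkkgkahfnpmngjemamlepbnbgihadidn
hdbbmiepcfblbnadgmgbhbplffofgbng hmkcidjcpomiegnklmplkimmbcbklglb
ieoofhgipagkhinhedjgmloejfoaglcf imfidgcafoafgcjcfniemjmgembigodn
jcjnpcclnnjcdamcmhhicpfcjnokclpe mgnifjlpjmhihkmfjfbgjehfloockehi
oinhkppjekojppojmpillbcahmgelnif ombbgjgaipdokjladfdbilkjlcpogdik
oooajbapompagfednbkpmaicgpcdmlok pogmledndpkjkliejlcdbgkfkoblickb
""".split())


def find_flagged_extensions(user_data_dir):
    """Return sorted (profile, extension_id, [versions]) for flagged IDs.

    Assumption: extensions are unpacked under
    <user data>/<profile>/Extensions/<id>/<version>/
    """
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    for ext_root in root.glob("*/Extensions"):
        if not ext_root.is_dir():
            continue
        for ext_dir in ext_root.iterdir():
            if ext_dir.is_dir() and ext_dir.name.lower() in FLAGGED_IDS:
                versions = sorted(v.name for v in ext_dir.iterdir() if v.is_dir())
                hits.append((ext_root.parent.name, ext_dir.name, versions))
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        target = sys.argv[1]  # path to the browser's user-data directory
    else:
        # No path given: scan a constructed demo tree instead of a real profile.
        target = tempfile.mkdtemp()
        Path(target, "Default", "Extensions",
             "mgnifjlpjmhihkmfjfbgjehfloockehi", "1.0_0").mkdir(parents=True)
    for profile, ext_id, versions in find_flagged_extensions(target):
        print(f"{profile}: {ext_id} versions={versions}")
```

A clean result only means none of these 18 IDs is installed; the article already notes that at least one extension came back under a new ID.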
What to Do If You Clicked Through
Remove the extension first. Then review notification permissions and remove any unfamiliar sites, especially recent .shop, .sbs, or browser-promotion domains. Clear cookies and site data for the suspicious domains if they appear in browser history.
If the browser still opens unwanted tabs, changes search behavior, or reinstalls extensions, scan the computer for unwanted programs and check startup items. The Potentially Unwanted Programs guide covers the broader cleanup process for bundled apps and unwanted browser changes. The older Chrome extension tracking guide is also useful for understanding why extension permissions matter.
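The notification review described above can also be done from the profile's `Preferences` file. This is an added example, not part of the Unit 42 note; it assumes Chromium stores grants under `profile.content_settings.exceptions.notifications` with `"setting": 1` meaning allow, and the sample hosts ending in .shop and .sbs are constructed.

```python
"""Flag allowed notification origins in a Chromium Preferences file."""
import json
import sys
from pathlib import Path
from urllib.parse import urlsplit

# TLDs called out in this article, plus its example page host (re-fanged here).
SUSPECT_TLDS = (".shop", ".sbs")
PAGE_HOST = "chromehubplugin[.]com".replace("[.]", ".")
SUSPECT_HOSTS = {PAGE_HOST}
ALLOW = 1  # assumption: Chromium content-setting value for "allow" (2 = block)


def is_suspect(host):
    host = host.lower().rstrip(".")
    named = any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)
    return named or host.endswith(SUSPECT_TLDS)


def flagged_notification_grants(prefs):
    """Return sorted hosts that hold an 'allow' grant and match the list above.

    Assumption: keys look like "https://host:443,*".
    """
    grants = (prefs.get("profile", {}).get("content_settings", {})
                   .get("exceptions", {}).get("notifications", {}))
    hits = set()
    for pattern, entry in grants.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked or malformed entries are not active grants
        try:
            host = urlsplit(pattern.split(",")[0]).hostname
        except ValueError:
            host = None
        if host and is_suspect(host):
            hits.add(host)
    return sorted(hits)


# Constructed sample; the .shop and .sbs hosts are made up for illustration.
SAMPLE = {"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://setup.constructed-sample.shop:443,*": {"setting": 1},
    f"https://{PAGE_HOST}:443,*": {"setting": 1},
    "https://click.constructed-sample.sbs:443,*": {"setting": 2},
    "https://mail.example.com:443,*": {"setting": 1},
}}}}}

if __name__ == "__main__":
    prefs = (json.loads(Path(sys.argv[1]).read_text(encoding="utf-8"))
             if len(sys.argv) == 2 else SAMPLE)
    print("\n".join(flagged_notification_grants(prefs)) or "no suspect grants")
```

Close the browser before reading a real `Preferences` file, and revoke anything it flags through the browser's site settings rather than by editing the file.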
Quick Check
A real extension should not need to send you to a random .shop page, claim your browser is unsupported, and request notification permission to complete setup. If that happened, remove the extension, revoke notification permissions, and treat any related affiliate-download page as untrusted.



