Over 100 Chrome web store extensions steal user accounts, data
At a glance:
- More than 100 malicious Chrome extensions identified, many stealing Google OAuth2 tokens.
- Extensions span five publisher identities and categories like Telegram clients, gambling games, and YouTube/TikTok enhancers.
- All extensions remain live in the Chrome Web Store despite Google being notified.
What researchers found
Researchers at application‑security firm Socket uncovered a coordinated campaign that has placed over 100 malicious extensions in the official Chrome Web Store. The extensions were published under five distinct publisher identities and cover a range of categories: Telegram sidebar clients, slot‑machine and Keno games, YouTube and TikTok enhancers, a text‑translation tool, and generic utilities. Socket traced the campaign to a single command‑and‑control (C2) backend hosted on a Contabo VPS, with multiple sub‑domains handling session hijacking, identity collection, command execution, and monetisation.
The team identified three major clusters. The largest, comprising 78 extensions, injects attacker‑controlled HTML into the browser UI via the innerHTML property. A second cluster of 54 extensions abuses the chrome.identity.getAuthToken API to harvest the victim’s email, name, profile picture, Google account ID, and the short‑lived OAuth2 bearer token that grants access to the user’s Google data. A third batch of 45 extensions includes a hidden startup function that acts as a backdoor, fetching commands from the C2 and opening arbitrary URLs without user interaction.
How the extensions operate
One particularly severe extension steals Telegram Web sessions every 15 seconds, extracting session data from localStorage and the Telegram Web session token before exfiltrating it to the C2 server. It can also receive an inbound set_session_changed message that wipes the victim’s localStorage, injects attacker‑supplied session data, and force‑reloads Telegram, effectively swapping the user into a different Telegram account without their knowledge.
Other extensions observed by Socket perform ad‑fraud on YouTube and TikTok by stripping security headers and injecting ads, proxy translation requests through a malicious server, or act as dormant Telegram session‑theft tools that rely on staged infrastructure. All of these behaviours share the same backend infrastructure, indicating a malware‑as‑a‑service (MaaS) operation likely run from Russia, as suggested by comments left in the code.
Potential impact and mitigation
The theft of Google OAuth2 bearer tokens allows attackers to act on behalf of victims across Google services, potentially accessing Gmail, Drive, Calendar, and other data. Combined with the ability to hijack Telegram sessions, the campaign gives threat actors a broad foothold in both personal and professional communications. Because the extensions do not require explicit user interaction beyond installation, unsuspecting users can be compromised simply by adding a seemingly innocuous add‑on.
Socket has reported the findings to Google, but at the time of publishing the malicious extensions remain available in the Chrome Web Store. Security experts advise users to audit their installed extensions against the IDs published by Socket, remove any matches immediately, and enable two‑factor authentication on Google and Telegram accounts to limit the damage of stolen tokens.
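The audit advice above can be partly automated. The script below is an added example, not Socket's tooling or code from the article: it walks a Chrome profile's Extensions folder, reads each manifest.json, and flags extensions whose ID is on a denylist or whose bundled scripts match the behaviours described here (chrome.identity.getAuthToken calls, innerHTML injection, localStorage reads). The DENYLIST placeholder, the indicator regexes and the sample extension fixture are constructed assumptions.

```python
import json, os, re, tempfile
from pathlib import Path

DENYLIST = {"PLACEHOLDER_EXTENSION_ID"}  # replace with the IDs published by Socket
INDICATORS = {  # source patterns matching the behaviours described above
    "oauth_token_harvest": re.compile(r"chrome\.identity\.getAuthToken"),
    "html_injection": re.compile(r"\.innerHTML\s*="),
    "session_storage_read": re.compile(r"localStorage\.(?:getItem|key)\s*\("),
}

def scan_extension(version_dir):
    # Chrome layout: <profile>/Extensions/<id>/<version>/manifest.json
    ext_id = os.path.basename(os.path.dirname(version_dir))
    with open(os.path.join(version_dir, "manifest.json"), encoding="utf-8-sig") as fh:
        manifest = json.load(fh)
    hits = set()
    for dirpath, _, files in os.walk(version_dir):  # grep every bundled script
        for name in (n for n in files if n.endswith(".js")):
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits.update(k for k, rx in INDICATORS.items() if rx.search(src))
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "permissions": sorted(manifest.get("permissions", [])),
            "denylisted": ext_id in DENYLIST, "code_hits": sorted(hits)}

def scan_profile(extensions_root):
    # Report only extensions that are denylisted or show at least one indicator.
    findings = []
    for dirpath, _, files in os.walk(extensions_root):
        if "manifest.json" in files:
            f = scan_extension(dirpath)
            if f["denylisted"] or f["code_hits"]:
                findings.append(f)
    return findings

def build_sample_root():
    # Constructed fixture: one extension mimicking the article's patterns, one benign.
    root = tempfile.mkdtemp()
    samples = {
        "aaaa": ({"name": "Telegram Sidebar", "permissions": ["identity", "tabs"]},
                 "chrome.identity.getAuthToken({interactive: false}, send);\n"
                 "setInterval(() => send(localStorage.getItem('session')), 15000);"),
        "bbbb": ({"name": "Notes", "permissions": ["storage"]},
                 "chrome.storage.local.get('notes', render);"),
    }
    for ext_id, (manifest, js) in samples.items():
        d = Path(root, ext_id, "1.0.0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
        (d / "background.js").write_text(js)
    return root
```

Point scan_profile at a real profile's Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) and review each flagged entry by hand; an indicator hit is a reason to inspect, not proof of malice.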
Who is behind the operation
Evidence points to a Russian‑based MaaS operation. The code contains comments referencing authentication and session‑theft modules that match known Russian cyber‑crime patterns. The use of a single Contabo VPS for C2 suggests a low‑cost, centrally managed infrastructure typical of illicit service providers. While the exact group remains unidentified, the campaign’s scale and reuse of infrastructure across dozens of extensions indicate a professional outfit capable of monetising the stolen data through ad fraud and resale of account credentials.
FAQ
How many malicious extensions were identified in the Chrome Web Store?
More than 100, published under five publisher identities. Socket grouped them into three major clusters of 78, 54 and 45 extensions.
What types of user data are these extensions stealing?
Google account details (email, name, profile picture and account ID) together with the short-lived OAuth2 bearer token for the account, and Telegram Web session data taken from localStorage.
What steps should users take to protect themselves?
Audit installed extensions against the IDs published by Socket, remove any matches immediately, and enable two-factor authentication on Google and Telegram accounts.
Prepared by the editorial stack from public data and external sources.