Cybersecurity researchers have uncovered a large-scale malicious browser extension campaign involving 108 Google Chrome extensions that secretly harvested user data, hijacked Telegram sessions, and enabled browser-level abuse. The extensions collectively recorded approximately 20,000 installs through the Chrome Web Store before being flagged.
The campaign, identified by security firm Socket, tied all 108 extensions to the same command-and-control (C2) infrastructure even though they were published under five seemingly separate developer identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt.
Researchers say the coordinated activity indicates a single operator managing the entire network.
How the Malicious Extensions Worked
Although the extensions presented themselves as legitimate tools, including Telegram sidebar clients, browser utilities, translation tools, and casual browser games, they executed hidden scripts in the background.
Investigators found several overlapping malicious behaviors:
- 54 extensions abused Google’s OAuth2 login flow, collecting user profile details such as email addresses, full names, profile images, and unique Google account identifiers during sign-in attempts.
- 45 extensions contained a built-in backdoor that let the operator silently open arbitrary URLs in the user’s browser at startup.
- Certain extensions exfiltrated active Telegram Web session data every 15 seconds. Because a stolen session is already authenticated, it enables account takeover without the password or a two-factor code ever being needed.
- Some extensions removed key browser security protections from platforms like YouTube and TikTok before injecting advertising overlays or scripts.
- Others injected scripts into every webpage visited or routed translation requests through attacker-controlled servers.
Security researchers confirmed that all stolen credentials and browsing data were transmitted to infrastructure controlled by the same operator.
Why This Attack Is Concerning
Unlike traditional malware, malicious browser extensions operate within the browser’s permission framework. Once installed, they can gain persistent access to:
- Session tokens
- Browsing activity
- Page content
- Authentication data
Because many users trust extensions available in official stores, this campaign highlights a growing trend: attackers increasingly disguise surveillance tools as productivity utilities.
The fact that some extensions were able to read and exfiltrate session tokens, particularly for Telegram Web, raises serious concerns. Session hijacking hands the attacker an already-authenticated session, so it grants full account control without triggering a password-change alert or a two-factor prompt; the victim’s password and 2FA remain intact and never come into play.
Who Was Affected?
The extensions accumulated around 20,000 installations collectively. While the number may seem modest compared to mass malware campaigns, browser extensions often target users seeking niche utilities, meaning victims may include professionals, students, and business users who rely on web-based messaging and Google services.
Anyone who installed Telegram-related extensions or unfamiliar Chrome utilities in recent months may want to review their browser immediately.
Immediate Steps Users Should Take
Security experts recommend the following precautions:
- Review all installed Chrome extensions and remove unfamiliar or unnecessary ones.
- Log out of all active Telegram Web sessions via Settings > Devices in the Telegram mobile app (use “Terminate All Other Sessions”), then sign back in only on devices you recognize.
- Check Google account security settings and revoke suspicious third-party app access.
- Enable two-factor authentication where not already active.
- Monitor account activity for unusual sign-ins or unexpected behavior.
As a general best practice, users should minimize extension installations and regularly audit browser permissions.
A Larger Pattern in Browser-Based Threats
Browser extensions are becoming an increasingly attractive attack surface. Modern web browsers keep authentication tokens in local storage and cookies so that users stay signed in between visits. A malicious extension with host access to a site can read that storage directly, and because the token it copies has already passed the password and two-factor checks, those controls never get a chance to intervene.
This incident reinforces a broader cybersecurity reality: threats are shifting from system-level malware to browser-level compromise. Because browsers now function as productivity hubs handling email, cloud storage, banking, messaging, and enterprise tools, compromising a browser can be as damaging as infecting an entire device.
What Makes This Campaign Stand Out
Several characteristics distinguish this operation:
- A high number of coordinated extensions (108)
- Shared backend infrastructure despite different publisher names
- Simultaneous targeting of both Google and Telegram ecosystems
- Automated session exfiltration occurring at short intervals
The combination of identity harvesting, session hijacking, and remote browser control demonstrates a layered attack strategy rather than isolated malicious behavior.
Final Thoughts
The discovery of over 100 coordinated malicious Chrome extensions serves as a stark reminder that official marketplaces are not immune to abuse. While browser extensions offer convenience and customization, they also expand the attack surface of modern digital life.
Users are advised to treat browser permissions with the same caution as mobile app permissions. Installing fewer extensions and verifying the credibility of developers can significantly reduce risk exposure.
As browser-based threats continue to evolve, proactive digital hygiene may prove to be the most effective defense.