108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users
Graham CLULEY
April 15, 2026
Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers - all reporting back to the same central point.
Researchers at Socket found that all 108 extensions were communicating with a single command-and-control server, strongly suggesting they are the work of one group of hackers.
Between them, before being identified, the extensions had racked up approximately 20,000 installs from the Chrome Web Store.
The malicious add-ons were published under five different publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) in an apparent attempt to avoid detection.
And to further disguise the reality of what was going on, each malicious Google Chrome extension adopted differing disguises - including posing as a Telegram sidebar client, slot machine games, tools to enhance YouTube and TikTok, or translation tools.
Behind the scenes, according to researchers, all 108 extensions were transferring stolen credentials, user identities, and browsing data to remote servers under the control of the hackers.
Specific malicious behaviours included:
54 extensions that stole Google account details - including email addresses, full names, profile pictures, and Google account IDs
45 extensions that contained a backdoor which could open arbitrary URLs upon browser startup
Privacy-busting extensions that exfiltrated Telegram Web sessions every 15 seconds, and in some cases even replaced the victim's active session with one of the hackers' choosing
Extensions that stripped security headers from YouTube and TikTok, and injected gambling ads.
Although the identity of those behind the campaign remains unknown, it is perhaps telling that Russian-language comments were found in the source code of several of the add-ons.
If you're a regular reader of Hot for Security then you will know that browser extension security has been a significant problem over the years.
Back in 2018, for instance, the Mega.nz Chrome extension was compromised via a malicious update, leading to it silently harvesting login credentials and cryptocurrency private keys from web surfers.
In 2020, researchers found 49 browser extensions targeting cryptocurrency wallets, which had been promoted via Google Ads and lauded with fake five-star reviews to appear trustworthy.
More recently, in 2023, a rogue "ChatGPT for Google" extension stole Facebook session cookies from over 9,000 users, and used them to spread malvertising.
And just this January, 16 more fake ChatGPT-themed extensions were found to be stealing authentication tokens.
Arguably the most alarming incident of all though occurred at Christmas in 2024, when a phishing email tricked a worker into granting a malicious app access to Cyberhaven's Chrome Web Store account. That allowed attackers to push a poisoned update to hundreds of thousands of users. That attack was believed to be part of a broader campaign that compromised over 35 extensions and affected an estimated 2.6 million people.
If you have installed any of the 108 extensions identified in this latest malicious campaign, your best course of action is to remove them immediately.
Furthermore, anyone who installed a dodgy Telegram-related extension should also log out of all Telegram Web sessions via the Telegram mobile app, as attackers may have already hijacked them.
More generally, don't you think it's high time you did a spring clean of your Chrome extensions? Do you actually use each one? Do the permissions they request seem proportionate for what they do? If in doubt, remove it.
After all, a lean browser with fewer extensions is inevitably a safer browser.
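The permission check the article recommends, turned into a script (an added example by the editor, not code from the article, Socket or Bitdefender): it reads Chrome extension manifests and flags permissions and host access that a small game or translation tool has no business asking for. The list of risky permissions, the two sample manifests and the Linux profile path are this editor's assumptions.

```python
import json
from pathlib import Path

# Permissions worth a second look (this editor's list, not from the article):
# each lets an extension read or alter data well beyond its own popup.
RISKY_PERMISSIONS = {
    "cookies": "read or modify cookies (session theft)",
    "webRequest": "observe network requests",
    "webRequestBlocking": "block or modify network requests",
    "declarativeNetRequest": "rewrite requests and response headers",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of open tabs",
    "identity": "obtain Google account tokens",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list:
    """Return findings for one manifest (MV2 or MV3); an empty list means nothing flagged."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in sorted(perms & set(RISKY_PERMISSIONS))]
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site")
    elif hosts:
        findings.append("host access: " + ", ".join(sorted(hosts)))
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every site")
    return findings

def audit_profile(extensions_dir: Path) -> dict:
    """Audit every installed extension; Chrome stores them as Extensions/<id>/<version>/manifest.json."""
    report = {}
    for mf in extensions_dir.glob("*/*/manifest.json"):
        data = json.loads(mf.read_text(encoding="utf-8"))
        report[data.get("name", mf.parent.parent.name)] = audit_manifest(data)
    return report

# Constructed samples: a "game" that asks for far more than a game needs, and a modest one.
SAMPLE_GAME = {"manifest_version": 3, "name": "Lucky Slots",
               "permissions": ["cookies", "tabs", "declarativeNetRequest"],
               "host_permissions": ["<all_urls>"]}
SAMPLE_NOTES = {"manifest_version": 3, "name": "Sticky Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for sample in (SAMPLE_GAME, SAMPLE_NOTES):
        print(sample["name"], "->", audit_manifest(sample) or ["nothing flagged"])
    # Real audit (Linux default profile path; adjust for your OS and profile):
    # print(audit_profile(Path.home() / ".config/google-chrome/Default/Extensions"))
```

A flagged finding is a prompt to ask whether the extension's stated purpose justifies it, not proof of malice; a password manager legitimately needs far more than a slot-machine game does.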
AUTHOR
Graham CLULEY
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.