What looks like a harmless browser add-on could be quietly spying on you.
Cybersecurity researchers have uncovered a large-scale campaign involving 108 malicious Google Chrome extensions that have collectively affected over 20,000 users. Disguised as everyday tools — from Telegram helpers to gaming add-ons — these extensions are secretly stealing sensitive user data, hijacking browser sessions, and injecting malicious scripts into web pages.
It’s a reminder of a growing reality: even trusted platforms like the Chrome Web Store aren’t immune to sophisticated threats.
How a network of fake extensions slipped through the cracks
According to researchers at Socket, the extensions were published under multiple developer identities, including “Yana Project,” “GameGen,” “SideGames,” “Rodeo Games,” and “InterAlt.” On the surface, they appeared legitimate, offering features like translation tools, Telegram web clients, and entertainment-based add-ons.
Behind the scenes, however, all 108 extensions were connected to the same command-and-control (C2) infrastructure — effectively acting as a coordinated data-harvesting network.
Once installed, these extensions could:
- Steal Google account identity data using OAuth2 permissions
- Hijack Telegram Web sessions and send data every 15 seconds
- Inject ads and malicious scripts into any website visited
- Open arbitrary web pages automatically when the browser launches
- Bypass key security protections on platforms like YouTube and TikTok
In short, they turn a user’s browser into a controlled environment for surveillance and manipulation.
When your browser becomes the attack surface
What makes this campaign particularly concerning is how deeply these extensions integrate into everyday browsing. Unlike traditional malware that requires downloads or suspicious files, browser extensions operate with built-in permissions that users often approve without a second thought.
In this case, some extensions went as far as overwriting session data — meaning attackers could effectively take over a user’s Telegram account or impersonate them online.
Others stripped the response headers that enforce Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) restrictions, making it easier to inject gambling ads, malicious overlays, and tracking scripts into the pages a user visits.
A closer look at the most dangerous behaviors
Not all extensions behaved the same, but together they formed a powerful toolkit for attackers:
- 54 extensions focused on stealing Google account identity data
- 45 extensions included hidden backdoors that triggered on browser startup
- Several continuously monitored and exfiltrated Telegram session tokens
One particularly alarming example involved an extension that could replace a user’s Telegram session entirely with one controlled by the attacker — essentially allowing them to read messages, send chats, and operate unnoticed.
Why this trend is getting harder to stop
This isn’t an isolated case. Malicious browser extensions have become a fast-growing cybersecurity threat, largely because they exploit trust in official marketplaces.
Platforms like the Chrome Web Store rely on automated and manual reviews, but attackers are getting better at disguising harmful code, sometimes activating malicious features only after installation or updates.
There’s also a broader trend at play: browser-based attacks are replacing traditional malware. Since so much of modern work — email, messaging, banking — happens in the browser, it’s become the perfect target.
For businesses and individuals alike, this shifts the security focus from just “what you download” to “what you allow in your browser.”
What you should do right now
If you’ve installed any unfamiliar Chrome extensions recently, it’s worth taking a few minutes to review them.
- Remove any extensions you don’t fully trust
- Log out of active Telegram Web sessions via your mobile app
- Revoke suspicious Google account permissions
- Enable two-factor authentication (2FA) where possible
It’s also a good habit to install extensions only from well-known developers and to regularly audit your browser permissions.
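One way to carry out that permissions audit on your own machine, as an added example that is not code from Socket or from this article: the script below parses Chrome extension manifest.json files and flags the capability patterns this campaign relied on (OAuth2 identity access, cookie and session access, script injection into every site, response-header rewriting, opening tabs). The permission names, the profile directory layout and the two sample manifests are assumptions and constructed samples, not data from the report.

```python
"""Flag the capability patterns described above in Chrome extension manifests (added example)."""
import json
from pathlib import Path

# Manifest permissions that grant the capabilities the article describes (assumed MV3/MV2 names).
RISKY = {
    "identity": "can obtain Google account identity data via OAuth2",
    "cookies": "can read or overwrite site cookies, e.g. a Telegram Web session",
    "scripting": "can inject scripts into pages it has host access to",
    "declarativeNetRequest": "can rewrite response headers such as CSP and CORS",
    "webRequest": "can observe and, with webRequestBlocking, modify requests",
    "tabs": "can open arbitrary pages, e.g. on browser startup",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json (empty list if none)."""
    perms = manifest.get("permissions", [])
    findings = [f"permission {p}: {RISKY[p]}" for p in perms if p in RISKY]
    # Host access may come from host_permissions (MV3), permissions (MV2) or content_scripts.
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("host access to every website the user visits")
    if "oauth2" in manifest:  # wires chrome.identity to a Google OAuth client id
        findings.append("oauth2 scopes requested: " + ", ".join(manifest["oauth2"].get("scopes", [])))
    return findings

def scan_profile(extensions_dir):
    """Audit every <Extensions>/<id>/<version>/manifest.json under a Chrome profile directory."""
    report = {}
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(mf.read_text(encoding="utf-8"))
        findings = audit_manifest(manifest)
        if findings:
            report[mf.parent.parent.name] = (manifest.get("name", "?"), findings)
    return report

# Constructed samples: a narrowly scoped translator and one with the campaign's capability set.
BENIGN = {"name": "Page Translator", "permissions": ["storage"],
          "host_permissions": ["https://translate.example/*"]}
SUSPECT = {"name": "TeleHelper", "permissions": ["identity", "cookies", "scripting", "tabs"],
           "host_permissions": ["<all_urls>"],
           "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com",
                      "scopes": ["https://www.googleapis.com/auth/userinfo.email"]}}

if __name__ == "__main__":
    for m in (BENIGN, SUSPECT):
        print(m["name"], "->", audit_manifest(m) or ["no risky capabilities"])
```

To check a real profile, call scan_profile on its Extensions folder (on Linux typically ~/.config/google-chrome/Default/Extensions); a flagged permission is a prompt to verify the developer, not proof of malice.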
The bigger picture: convenience vs. control
This incident highlights a growing tension in modern tech — the balance between convenience and security.
Browser extensions are powerful because they simplify everyday tasks. But that same power can be exploited when oversight fails.
As attackers continue to evolve, users will need to be more intentional about what they install and what access they grant.
So here’s the question: when was the last time you checked what your browser extensions are really doing behind the scenes?