Apr 15, 2026 · 6 min read
108 Malicious Chrome Extensions Are Stealing Google and Telegram Logins—They Are Still in the Chrome Web Store
Security researchers found a coordinated campaign of extensions that harvest Google OAuth tokens and Telegram session data every 15 seconds. Google has been notified but has not removed them.
What Was Discovered
Application security company Socket identified 108 malicious extensions in the official Chrome Web Store that are part of a coordinated campaign to steal user credentials and session data. The extensions, published on April 14, 2026, share the same command and control infrastructure and were published under five distinct publisher identities to evade detection.
The extensions masquerade as legitimate utilities: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and general purpose utility extensions. Code analysis points to a Russian malware as a service (MaaS) operation, with the central backend hosted on Contabo VPS infrastructure using multiple subdomains for different operations.
How They Steal Your Data
The malicious extensions operate through several distinct attack methods:
- Google account theft (54 extensions): These use Chrome's chrome.identity.getAuthToken API to harvest Google OAuth2 Bearer tokens. On sign in, they steal the token and fetch your profile, including your email address, name, profile picture, and Google account ID
- HTML injection (78 extensions): These inject attacker controlled HTML via the innerHTML property, enabling ad fraud and content manipulation
- Hidden backdoors (45 extensions): These function as sleeper agents, fetching and executing commands from the C2 infrastructure on demand
- Telegram session hijacking (1 extension): The most severe variant steals Telegram Web sessions every 15 seconds, extracting session data from localStorage and sending it to the C2. It can swap any victim's browser into a different Telegram account
Additional variants strip security headers from web requests, inject advertisements into YouTube and TikTok pages, and proxy traffic through malicious servers.
Why the Chrome Web Store Keeps Failing
This is not an isolated incident. The Chrome Web Store has become a recurring vector for malicious extension campaigns. Earlier this year, Chrome extensions were caught stealing ChatGPT and DeepSeek credentials, and a separate campaign targeted Workday and NetSuite users with credential theft extensions.
The core problem is that Google's automated review process cannot reliably detect malicious behavior that activates after installation or that is obfuscated in the extension code. Attackers have learned to publish benign looking extensions that only reveal their true purpose after passing review, often through delayed activation or by downloading malicious payloads from external servers.
Socket notified Google about the campaign, but at the time of publication, all malicious extensions remained available for download. BleepingComputer independently confirmed that many were still listed.
What Is at Risk
The stolen OAuth tokens provide temporary but broad access to victim Google accounts. With a valid token, an attacker can read email, access Google Drive files, and interact with any Google service the user has authorized. While OAuth tokens expire, the extensions maintain persistent access by continuously harvesting fresh tokens.
The Telegram session theft is particularly dangerous for journalists and activists who rely on the platform for secure communications. By stealing session data every 15 seconds, the attacker maintains a live mirror of the victim's Telegram account, including all messages, contacts, and channel memberships.
The backdoor functionality means that even extensions that appear harmless today could become malicious tomorrow. The C2 infrastructure can push new commands at any time, turning a benign game extension into a credential stealer without any update visible to the user.
How to Protect Yourself
The threat is active and the extensions are still available. Take these steps now:
- Audit your installed extensions. Go to chrome://extensions and remove any extension you do not actively use or recognize. Pay special attention to Telegram clients, game extensions, and video enhancers
- Check extension publishers. Socket published the full list of malicious extension IDs. Search for the five publisher names associated with this campaign before trusting any new extension
- Revoke OAuth tokens. Visit your Google Account security page and review third party access. Revoke access for any application you do not recognize
- Log out of Telegram Web sessions. In Telegram's settings, review active sessions and terminate any you do not recognize
- Only install extensions from known developers. Avoid installing extensions with low review counts, generic descriptions, or publishers with no track record
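As an added defensive example (not code from Socket, Google or the article), the script below audits unpacked Chrome extension manifests for the capability mix described under "How They Steal Your Data": the identity permission and oauth2 block that chrome.identity.getAuthToken needs, host access to Telegram Web or Google accounts, and request-modifying permissions. The permission and host lists, the two sample manifests and the profile path in the usage note are assumptions of this example.

```python
import json
from pathlib import Path

# Capability mix the article describes: the identity API behind
# chrome.identity.getAuthToken, host access to Telegram Web / Google accounts,
# and request-header manipulation. These lists are this example's assumption.
RISKY_PERMISSIONS = {"identity", "webRequest", "webRequestBlocking", "declarativeNetRequest"}
SENSITIVE_HOSTS = ("web.telegram.org", "accounts.google.com", "<all_urls>", "*://*/*")


def assess_manifest(manifest: dict) -> list[str]:
    """Return findings for one extension manifest (handles MV2 and MV3 layouts)."""
    perms = set(manifest.get("permissions", []))
    findings = [f"permission:{p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    if "oauth2" in manifest:  # identity + oauth2 is what getAuthToken needs to mint tokens
        findings.append("oauth2:client configured")
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings += [f"host:{h}" for h in hosts if any(m in h for m in SENSITIVE_HOSTS)]
    return findings


def audit_directory(extensions_root: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return flagged IDs."""
    report: dict[str, list[str]] = {}
    for path in extensions_root.rglob("manifest.json"):
        ext_id = path.relative_to(extensions_root).parts[0]
        findings = assess_manifest(json.loads(path.read_text(encoding="utf-8")))
        if findings:
            report.setdefault(ext_id, []).extend(findings)
    return report


# Constructed sample manifests (not real extensions): a benign utility and one
# that mirrors the capability mix the article describes.
BENIGN = {"name": "Word Counter", "manifest_version": 3, "permissions": ["activeTab"]}
SUSPICIOUS = {
    "name": "Telegram Sidebar", "manifest_version": 3,
    "permissions": ["identity", "storage"],
    "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com", "scopes": ["email"]},
    "host_permissions": ["https://web.telegram.org/*"],
    "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["sidebar.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN, SUSPICIOUS):
        print(m["name"], "->", assess_manifest(m) or "no findings")
```

Point audit_directory at a profile's Extensions folder (on Linux typically ~/.config/google-chrome/Default/Extensions) to get findings keyed by extension ID; a hit is a reason to inspect the extension, not proof that it is malicious.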
The fact that LinkedIn now scans your installed Chrome extensions underscores how much data extensions can access. A separate campaign called StealTok used fake TikTok downloader extensions to secretly profile 130,000 Chrome and Edge users using the same delayed activation strategy. Every extension you install is a potential attack vector. The fewer you have, the smaller your attack surface.