Cybersecurity researchers have discovered 108 malicious Google Chrome extensions that communicate with the same command-and-control (C2) infrastructure to steal user data and enable browser-level abuse.
The extensions inject ads and arbitrary JavaScript code into every web page visited by users. They were published under five distinct publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt.
Collectively, the extensions amassed about 20,000 installs in the Chrome Web Store. All 108 extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator.
54 of the extensions steal Google account identity via OAuth2, capturing email, full name, profile picture URL, and Google account identifier when users click the sign-in button.
45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser starts. Several extensions exfiltrate Telegram Web sessions every 15 seconds by extracting the user_auth token and overwriting localStorage with attacker-supplied session data.
Five extensions use Chrome's declarativeNetRequest API to strip security headers (Content-Security-Policy, X-Frame-Options, and CORS headers) from YouTube and TikTok responses before injecting gambling overlays and ads.
Some extensions masquerade as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities.
Analysis of the source code revealed Russian language comments in several add-ons.
The extensions were discovered by cybersecurity researchers from Socket. Users are advised to remove the extensions immediately and log out of all Telegram Web sessions from the Telegram mobile app.
Across the 108 extensions:
- 54 extensions steal Google account identity via OAuth2
- 1 extension actively exfiltrates Telegram Web sessions every 15 seconds
- 1 extension includes staged infrastructure for Telegram session theft (not yet activated)
- 2 extensions strip YouTube security headers and inject ads
- 1 extension strips TikTok security headers and injects ads
- 2 extensions inject content scripts into every page the user visits
- 1 extension proxies all translation requests through the threat actor's server
- 45 extensions contain a universal backdoor that opens arbitrary URLs on browser start
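The behaviours described above (Google identity access via OAuth2, declarativeNetRequest rules that remove security headers, content scripts on every page, and a background script that opens a server-supplied URL at browser start) all leave traces in an extension's static files. The following Node.js script is an added example, not Socket's tooling and not code from any of the extensions: it audits an unpacked extension's `manifest.json`, its declarativeNetRequest rule set, and its background script for those indicators and returns a list of findings. The sample manifest, rules and background source are constructed for illustration; the finding IDs and the `auditExtension` function are this example's own naming.

```javascript
// Added example: static audit of an unpacked Chrome extension for the
// indicators described in the report. Node.js, no dependencies.
// Finding IDs (e.g. "dnr-strips-security-header") are this example's own.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "x-frame-options",
  "access-control-allow-origin",
]);

// declarativeNetRequest rules whose modifyHeaders action removes a
// response security header (the technique used against YouTube/TikTok).
function findHeaderStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = (h.header || "").toLowerCase();
      if (h.operation === "remove" && SECURITY_HEADERS.has(name)) {
        findings.push({
          id: "dnr-strips-security-header",
          ruleId: rule.id,
          header: h.header,
          urlFilter: rule.condition ? rule.condition.urlFilter : undefined,
        });
      }
    }
  }
  return findings;
}

function auditManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  const hosts = manifest.host_permissions || [];
  const allHosts =
    hosts.includes("<all_urls>") || hosts.some((h) => h.startsWith("*://*/"));
  // "identity" permission plus an oauth2 block: the extension can obtain a
  // Google identity token for the signed-in user.
  if (perms.has("identity") && manifest.oauth2) {
    findings.push({ id: "google-identity-access", scopes: manifest.oauth2.scopes || [] });
  }
  // Content scripts matching <all_urls> run in every page the user visits.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).includes("<all_urls>")) {
      findings.push({ id: "content-script-all-urls", js: cs.js || [] });
    }
  }
  // declarativeNetRequest combined with broad host access can rewrite
  // headers on any site, not just the one the extension claims to enhance.
  if (perms.has("declarativeNetRequest") && allHosts) {
    findings.push({ id: "dnr-with-broad-hosts", hosts });
  }
  return findings;
}

// Heuristic on the background script source: an onStartup listener that
// both fetches from the network and opens a tab. Worth a manual look, not
// proof on its own.
function findStartupUrlOpener(source) {
  const onStartup = /chrome\.runtime\.onStartup\.addListener/.test(source);
  const fetches = /\bfetch\(/.test(source);
  const opensTab = /chrome\.tabs\.create\(/.test(source);
  return onStartup && fetches && opensTab ? [{ id: "startup-opens-remote-url" }] : [];
}

function auditExtension({ manifest, dnrRules = [], backgroundSource = "" }) {
  return [
    ...auditManifest(manifest),
    ...findHeaderStrippingRules(dnrRules),
    ...findStartupUrlOpener(backgroundSource),
  ];
}

// Constructed sample input (not a real extension).
const SAMPLE = {
  manifest: {
    manifest_version: 3,
    name: "Video Enhancer (constructed sample)",
    permissions: ["identity", "declarativeNetRequest", "storage"],
    host_permissions: ["<all_urls>"],
    oauth2: { client_id: "PLACEHOLDER.apps.googleusercontent.com", scopes: ["openid", "email", "profile"] },
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  },
  dnrRules: [
    { id: 1, priority: 1,
      action: { type: "modifyHeaders", responseHeaders: [
        { header: "Content-Security-Policy", operation: "remove" },
        { header: "X-Frame-Options", operation: "remove" } ] },
      condition: { urlFilter: "||youtube.com", resourceTypes: ["main_frame"] } },
    { id: 2, priority: 1, action: { type: "block" },
      condition: { urlFilter: "||example.invalid/ads" } },
  ],
  backgroundSource:
    'chrome.runtime.onStartup.addListener(async () => {\n' +
    '  const r = await fetch("https://c2.example.invalid/u");\n' +
    '  chrome.tabs.create({ url: await r.text() });\n});',
};

console.log(JSON.stringify(auditExtension(SAMPLE), null, 2));
```

Run it with `node audit.js` against the constructed sample; to audit a real installed extension, load `manifest.json`, the rule files named under `declarative_net_request.rule_resources`, and the service worker named in `background.service_worker` from the extension's directory and pass them in the same shape. The source heuristic is deliberately coarse: it flags extensions for review rather than deciding on its own, which is the right trade-off for a triage script.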
The names of some of the malicious extensions are SideYou, Text Translation, Page Locker, Page Auto Refresh, Frogtastic, and many more. The full list of extensions can be found here.