A coordinated cluster of 108 malicious Chrome extensions has successfully compromised the Google and Telegram data of approximately 20,000 users. Discovered by cybersecurity researchers at Socket, this massive campaign utilizes a shared command-and-control (C2) infrastructure to harvest sensitive user identities, inject arbitrary JavaScript, and execute browser-level abuse across every visited webpage.
The malicious add-ons bypassed Chrome Web Store security checks by masquerading as legitimate utilities, including Telegram sidebar clients, text translators, and casual games like slot machines. The threat actors distributed the extensions across five distinct publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. While the advertised functionalities varied wildly to cast a wide net, all 108 extensions secretly routed stolen credentials and browsing data back to a single backend server hosted at the IP address 144.126.135[.]238.
According to the technical analysis, the campaign employs several distinct attack vectors depending on the specific extension installed. The researchers identified a wide range of malicious behaviors designed to maximize data extraction and ad revenue.
- 54 extensions actively steal Google account identities via OAuth2 authentication.
- 45 extensions feature a universal backdoor that forces the browser to open arbitrary URLs upon startup.
- Several extensions exfiltrate Telegram Web session tokens every 15 seconds.
- Five extensions abuse Chrome's declarativeNetRequest API to strip security headers (Content Security Policy, X-Frame-Options, and CORS) from sites like YouTube and TikTok to inject gambling ads.
The researchers highlighted several high-risk extensions by name. The Telegram Multi-account extension (ID: obifanppcpchlehkjipahhphbcbjekfa) extracts the user_auth token used by Telegram Web, allowing attackers to hijack the session. It can also overwrite local storage to force-load a threat-actor-supplied session. Similarly, the Web Client for Telegram - Teleside extension (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno) injects scripts specifically designed to steal Telegram sessions.
Meanwhile, the Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj) captures Google account details the moment a victim clicks the sign-in button. This stolen data includes the user's email, full name, profile picture URL, and Google account identifier.
How to Protect Your System from Malicious Chrome Extensions
- Open your browser and navigate to the extensions menu to review all installed add-ons.
- Immediately uninstall any extensions published by Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt.
- Open the Telegram mobile app, navigate to Settings, select Devices, and terminate all active Telegram Web sessions to invalidate stolen tokens.
- Review your Google account security settings and revoke OAuth access for any unrecognized third-party applications.
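For administrators who need to check many profiles rather than click through the extensions menu, the following Python script is an added defender-side example (not code from the Socket report or this article). It audits an unpacked Chrome extension directory for the three extension IDs named above, for static declarativeNetRequest rulesets that remove the security headers the report describes, and for scripts that embed the reported backend address; it assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`, and the tree built by `demo()` is a constructed sample.

```python
import json
import tempfile
from pathlib import Path

# Indicators quoted in the report above (Telegram Multi-account, Teleside, Formula Rush, C2 host).
KNOWN_BAD_IDS = {"obifanppcpchlehkjipahhphbcbjekfa", "mdcfennpfgkngnibjbpnpaafcjnhcjno",
                 "akebbllmckjphjiojeioooidhnddnplj"}
C2_INDICATOR = "144.126.135.238"
STRIPPED_HEADERS = {"content-security-policy", "x-frame-options", "access-control-allow-origin"}

def ruleset_strips_security_headers(rules):
    """True if any static declarativeNetRequest rule removes a CSP, X-Frame-Options or CORS header."""
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            if hdr.get("operation") == "remove" and hdr.get("header", "").lower() in STRIPPED_HEADERS:
                return True
    return False

def audit_extension(ext_dir):
    """Audit one <profile>/Extensions/<id> directory (all versions); return a list of findings."""
    ext_dir = Path(ext_dir)
    findings = ["extension ID listed in the Socket report"] if ext_dir.name in KNOWN_BAD_IDS else []
    for manifest_path in ext_dir.rglob("manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        if set(manifest.get("permissions", [])) & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
            for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):  # static rulesets
                rules_file = manifest_path.parent / res.get("path", "")
                if rules_file.is_file() and ruleset_strips_security_headers(json.loads(rules_file.read_text())):
                    findings.append(f"ruleset {res['path']} removes security headers")
        for js in manifest_path.parent.rglob("*.js"):  # hard-coded backend address in any script
            if C2_INDICATOR in js.read_text(encoding="utf-8", errors="ignore"):
                findings.append(f"{js.name} references the reported C2 address")
    return findings

def demo():
    """Build a constructed sample extension tree in a temp dir and audit it (not real files)."""
    ext = Path(tempfile.mkdtemp()) / "akebbllmckjphjiojeioooidhnddnplj" / "1.0_0"
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "version": "1.0", "permissions": ["declarativeNetRequest"],
        "declarative_net_request": {"rule_resources": [{"id": "r1", "enabled": True, "path": "rules.json"}]}}))
    (ext / "rules.json").write_text(json.dumps([{"id": 1, "priority": 1, "condition": {"urlFilter": "youtube.com"},
        "action": {"type": "modifyHeaders",
                   "responseHeaders": [{"header": "Content-Security-Policy", "operation": "remove"}]}}]))
    (ext / "bg.js").write_text("// constructed sample\nconst backend = '144.126.135.238';\n")
    return audit_extension(ext.parent)
```

Run `audit_extension` over each subdirectory of a profile's `Extensions/` folder; an empty list means none of the three checks fired, not that the extension is safe.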
The Escalating Threat of Session Hijacking
The discovery of these 108 malicious Chrome extensions highlights a critical shift in how threat actors bypass modern security protocols. By targeting Telegram Web session tokens and Google OAuth2 identities directly, attackers can completely sidestep traditional two-factor authentication (2FA). Once a session token is exfiltrated to the attacker's C2 server, they gain immediate, unhindered access to private messages and accounts without needing the victim's password.
Furthermore, the presence of Russian language comments within the source code of several add-ons provides a strong clue regarding the origin of the developers, though definitive attribution remains unconfirmed. This campaign also exposes ongoing vulnerabilities in the Chrome Web Store's automated vetting process. The fact that 20,000 users installed these extensions before the shared backend infrastructure was flagged indicates that Google must implement stricter behavioral analysis for extensions requesting the declarativeNetRequest API.