A large-scale malware campaign abusing the Chrome Web Store has been uncovered, involving 108 malicious Chrome extensions designed to harvest user data, steal Google accounts, and surreptitiously control the browser. The add-ons share a common command-and-control (C2) infrastructure and can inject advertising and arbitrary JavaScript into visited websites.
Malicious Chrome extensions campaign linked by shared C2 infrastructure
According to findings from security company Socket, the extensions were published in the official Chrome Web Store under five developer identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Collectively, they accumulated around 20,000 installations. While not a global-scale incident, this is a significant campaign given that it operated entirely through Google’s official marketplace.
All identified extensions communicate with a single backend server hosted at IP address 144.126.135[.]238. Code analysis revealed multiple comments in Russian, hinting at the developers' likely origin, although the actual operators behind the campaign remain unattributed at this stage.
How malicious Chrome extensions steal accounts and control browsers
OAuth2 abuse for Google account identity theft
Socket’s analysis shows that 54 of the 108 extensions are explicitly focused on stealing Google account identities via OAuth2. Instead of capturing passwords, the extensions intercept OAuth2 tokens or related identifiers used to authenticate a user to Google services.
With a valid token, an attacker can often reuse the session without knowing the victim’s password, bypassing standard login prompts and in some cases multi-step authentication. This technique has been documented in previous real-world intrusions, where stolen tokens enabled persistent access to webmail, cloud storage, and enterprise tools long after passwords were changed.
Backdoor behavior: opening attacker-controlled URLs on startup
Another 45 extensions act as a universal backdoor by automatically opening attacker-specified URLs whenever the browser starts. Through the shared C2 server, operators can dynamically instruct infected browsers to:
— redirect users to phishing pages that mimic login portals or payment forms;
— load additional malicious scripts for further compromise;
— run large-scale ad fraud or scam campaigns in the background.
Because this behavior is controlled from the C2 infrastructure, the same extension can shift from seemingly benign functionality to aggressive exploitation without any visible update in the Chrome Web Store.
Script injection and network manipulation in the browser
The remaining extensions in the set demonstrate other malicious capabilities, including injecting arbitrary JavaScript into visited pages and manipulating network requests made by the browser. This enables content tampering, session hijacking, and persistent tracking of the user’s activity across multiple sites.
Masquerading as Telegram, YouTube, games, and “productivity” tools
To appear legitimate, the operators disguised the malicious Chrome extensions as popular categories of tools, including:
— side-panel Telegram Web clients for easier messaging;
— gaming extensions (slot machines, Keno, and other gambling-related add-ons);
— “enhancers” for YouTube and TikTok promising better playback or extra features;
— translation helpers and generic “page utility” tools.
While the advertised features seem harmless, all of these extensions connect to the same malicious backend and load hidden background scripts. Once installed, they can intercept session data, modify page content, and monitor browser activity without any obvious visual indicators.
Bypassing browser security by stripping HTTP security headers
Researchers highlighted a particularly concerning subset of five extensions that abuse Chrome's declarativeNetRequest API, a legitimate extension API for rewriting network requests and responses, to remove critical HTTP security headers from target websites before the pages load in the browser.
Headers such as Content-Security-Policy (CSP) and X-Frame-Options are commonly used to restrict script execution, block unauthorized iframes, and mitigate cross-site scripting (XSS) attacks. By stripping these protections, the extensions greatly expand the attacker’s ability to:
— inject arbitrary JavaScript;
— embed pages into malicious frames;
— chain multiple browser-based attacks that would normally be blocked.
This makes the threat especially difficult for end users to detect, as the page appears normal while its built-in defenses have been silently neutralized.
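As an added illustration of the header-stripping technique from the defender's side (not code from Socket's report or from the extensions themselves), the following Python audits a Chrome extension's static declarativeNetRequest rule files for modifyHeaders rules that remove or overwrite security headers, and flags background scripts that call the runtime rule APIs. The sample manifest, rule file and background script are constructed for the demonstration.

```python
"""Static audit of a Chrome extension's declarativeNetRequest rules (added example).

Flags modifyHeaders rules that remove or overwrite response headers such as
Content-Security-Policy or X-Frame-Options, and notes background scripts that
call the runtime rule APIs, whose rules never appear in static rule files.
The sample manifest, rule file and script below are constructed for the demo.
"""
import json
from typing import Callable

# Response headers whose removal or overwriting weakens a page's own defenses.
SECURITY_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "strict-transport-security",
    "x-content-type-options",
    "cross-origin-opener-policy",
    "cross-origin-embedder-policy",
    "cross-origin-resource-policy",
}

# Rules added through these APIs live in extension storage, not in rule files.
DYNAMIC_RULE_APIS = ("updateDynamicRules", "updateSessionRules")


def rule_scope(rule: dict) -> str:
    """Summarise how broadly a rule's condition matches."""
    cond = rule.get("condition", {})
    url = cond.get("urlFilter") or cond.get("regexFilter") or "<any url>"
    types = ",".join(cond.get("resourceTypes", ["<all types>"]))
    return f"{url} [{types}]"


def header_tampering(rules: list) -> list:
    """Return one finding per security header a modifyHeaders rule removes or sets."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = str(hdr.get("header", "")).lower()
            if name in SECURITY_HEADERS and hdr.get("operation") in ("remove", "set"):
                findings.append({
                    "rule_id": rule.get("id"),
                    "header": name,
                    "operation": hdr["operation"],
                    "scope": rule_scope(rule),
                })
    return findings


def audit_extension(manifest: dict, read_file: Callable[[str], str]) -> dict:
    """Audit a parsed manifest.json; read_file(path) returns a packaged file's text."""
    report = {"static_findings": [], "dynamic_rule_apis": []}
    perms = set(manifest.get("permissions", []))
    if not perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        return report  # headers cannot be modified without one of these permissions
    dnr = manifest.get("declarative_net_request", {})
    for resource in dnr.get("rule_resources", []):
        for finding in header_tampering(json.loads(read_file(resource["path"]))):
            finding["ruleset"] = resource.get("id")
            report["static_findings"].append(finding)
    # MV3 declares a service worker, MV2 a list of background scripts.
    background = manifest.get("background", {})
    scripts = [background["service_worker"]] if "service_worker" in background else background.get("scripts", [])
    for path in scripts:
        text = read_file(path)
        report["dynamic_rule_apis"] += [f"{path}: {api}" for api in DYNAMIC_RULE_APIS if api in text]
    return report


# Constructed sample package: an ad-blocking rule plus a header-stripping rule.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Page Utility (constructed sample)",
        "permissions": ["declarativeNetRequest"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
        "declarative_net_request": {
            "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
        },
    }),
    "rules.json": json.dumps([
        # Ordinary blocking rule: narrow scope, no header changes.
        {"id": 1, "priority": 1, "action": {"type": "block"},
         "condition": {"urlFilter": "||ads.example.invalid/", "resourceTypes": ["script"]}},
        # Strips CSP and X-Frame-Options from every page and frame the user loads.
        {"id": 2, "priority": 1,
         "action": {"type": "modifyHeaders", "responseHeaders": [
             {"header": "Content-Security-Policy", "operation": "remove"},
             {"header": "X-Frame-Options", "operation": "remove"}]},
         "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    ]),
    "bg.js": "chrome.declarativeNetRequest.updateDynamicRules({addRules: []});\n",
}


def audit_sample() -> dict:
    """Run the audit over the constructed sample package."""
    return audit_extension(json.loads(SAMPLE_FILES["manifest.json"]), SAMPLE_FILES.__getitem__)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

Rules that `set` a header are flagged alongside `remove` because an overly permissive Content-Security-Policy value neutralises the header as effectively as deleting it. Rules added at runtime through updateDynamicRules or updateSessionRules are kept in the extension's storage rather than in packaged files, so a static audit can only report that those APIs are used; the actual rule set has to be inspected in the running profile.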
Who is at risk and what data can be exposed
Malicious Chrome extensions are dangerous because they operate inside the trusted browser environment. Depending on permissions, they may access:
— browsing history and on-page activity;
— cookies and session tokens;
— OAuth tokens and other authentication artifacts;
— content of active tabs, including private webmail and messaging sessions.
The combination of Google account theft, Telegram Web interception, and page manipulation enables attackers to:
— take over accounts and messaging profiles;
— run highly convincing phishing and social engineering attacks;
— distribute malicious content and unwanted advertising;
— leverage compromised profiles to spread the campaign further.
Previous industry reports show that even with automated screening and manual review, malicious extensions periodically slip into official stores. Google has publicly documented mass removals of abusive add-ons in the past, underscoring that using the Chrome Web Store is not a guarantee of safety.
How users and organizations should respond
Socket advises users who installed extensions from Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt to remove them immediately from Chrome. Telegram users should also log out of all web sessions via the mobile app’s “Devices” section to invalidate potentially compromised sessions.
To reduce the risk of similar incidents, it is advisable to:
— regularly audit installed extensions and remove anything unused or unfamiliar;
— install add-ons only from developers with a long-standing, transparent reputation;
— scrutinize requested permissions, especially “read and change all your data on the websites you visit”;
— enable and enforce two-factor authentication (2FA) on Google and other critical accounts;
— keep Chrome and all extensions updated to the latest versions;
— periodically review active sessions in Google, Telegram, and other key services.
For organizations, treating the browser as a full-fledged attack surface is essential. Strategies such as centrally managing allowed extensions, applying least-privilege permissions, and monitoring for suspicious browser activity can significantly reduce exposure.
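To make the advice about auditing installed extensions and monitoring for suspicious browser activity concrete, here is an added Python example (not tooling from Socket or Google) that walks a Chrome profile's Extensions directory, lists each extension's high-risk permissions, and searches packaged files for the backend address given in the report. The two sample extensions and their IDs are constructed for the demo; the default profile paths are the usual Chrome locations and may differ on managed machines.

```python
"""Audit the extensions installed in a Chrome profile (added example, not Socket's tooling).

Reports each extension's high-risk permissions and any packaged file that
contains the backend address from the report. The extension IDs, manifests and
scripts built by build_sample_profile() are constructed for the demo; only the
indicator itself comes from the published findings.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Backend address named in Socket's findings (defanged on the page as 144.126.135[.]238).
C2_INDICATORS = ("144.126.135.238",)

# Permissions that let an extension read or alter every site the user visits.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "cookies", "history", "identity", "scripting", "tabs",
    "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
}

SCANNED_SUFFIXES = {".js", ".json", ".html"}


def default_profile_dir() -> Path:
    """Best-effort location of the default Chrome profile on common platforms."""
    home = Path.home()
    if sys.platform == "win32":
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data" / "Default"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default"
    return home / ".config" / "google-chrome" / "Default"


def scan_extension(ext_dir: Path) -> dict:
    """Inspect one unpacked extension version directory."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    granted = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for content_script in manifest.get("content_scripts", []):
        granted |= set(content_script.get("matches", []))
    ioc_hits = []
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            ioc_hits += [f"{path.relative_to(ext_dir)}: {ioc}" for ioc in C2_INDICATORS if ioc in text]
    risky = sorted(granted & HIGH_RISK_PERMISSIONS)
    verdict = "remove" if ioc_hits else "review" if risky else "ok"
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "risky_permissions": risky, "ioc_hits": ioc_hits, "verdict": verdict}


def scan_profile(profile_dir: Path) -> list:
    """Scan every Extensions/<id>/<version>/manifest.json under a profile."""
    results = []
    for manifest in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        result = scan_extension(manifest.parent)
        result["id"] = manifest.parent.parent.name
        results.append(result)
    return results


def build_sample_profile(root: Path) -> Path:
    """Write two constructed extensions: one benign, one showing the campaign's traits."""
    benign = root / "Extensions" / "benign_sample_id" / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Notes (constructed)", "version": "1.0",
        "permissions": ["storage"]}))
    suspect = root / "Extensions" / "suspect_sample_id" / "2.3_0"
    suspect.mkdir(parents=True)
    (suspect / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Video Enhancer (constructed)", "version": "2.3",
        "permissions": ["cookies", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"}}))
    # Constructed background script that references the reported backend address.
    (suspect / "bg.js").write_text('const C2 = "http://144.126.135.238/";\n')
    return root


def scan_sample() -> list:
    """Build the constructed profile in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_profile_dir()
    print(json.dumps(scan_profile(target), indent=2))
```

A "review" verdict is deliberately not "remove": permissions such as tabs or scripting are common in legitimate extensions, so they call for a look at the developer and the extension's purpose rather than automatic deletion. Two limits worth knowing: the Web Store developer name (Yana Project, GameGen, and so on) is not stored in the manifest, so matching against the report's developer identities has to be done from the store listing or chrome://extensions, and a manifest name of the form `__MSG_something__` is a localisation key that must be resolved from the extension's _locales directory.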
The discovery of these 108 malicious Chrome extensions illustrates how quickly trusted browser add-ons can be weaponized for account takeover and large-scale data collection. Minimizing the number of installed extensions, strictly controlling their permissions, and practicing basic cyber hygiene remain some of the most effective defenses against this growing class of threats.