Security & Infrastructure Tools
Over 100 Chrome extensions in Web Store target users' accounts and data
Security researchers warn that more than 100 malicious Chrome extensions in the official Web Store are designed to steal Google OAuth2 Bearer tokens, hijack sessions (notably Telegram Web), harvest user data, and inject ads. The extensions come from five publishers across categories including Telegram clients, casino-style games, YouTube/TikTok enhancers, translation tools, and utilities, and share a centralized C2 on a Contabo VPS. The campaign is tied to a Russian MaaS operation, with several extensions capable of running at startup and remotely fetching commands. Google has been notified, but many of the extensions were still available at publication; users should audit installed extensions against the IDs published by Socket and remove any matches.

- Campaign overview
- A large-scale set of more than 100 malicious Chrome extensions has been found in the official Chrome Web Store.
- The extensions are designed to steal Google OAuth2 Bearer tokens, deploy backdoors, and facilitate ad fraud.
- The extensions appear to be part of a coordinated campaign that shares a common command-and-control (C2) infrastructure.
- The threat actor released the extensions under five distinct publisher identities across multiple categories, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a translation tool, and various utilities.
- Operational backbone and attribution
- The campaign relies on a central backend hosted on a Contabo VPS, with multiple subdomains handling session hijacking, identity collection, command execution, and monetization tasks.
- Researchers have found evidence suggesting a Russian malware-as-a-service (MaaS) operation, inferred from comments in the code related to authentication and session theft.
- The same backend and infrastructure appear to support all extensions identified as part of this campaign, indicating a shared operational workflow.
- Extension clusters and technique profiles
- Largest cluster: 78 extensions inject attacker-controlled HTML into the user interface via the innerHTML property. This technique allows the operator to alter displayed content and capture data presented to the user.
- Second-largest cluster: 54 extensions use chrome.identity.getAuthToken to harvest the victim’s Google account data, including email, name, profile picture, and Google account ID, and to obtain the Google OAuth2 Bearer token used for accessing user data or acting on behalf of the user.
- Third cluster: 45 extensions feature a hidden startup function that runs on browser launch, acting as a backdoor that fetches commands from the C2 and can open arbitrary URLs without user interaction.
- Notable severe extension: one extension steals Telegram Web sessions every 15 seconds, extracts session data from localStorage and the Telegram Web session token, and transmits it to the C2. It also supports a mechanism (setsessionchanged) to wipe localStorage, replace it with actor-supplied session data, and force Telegram to reload, enabling the operator to swap the victim’s browser into a different Telegram account without the user’s knowledge.
- Additional capabilities observed: several extensions strip security headers and inject ads into YouTube and TikTok; another proxies translation requests through a malicious server; and a further Telegram session-theft extension is not yet active and depends on infrastructure that has been staged but not switched on.
- Notable capabilities and risk vectors
- Data harvesting: the Google account details and OAuth2 access tokens obtained through chrome.identity give the operator access to the user's data and the ability to act on their behalf in connected apps; each token itself is short-lived, but the extension can silently request fresh ones for as long as it remains installed.
- Session hijacking: Telegram Web session theft represents an extreme risk by allowing seamless transfer of a user’s active session to an attacker-controlled state.
- UI manipulation: HTML injection into the extension’s interface affects user trust and can facilitate further data leakage or credential capture.
- Covert persistence: startup-time execution and stealthy payloads enable continued operation even in the absence of user interaction.
- Availability and response status
- Google was officially informed about the campaign by the researchers, but as of the time of publication, many malicious extensions were still available in the Chrome Web Store.
- The reporting outlet confirmed that a substantial number of the listed extensions remained accessible on the store at publication, and there was no public confirmation from Google at that moment.
- Given the ongoing nature of the discovery, the risk persisted while the extensions remained listed in the store.
- Notable extensions and related tooling
- The campaign aggregates extensions under multiple publisher identities across varied domains (messaging, gaming, video platforms, and language tools), illustrating a broad approach to reach a wide audience.
- Reference materials highlight a cluster of extensions tied to the same infrastructure and campaign mechanics, underscoring the coordinated nature of the operation.
- The campaign is documented by security researchers who outline the methods, back-end architecture, and observable behaviors of the extensions.
- Related reporting and context
- Coverage surrounding this campaign includes deeper analyses of similar data-theft and session-hijacking patterns observed in other Chrome extensions.
- Reports emphasize the evolving threat landscape in which browser extensions can serve as covert data exfiltration and account compromise tools.
- The findings are tied to a broader discourse on extension security, tokens, and how attackers monetize compromised credentials.
- Source framing and attribution
- The core findings and technical descriptions come from security researchers investigating the extension set and its infrastructure, with particular emphasis on the behavior of the most severe sample and the shared C2 backend.
- The reporting outlet that compiled and contextualized these observations notes that some extensions remained live in the store at publication time and that direct confirmation from the platform vendor was pending.
- Related articles and broader themes
- QuickLens Chrome extension incident involving crypto theft and a follow-on attack pattern.
- Data breach disclosures connected to extortion threats and their impact on organizations.
- SaaS integrator breaches affecting customer environments and downstream data access.
- Techniques such as hidden scripting and image-encoded data exfiltration used to evade basic defenses.
- Browser security enhancements and protective measures introduced by platform providers.
- Observations for security practitioners (factual notes, non-prescriptive)
- The campaign demonstrates how multiple extensions can operate under a shared framework to harvest tokens, hijack sessions, and monetize user data.
- It highlights the importance of monitoring for unusual token requests, unexpected OAuth2 tokens, and sudden changes in account behavior attributable to compromised credentials.
- The convergence of UI manipulation, hidden startup actions, and cross-service session theft shows how attackers can blend techniques to maximize persistence and impact.
End note
- The collected reporting emphasizes the need for ongoing vigilance regarding extension provenance, permissions granted, and the potential for tokens and session data to be misused if extensions are compromised or malicious. The findings reference a shared backend and cross-publisher activity that points to a coordinated operation with substantial reach.