RC RANDOM CHAOS

108 Malicious Chrome Extensions Caught Harvesting Google and Telegram Credentials

via The Hacker News

Original source: 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users (The Hacker News)

A coordinated campaign involving 108 malicious Chrome extensions has been discovered targeting roughly 20,000 users, siphoning credentials and session data from Google services and Telegram. The extensions masqueraded as legitimate productivity and utility tools in the Chrome Web Store, exploiting the broad permissions model that browser extensions rely on to access cookies, browsing history, and authentication tokens.

The scale of this operation highlights persistent weaknesses in browser extension vetting processes. Despite Google’s review mechanisms, threat actors continue to slip malicious code past automated checks by obfuscating payloads or introducing them through delayed updates after initial approval. Once installed, the extensions exfiltrated sensitive data to attacker-controlled infrastructure, giving operators access to authenticated sessions without needing passwords directly.

The discovery underscores the ongoing risk that browser extensions pose as an attack surface, particularly for enterprise environments where extension governance is often lax. Organizations should enforce allowlist-only extension policies and monitor for anomalous extension behavior across managed endpoints.
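One way to check an endpoint against such an allowlist is sketched below as an added example (it is not from the original article). It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`; the `RISKY` set, the function names, and the sample extension IDs and manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Grants that expose the data named above: cookies, history, and content on every site.
RISKY = {"cookies", "history", "webRequest", "<all_urls>", "*://*/*", "https://*/*", "http://*/*"}


def risky_grants(manifest: dict) -> list[str]:
    """Return the risky permissions and broad host patterns a manifest requests."""
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return sorted(requested & RISKY)


def audit_profile(extensions_dir: Path, allowlist: set[str]) -> list[dict]:
    """Inspect <extensions_dir>/<id>/<version>/manifest.json for every installed version."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id, version_dir = path.parent.parent.name, path.parent.name
        try:
            risky = risky_grants(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError):
            risky = ["unreadable manifest"]  # treat a manifest we cannot parse as a finding
        findings.append({"id": ext_id, "version_dir": version_dir,
                         "allowed": ext_id in allowlist, "risky": risky})
    return findings


def demo() -> list[dict]:
    """Run the audit over two constructed manifests (IDs and contents are made up)."""
    approved, unknown = "a" * 32, "b" * 32
    samples = {
        approved: {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]},
        unknown: {"manifest_version": 3, "name": "Tab Helper",
                  "permissions": ["cookies", "history", "storage"],
                  "host_permissions": ["<all_urls>"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            version_dir = Path(tmp) / ext_id / "1.0.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(Path(tmp), allowlist={approved})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because the version directory is recorded with each finding, repeated runs also show when an approved extension has updated and its grants have changed, which is the delayed-update path described above.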


This is an AI-generated summary. Read the original for the full story.