108 Malicious Chrome Extensions Caught Harvesting Google and Telegram Credentials
Security researchers at Socket have uncovered a coordinated campaign of over 100 malicious Chrome Web Store extensions designed to steal OAuth tokens, hijack accounts, and execute remote commands. The extensions span multiple categories - Telegram clients, browser games, social media tools, and utilities - published under five different identities but sharing a common command-and-control infrastructure hosted on a Contabo VPS. Code analysis points to a Russian malware-as-a-service operation.
The extensions employ several attack techniques across overlapping clusters. The largest group of 78 injects attacker-controlled HTML via innerHTML manipulation, while 54 others abuse the chrome.identity API to exfiltrate Google account details and OAuth2 bearer tokens. A separate batch of 45 extensions runs a silent backdoor on browser startup that fetches and executes C2 commands without any user interaction. The most aggressive variant targets Telegram Web, scraping session data every 15 seconds and enabling operators to remotely swap a victim’s browser into a different Telegram account entirely.
Despite Socket’s disclosure to Google, all identified extensions remained live on the Chrome Web Store at the time of reporting. Users should cross-reference their installed extensions against the published indicator list and remove any matches immediately.
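The cross-check recommended above can be scripted against the local Chrome profile. The following is an added example (not from Socket or BleepingComputer) that walks each installed extension's manifest.json, matches its ID against an indicator list, and flags the permission pattern the campaign relied on (chrome.identity, broad host access, a background service worker). The extension IDs, names and manifests in the sample profile are constructed placeholders, not real indicators; on a real system point it at the profile's Extensions directory and the IDs from Socket's published list.

```python
import json
import tempfile
from pathlib import Path

# Real profile root, e.g. ~/.config/google-chrome/Default/Extensions on Linux or
# %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows.
# Capabilities the summary attributes to the campaign: identity for OAuth tokens,
# broad host access for innerHTML injection / Telegram Web scraping, startup worker.
RISKY_PERMISSIONS = {"identity", "scripting", "webRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_root, ioc_ids):
    """Walk <root>/<extension id>/<version>/manifest.json and return one finding per
    installed version: IoC-list match plus permission-based risk flags."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_root).iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            perms = set(manifest.get("permissions", []))
            hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 lists hosts in permissions
            flags = sorted(RISKY_PERMISSIONS & perms)
            if hosts & BROAD_HOSTS:
                flags.append("broad_host_access")
            if "service_worker" in manifest.get("background", {}):
                flags.append("background_worker")
            findings.append({"id": ext_dir.name, "name": manifest.get("name", "?"),
                             "ioc_match": ext_dir.name in ioc_ids, "flags": flags})
    return findings

def build_sample_profile():
    """Constructed throwaway Extensions directory: one manifest mimicking the campaign's
    permission pattern and one benign one. IDs are placeholders, not real indicators."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaabbbbccccddddeeeeffffgggghhhh": {"name": "Telegram Helper (sample)", "manifest_version": 3,
            "permissions": ["identity", "scripting", "storage"], "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "bg.js"}},
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"name": "Tab Counter (sample)", "manifest_version": 3,
            "permissions": ["tabs"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    # Swap the constructed root and placeholder IoC set for the real profile path and list.
    for f in audit_extensions(build_sample_profile(), {"aaaabbbbccccddddeeeeffffgggghhhh"}):
        verdict = "REMOVE (IoC match)" if f["ioc_match"] else ("review" if f["flags"] else "ok")
        print(f"{f['id']} {f['name']!r}: {verdict} {f['flags']}")
```

An IoC match is the only definitive signal; the permission flags just prioritise which remaining extensions deserve a manual look, since many legitimate extensions request broad hosts or a background worker.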
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.