Security researchers have uncovered a large-scale campaign involving more than 100 malicious extensions listed on the official Chrome Web Store, raising concerns about user safety.
These extensions are designed to steal sensitive data, hijack accounts, install backdoors, and even carry out ad fraud, all while appearing as normal tools.
The discovery was made by application security firm Socket, which found that the extensions are part of a coordinated operation sharing the same command-and-control infrastructure. The extensions were published under different developer identities and spread across several categories, including Telegram tools, gaming apps, social media enhancers, translation services, and general utilities.
Behind the scenes, the campaign relies on a centralized backend hosted on a Contabo server, with different subdomains handling tasks like collecting user data, executing commands, and monetizing activity. Researchers also found clues in the code suggesting links to a Russian malware-as-a-service operation.
Many of these extensions are built to quietly collect user information. Some inject attacker-controlled content directly into web pages, while others use Chrome’s identity features to gather details like email addresses, profile data, and Google account IDs. In some cases, they also capture OAuth2 bearer tokens, which can allow attackers to access accounts or act on behalf of users.
Another group of extensions includes hidden features that run automatically when the browser starts. These act as backdoors, connecting to remote servers to receive instructions and open links without any user interaction. One particularly serious example targets Telegram Web sessions, repeatedly extracting session data and sending it to attackers. It can even replace a user’s session with another account without their knowledge.
Researchers also identified extensions that manipulate web traffic for ad fraud, remove security protections, or route data through malicious servers. Although the findings were reported to Google, many of these extensions were still available on the Chrome Web Store at the time the report was published.
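The capabilities described above (reading the signed-in Google profile and OAuth2 tokens, injecting content into pages, reading session data, rewriting traffic and stripping protections, and running at browser start) all have to be declared in an extension's manifest, which gives defenders a cheap triage point. The following Node.js script is an added example, not code from the article or from Socket's report: it scores a manifest by how many of those capabilities it combines. The sample manifests are constructed, and the function names (`triageManifest`, `SIGNALS`), signal weights and thresholds are assumptions chosen for illustration rather than a published detection rule.

```javascript
'use strict';
// Added example, not code from the article or from Socket's report: a
// defender-side triage of Chrome extension manifests. It scores the capability
// combinations the article describes (identity access, page injection, session
// theft, traffic rewriting, autostart). Signal weights and thresholds are
// assumptions chosen for illustration, not a published detection rule.

function hasPerm(manifest, name) {
  // Optional permissions count too: they can be granted later at runtime.
  const perms = [].concat(manifest.permissions || [], manifest.optional_permissions || []);
  return perms.includes(name);
}

function hostPatterns(manifest) {
  // MV3 lists hosts in host_permissions; MV2 mixed them into permissions.
  const all = [].concat(
    manifest.host_permissions || [],
    manifest.optional_host_permissions || [],
    manifest.permissions || []
  );
  return all.filter(p => typeof p === 'string' && (p === '<all_urls>' || p.includes('://')));
}

function isBroadHost(pattern) {
  // <all_urls>, *://*/*, http://*/* and https://*/* all match every site.
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// One entry per capability the article links to abuse. Weights are assumptions.
const SIGNALS = [
  { id: 'identity', weight: 3,
    desc: 'identity API: reads the signed-in Google profile and can fetch OAuth2 tokens',
    test: m => hasPerm(m, 'identity') || hasPerm(m, 'identity.email') },
  { id: 'all-hosts', weight: 3,
    desc: 'access to every site: can inject content into any page',
    test: m => hostPatterns(m).some(isBroadHost) },
  { id: 'scripting', weight: 2,
    desc: 'scripting or content_scripts: runs extension code inside pages',
    test: m => hasPerm(m, 'scripting') ||
               (Array.isArray(m.content_scripts) && m.content_scripts.length > 0) },
  { id: 'cookies', weight: 2,
    desc: 'cookies: reads session cookies for permitted hosts',
    test: m => hasPerm(m, 'cookies') },
  { id: 'net-rewrite', weight: 3,
    desc: 'webRequest/declarativeNetRequest: can alter traffic and strip security headers',
    test: m => ['webRequest', 'webRequestBlocking', 'declarativeNetRequest',
                'declarativeNetRequestWithHostAccess'].some(p => hasPerm(m, p)) },
  { id: 'background', weight: 1,
    desc: 'background worker/page: code runs at browser start with no user interaction',
    test: m => Boolean(m.background) },
];

function triageManifest(manifest) {
  const hits = SIGNALS.filter(s => s.test(manifest));
  const score = hits.reduce((sum, s) => sum + s.weight, 0);
  // Thresholds are assumptions. One broad permission is common in benign
  // extensions; the article's samples combine several, which is what scores.
  const verdict = score >= 8 ? 'review-urgently' : score >= 4 ? 'review' : 'low';
  return { name: manifest.name, score, verdict, signals: hits.map(s => s.id) };
}

function triageAll(manifests) {
  return manifests.map(triageManifest).sort((a, b) => b.score - a.score);
}

// Constructed sample manifests (not real extensions from the campaign).
const SAMPLE_MANIFESTS = [
  { name: 'Quick Translate (constructed)', manifest_version: 3,
    permissions: ['activeTab', 'storage'] },
  { name: 'Telegram Helper (constructed)', manifest_version: 3,
    permissions: ['identity', 'cookies', 'scripting', 'declarativeNetRequest', 'storage'],
    host_permissions: ['<all_urls>'],
    background: { service_worker: 'bg.js' } },
  { name: 'Page Styler (constructed)', manifest_version: 3,
    permissions: ['storage'],
    host_permissions: ['*://*/*'],
    content_scripts: [{ matches: ['*://*/*'], js: ['cs.js'] }],
    background: { service_worker: 'bg.js' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triageAll(SAMPLE_MANIFESTS)) {
    console.log(`${r.verdict.padEnd(15)} score=${String(r.score).padStart(2)}  ${r.name}  [${r.signals.join(', ')}]`);
  }
}
```

Run against the manifests of installed extensions (on a managed fleet they can be pulled from each profile's Extensions directory, or from the store listing before approval), the output ranks candidates for manual review; the point is the combination of identity, broad host access, session access and traffic rewriting in one extension, which is exactly the profile the article describes, rather than any single permission, which plenty of legitimate tools also request.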