Over 100 Malicious Chrome Extensions in Chrome Web Store Steal Google and Telegram Data, Create Persistent Backdoors

Executive Summary

Between April 2026 and the time of this report, a coordinated campaign involving over 100 malicious Chrome extensions has been identified in the official Chrome Web Store. These extensions, published under five distinct developer identities, have collectively amassed approximately 20,000 installations. The extensions target a broad user base by masquerading as legitimate tools, including gaming applications, social media utilities, and translation services. However, they secretly harvest sensitive user data, including Google OAuth2 Bearer tokens and Telegram Web sessions, and deploy persistent backdoors that enable further exploitation. The campaign leverages a centralized command-and-control (C2) infrastructure, allowing attackers to aggregate stolen data and issue commands to compromised browsers. Despite notification to Google, all malicious extensions remained available in the Chrome Web Store as of April 14, 2026. The incident poses critical risks of account takeover, data exfiltration, and unauthorized access to both personal and enterprise communications. All information in this summary is directly supported by the cited sources below.

Technical Information

The campaign was uncovered by researchers at Socket, who identified a total of 108 malicious Chrome extensions communicating with a shared C2 infrastructure. The extensions were distributed under five publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. The extensions spanned multiple categories, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and various utilities. This diversity in advertised functionality was designed to maximize the potential victim pool while masking the malicious intent of the extensions (BleepingComputer, April 14, 2026; The Hacker News, April 14, 2026; Infosecurity Magazine, April 14, 2026).

The extensions’ malicious behaviors can be grouped into several technical categories:

The largest cluster, comprising 78 extensions, injects attacker-controlled HTML into the user interface using the innerHTML property. This allows the attacker to manipulate the content displayed to the user and potentially execute further malicious scripts.

A second group of 54 extensions abuses the chrome.identity.getAuthToken API to collect the victim’s email address, full name, profile picture, and Google account ID. Critically, these extensions also steal the Google OAuth2 Bearer token, which is a short-lived access token that allows applications to access a user’s data or act on their behalf. The theft of these tokens enables attackers to impersonate users and access sensitive data without requiring direct access to credentials.

A third batch of 45 extensions contains a hidden function that executes on browser startup, acting as a persistent backdoor. This function fetches commands from the C2 server and can open arbitrary URLs without user interaction, enabling the attacker to direct the browser to malicious or monetized destinations.

One extension, identified as particularly severe, targets Telegram Web sessions. It extracts session data from the browser’s localStorage every 15 seconds and sends it to the C2 server. The extension can also receive a command (set_session_changed) that overwrites the victim’s session data with attacker-supplied information and force-reloads the Telegram application. This allows the attacker to swap the victim’s active Telegram session with another account, effectively hijacking the session without the victim’s knowledge or the need for passwords or multi-factor authentication (BleepingComputer, April 14, 2026; The Hacker News, April 14, 2026).

Additional malicious behaviors observed include stripping security headers (such as Content Security Policy, X-Frame-Options, and CORS) from YouTube and TikTok, injecting gambling overlays and advertisements, and proxying translation requests through attacker-controlled servers. Some extensions inject content scripts into every page visited by the user, further expanding the attack surface.

The extensions’ dual-use nature complicates detection. Many deliver on their advertised functionality, such as providing games or messaging tools, while simultaneously executing malicious code in the background. This approach increases the likelihood that users will trust and retain the extensions, allowing the attackers to maintain persistent access to compromised accounts and data (Infosecurity Magazine, April 14, 2026).

The backend infrastructure is hosted on a Contabo VPS at IP address 144.126.135[.]238, with multiple subdomains handling session hijacking, identity collection, command execution, and monetization. The operation exhibits characteristics of a Malware-as-a-Service (MaaS) model, with evidence of Russian language comments in the code suggesting possible involvement of Russian-speaking threat actors. The shared infrastructure, reused code, and overlapping account identifiers link all 108 extensions to a single operator or group.

Affected Versions & Timeline

The campaign involves 108 malicious Chrome extensions available in the official Chrome Web Store as of April 14, 2026. The extensions were published under the identities Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. The affected user base is estimated at approximately 20,000 installations, spanning gaming, social media, and productivity sectors. All three primary sources confirm that the extensions remained available for download at the time of public disclosure, and that Google had been notified but had not yet removed the extensions (BleepingComputer, April 14, 2026; The Hacker News, April 14, 2026; Infosecurity Magazine, April 14, 2026).

The campaign’s technical indicators, including shared backend infrastructure and code reuse, suggest a coordinated operation that may have been active for an extended period prior to discovery. The extensions’ ability to persist in the Chrome Web Store despite notification to Google highlights a significant gap in extension vetting and response processes.

Threat Activity

The threat actors behind this campaign have demonstrated a high level of technical sophistication and operational coordination. By leveraging multiple publisher identities and diverse extension categories, they have maximized their reach and evaded detection. The use of a centralized C2 infrastructure enables real-time command execution, data aggregation, and session hijacking across all compromised browsers.

The theft of Google OAuth2 Bearer tokens and Telegram Web sessions poses a critical risk of account takeover, data exfiltration, and unauthorized access to sensitive communications. Attackers can impersonate victims, access private messages, and potentially pivot to other accounts or services linked to the compromised identities. The persistent backdoors embedded in 45 extensions allow attackers to open arbitrary URLs, inject malicious scripts, and monetize traffic through ad fraud or gambling overlays.

The campaign’s Malware-as-a-Service model increases the risk of further exploitation, as stolen data and active sessions may be resold or accessed by third parties. The presence of Russian language comments in the code, while not definitive, suggests possible involvement of Russian-speaking threat actors or groups.

The dual-use nature of the extensions, delivering both legitimate and malicious functionality, complicates detection and removal by both users and automated security systems. Many users may remain unaware of the compromise, especially if the extensions continue to provide the advertised features.

Mitigation & Workarounds

The following mitigation steps are prioritized by severity:

Critical: Immediate removal of any of the 108 identified malicious Chrome extensions from all user devices is essential. Users and administrators should cross-reference installed extensions against the published list of malicious extension IDs provided by Socket (BleepingComputer, April 14, 2026; The Hacker News, April 14, 2026).

Critical: All users who have installed any of the identified extensions should log out of all Telegram Web sessions using the Telegram mobile app to invalidate stolen sessions and prevent unauthorized access.

High: Users should review and revoke any suspicious or unnecessary OAuth2 permissions granted to third-party applications via their Google Account Security settings.

High: Organizations should implement browser extension management policies to restrict installation to only vetted and approved extensions, and regularly audit installed extensions across managed devices.
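The two audit steps above (cross-referencing installed extension IDs against Socket’s published list, and regularly auditing installed extensions on managed devices) can be scripted. The following is an added example, not code from Rescana or from any cited source: it reads each installed extension’s manifest.json from a Chrome profile (assumed layout `<profile>/Extensions/<id>/<version>/manifest.json`), checks the ID against a blocklist (a constructed placeholder stands in for the real list, which is not reproduced here), and flags the manifest traits that the behaviors described in this report require: the identity permission behind chrome.identity.getAuthToken, content scripts matching every page, and a header-rewriting API combined with YouTube/TikTok host access. These flags are review indicators, not proof of malice.

```python
import json
from pathlib import Path

# Constructed placeholder for Socket's published malicious-ID list; not a real extension ID.
BLOCKLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Manifest traits the reported behaviors require (indicators for review, not proof of malice):
#   identity                        -> chrome.identity.getAuthToken (OAuth token collection)
#   <all_urls> content script       -> code injected into every page visited
#   header-rewrite API + video host -> ability to strip CSP / X-Frame-Options from YouTube/TikTok
HEADER_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
               "declarativeNetRequestWithHostAccess"}


def _runs_on_all_urls(manifest):
    for cs in manifest.get("content_scripts", []):
        if any(m in ("<all_urls>", "*://*/*") for m in cs.get("matches", [])):
            return True
    return False


def audit_manifest(ext_id, manifest):
    """Return human-readable findings for one extension; an empty list means nothing flagged."""
    findings = []
    if ext_id in BLOCKLIST:
        findings.append("BLOCKLISTED: ID is on the published malicious-extension list")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if "identity" in perms:
        findings.append("identity permission: can call chrome.identity.getAuthToken")
    if _runs_on_all_urls(manifest):
        findings.append("content script matches <all_urls>: runs on every page")
    if perms & HEADER_APIS and any(v in h for h in hosts for v in ("youtube.com", "tiktok.com")):
        findings.append("header-rewrite API with YouTube/TikTok access: can strip security headers")
    return findings


def load_profile_manifests(profile_dir):
    """Read <profile>/Extensions/<id>/<version>/manifest.json for every installed extension."""
    manifests = {}
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        manifests[path.parent.parent.name] = json.loads(path.read_text(encoding="utf-8"))
    return manifests


# Constructed sample manifest combining the traits described in the report (not a real extension).
SAMPLE = {"name": "Translator Sidebar", "manifest_version": 3,
          "permissions": ["identity", "declarativeNetRequest", "storage"],
          "host_permissions": ["*://*.youtube.com/*"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}

if __name__ == "__main__":
    print(audit_manifest("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", SAMPLE))
```

On a real device, replace SAMPLE with `load_profile_manifests("<path to Chrome user data>/Default")` and load BLOCKLIST from the published ID list.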

Medium: Security teams should monitor for unusual account activity, including unauthorized logins, changes to account settings, or unexpected access to sensitive data.

Medium: Users should be educated on the risks of installing browser extensions from unverified sources and encouraged to report suspicious behavior.

Low: Regularly update browsers and security software to ensure the latest protections against known threats.

References

BleepingComputer, "Over 100 Chrome extensions in Web Store target users’ accounts and data," April 14, 2026. https://www.bleepingcomputer.com/news/security/over-100-chrome-extensions-in-web-store-target-users-accounts-and-data/

The Hacker News, "108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users," April 14, 2026. https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html

Infosecurity Magazine, "Malicious Chrome Extensions Campaign Exposes User Data," April 14, 2026. https://www.infosecurity-magazine.com/news/chrome-extensions-expose-user-data/

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their digital supply chain, including browser extensions and third-party applications. Our platform supports the identification of high-risk software, facilitates rapid response to emerging threats, and helps organizations enforce extension management policies. For further information or specific questions regarding this incident, please contact us at ops@rescana.com.