Security researchers at Socket have identified over 100 malicious extensions in the Chrome Web Store that are part of a coordinated campaign. These extensions steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. At the time Socket published its report, all affected extensions were still available in the store. Google has not yet responded to requests for comment.
The extensions were published under five different publisher profiles across various categories, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and browser utilities. Socket found evidence in the code indicating the campaign is tied to a Russian malware-as-a-service operation.
What the Malicious Chrome Extensions Do
The campaign operates with a central backend hosted on a Contabo VPS, supported by multiple subdomains that handle session hijacking, identity collection, command execution, and monetization. The largest cluster involves 78 extensions that inject attacker-controlled HTML into the browser interface using the innerHTML property.
Another group of 54 extensions uses the chrome.identity.getAuthToken API to gather the victim’s email address, name, profile picture, Google account ID, and Google OAuth2 Bearer token. These tokens are short-lived access credentials that enable applications to access a user’s data or act on their behalf without requiring a password.
A third set of 45 extensions includes a hidden function that runs on browser startup, contacts the command-and-control server, and opens arbitrary URLs without any user interaction. One extension identified by Socket as particularly severe steals Telegram Web session data every 15 seconds, extracting localStorage content and session tokens and sending them to the attacker’s server.
This extension also accepts inbound commands that overwrite the victim’s localStorage with attacker-supplied session information and force a reload of Telegram Web, effectively swapping the victim’s account without their knowledge. Additional extensions in the campaign remove security headers, inject ads into YouTube and TikTok, or proxy translation requests through malicious servers.
What Chrome Users Should Do Now
Socket has shared a list of extension IDs linked to the campaign. Users should compare the list of affected extensions in the report with their installed Chrome extensions and uninstall any matches right away.
To see which extensions are installed, enter chrome://extensions in the address bar. Google has not provided any information on when, or whether, the identified extensions will be removed from the Chrome Web Store.
