Security researchers at Socket have identified more than 100 malicious extensions in the Chrome Web Store that are part of a coordinated campaign. These extensions steal Google OAuth2 bearer tokens, implement backdoors, and conduct ad fraud. At the time Socket published its report, all affected extensions were still available in the store. Google has not yet responded to requests for comment.
The extensions were published to five different publisher profiles in various categories, including Telegram sidebar clients, slot machines and Keno games, YouTube and TikTok boosters, a text translation tool, and browser utilities. Socket found evidence in the code indicating that the campaign is linked to a Russian malware-as-a-service operation.
What malicious Chrome extensions do
The campaign operates with a central backend hosted on a VPS backed by multiple subdomains that handle session hijacking, identity harvesting, command execution, and monetization. The largest group includes 78 extensions that inject attacker-controlled HTML into the browser interface using the innerHTML property.
Another group of 54 extensions uses the chrome.identity.getAuthToken API to collect the victim's email address, name, profile picture, Google account ID, and Google OAuth2 bearer token. These tokens are short-lived access credentials that allow applications to access a user's data or act on their behalf without requiring a password.
A third set of 45 extensions includes a hidden function that runs at browser startup, contacts the command-and-control server, and opens arbitrary URLs without any user interaction. An extension identified by Socket as particularly serious steals Telegram Web session data every 15 seconds, extracting localStorage content and session tokens and sending them to the attacker's server.
This extension also accepts incoming commands that overwrite the victim’s local storage with session information provided by the attacker and force a reload of Telegram Web, effectively swapping the victim’s account without their knowledge. Additional campaign extensions remove security headers, inject ads into YouTube and TikTok, or proxy translation requests through malicious servers.
What Chrome users should do now
Socket has shared a list of extension IDs linked to the campaign. Users should compare the list of affected extensions in the report with their installed Chrome extensions and uninstall any matches immediately.
To see which extensions are installed, go to chrome://extensions in the address bar. Google has not provided any information on when or if these identified extensions will be removed from the Chrome Web Store.
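The manual check described above (compare the report's extension IDs against what is installed) can be scripted. The following is an added example written for this article, not code from Socket or from the report: it enumerates the unpacked extensions under a Chrome profile's `Extensions` folder, matches each ID against a blocklist, and additionally flags static indicators that correspond to the behaviours described above (calls to `chrome.identity.getAuthToken`, `innerHTML` assignment, periodic timers, `localStorage` access, startup hooks) plus sensitive manifest permissions. The blocklist IDs below are constructed placeholders, since the article does not reproduce Socket's list; substitute the IDs from the report. The default profile paths are the standard Chrome locations per OS and assume the `Default` profile.

```python
"""Triage installed Chrome extensions against an ID blocklist and static risk indicators."""
import json
import os
import platform
import re
import sys
import tempfile
from pathlib import Path

# Placeholder blocklist: replace with the extension IDs from Socket's report.
# These two values are constructed for the example and correspond to nothing real.
KNOWN_BAD_IDS = {
    "abcdefghijklmnopabcdefghijklmnop",  # constructed placeholder
    "ppppoooonnnnmmmmllllkkkkjjjjiiii",  # constructed placeholder
}

EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs are 32 chars from the a-p alphabet

# Static indicators matching the behaviours the report attributes to the campaign.
RISK_PATTERNS = {
    "oauth_token_harvest": re.compile(r"chrome\.identity\.getAuthToken"),
    "dom_html_injection": re.compile(r"\.innerHTML\s*="),
    "periodic_beacon": re.compile(r"setInterval\s*\("),
    "localstorage_access": re.compile(r"\blocalStorage\b"),
    "startup_hook": re.compile(r"chrome\.runtime\.onStartup"),
}
RISKY_PERMISSIONS = {"identity", "webRequest", "declarativeNetRequest", "cookies", "tabs", "<all_urls>"}


def default_extensions_dir() -> Path:
    """Standard location of the 'Default' profile's Extensions folder on each OS."""
    home = Path.home()
    system = platform.system()
    if system == "Windows":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if system == "Darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def enumerate_extensions(extensions_dir: Path) -> dict:
    """Map extension ID -> newest version directory (layout: Extensions/<id>/<version>/manifest.json)."""
    found = {}
    if not extensions_dir.is_dir():
        return found
    for id_dir in extensions_dir.iterdir():
        if not (id_dir.is_dir() and EXT_ID_RE.match(id_dir.name)):
            continue
        versions = sorted(p for p in id_dir.iterdir() if (p / "manifest.json").is_file())
        if versions:
            found[id_dir.name] = versions[-1]
    return found


def triage_extension(ext_id: str, version_dir: Path) -> dict:
    """Blocklist match plus manifest permissions and regex hits over the extension's JS files."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8", errors="ignore"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    indicators = set()
    for js in version_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="ignore")
        indicators.update(name for name, rx in RISK_PATTERNS.items() if rx.search(text))
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "known_bad": ext_id in KNOWN_BAD_IDS,
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "indicators": sorted(indicators),
    }


def triage_profile(extensions_dir: Path) -> list:
    return [triage_extension(i, d) for i, d in sorted(enumerate_extensions(extensions_dir).items())]


def build_sample_profile() -> Path:
    """Constructed fake Extensions folder: one benign extension, one that hits the blocklist and indicators."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "benignbenignbenignbenignbenignbe": (
            {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]},
            "chrome.storage.local.get('notes', () => {});\n",
        ),
        "abcdefghijklmnopabcdefghijklmnop": (
            {"name": "Translator Plus", "manifest_version": 3,
             "permissions": ["identity", "storage"], "host_permissions": ["<all_urls>"]},
            "chrome.runtime.onStartup.addListener(() => {});\n"
            "chrome.identity.getAuthToken({interactive: false}, (t) => {});\n"
            "setInterval(() => { const s = JSON.stringify(localStorage); }, 15000);\n"
            "document.body.innerHTML = html;\n",
        ),
    }
    for ext_id, (manifest, js) in samples.items():
        d = root / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (d / "background.js").write_text(js, encoding="utf-8")
    return root


if __name__ == "__main__":
    # Usage: python triage.py [path/to/Extensions]; with no argument the constructed sample is scanned.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile()
    for r in triage_profile(target):
        flag = "KNOWN BAD" if r["known_bad"] else ("review" if r["indicators"] or r["risky_permissions"] else "ok")
        print(f"{flag:9} {r['id']} {r['name']!r} perms={r['risky_permissions']} indicators={r['indicators']}")
```

Run it with the path printed by `default_extensions_dir()` (or any profile's `Extensions` folder) to triage a real installation. A blocklist hit is the only definitive result; the indicator and permission hits are heuristics that many legitimate extensions also trigger, so treat them as a prompt to review, not as proof of compromise.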