# 108 Malicious Chrome Extensions Steal Google and Telegram Credentials from 20,000 Users in Coordinated Campaign


A massive coordinated attack has compromised over 20,000 users through a network of 108 malicious Google Chrome extensions designed to harvest sensitive credentials and inject malicious content directly into web browsing sessions. Security researchers at Socket have uncovered the campaign, which represents a sophisticated infrastructure-level threat targeting both consumer and enterprise users.


The extensions, published across the Chrome Web Store under innocuous names, funnel stolen authentication tokens and user data to centralized command-and-control (C2) servers while simultaneously injecting advertisements and arbitrary JavaScript code into every webpage visited by infected users.


## The Threat: A Coordinated Data Harvesting Operation


The cluster of 108 extensions operates as a unified data harvesting network, sharing common infrastructure and operating procedures. Key characteristics of the threat include:

- Data targets: Google account credentials, session tokens, and Telegram authentication data
- Malicious capabilities: Ad injection, arbitrary code execution, credential theft
- Distribution: Chrome Web Store (legitimate storefront)
- User impact: 20,000+ confirmed compromises
- Command infrastructure: Centralized C2 servers coordinating the campaign

The extensions were designed to masquerade as legitimate productivity tools, browser utilities, or customization add-ons. This deception allowed them to pass Chrome Web Store review processes and accumulate significant user bases before detection.


## Background and Context: The Chrome Extension Supply Chain Risk

Google Chrome extensions represent a critical security surface. Unlike web applications, which the browser sandboxes, extensions operate with elevated permissions and can access browsing history, modify web content, intercept network traffic, and interact with sensitive APIs.

### Why Extensions Are High-Value Targets

Extensions sit at the intersection of three valuable attack objectives:

1. Authentication interception — Extensions can capture login credentials, session tokens, and API keys in the page before they are encrypted for transmission
2. Content injection — Attackers can modify what users see, redirecting clicks or stealing form data
3. Scale and legitimacy — The Chrome Web Store provides distribution to millions while lending apparent legitimacy

The Chrome Web Store hosts approximately 200,000 extensions. While Google employs automated scanning and manual review, determined attackers continuously evolve techniques to evade detection.


### Historical Precedent

This campaign echoes previous incidents:

| Year | Incident | Extensions | Users Affected |
|------|----------|------------|----------------|
| 2020 | Password-stealing extensions | 49 | 100,000+ |
| 2021 | CoinHive cryptomining | 28+ | Millions |
| 2023 | Ad-injection networks | 100+ | 30,000+ |
| 2025 | Current campaign | 108 | 20,000+ |

The rising sophistication and scale of extension-based attacks suggests attackers view the Chrome ecosystem as a reliable vector for credential theft and malware distribution.


## Technical Details: How the Attack Works

### Infection Chain

1. Initial compromise: User installs what appears to be a legitimate extension from the Chrome Web Store
2. Permission exploitation: Extension requests broad permissions (e.g., "Access all data on websites you visit")
3. Background communication: Extension establishes an encrypted channel to C2 infrastructure
4. Data exfiltration: Captures Google session tokens, Telegram authentication, and other sensitive data
5. Content injection: Injects ads and JavaScript payloads into web pages in real time

### Command-and-Control Infrastructure

The 108 extensions communicate with shared C2 servers, suggesting centralized campaign management. This architecture enables attackers to:

- Deploy updates across all extensions simultaneously
- Adjust targeting and data collection priorities
- Monitor campaign performance and user coverage
- Rotate C2 servers when detection occurs

Socket's analysis identified the C2 infrastructure through network traffic patterns and code analysis, allowing researchers to link extensions that would otherwise appear unrelated.


### Data Theft Methodology

The extensions specifically target:

- Google accounts: Session tokens stored in browser storage, enabling account takeover
- Telegram credentials: Authentication data used to impersonate users on messaging platforms
- Browsing activity: URLs visited, search queries, and form submissions
- User metadata: IP addresses, device fingerprints, and installed extensions

This data combination enables identity theft, account compromise, spear-phishing attacks, and lateral movement into organizational networks.


## Implications for Organizations and Users

### Immediate Risks

Organizations face multiple threat vectors:

- Credential compromise: Attackers gain access to corporate Google Workspace accounts and associated data
- Supply chain infection: Employees' infected personal devices could be used to pivot into corporate networks
- Data exfiltration: Confidential communications, financial data, and strategic information could be stolen
- Session hijacking: Attackers can impersonate legitimate users in Google Workspace, Gmail, and Telegram

### Enterprise Impact

For organizations using Chrome as the primary browser:

- Compromised Google Workspace sessions expose email, Drive, and Sheets data
- Administrative accounts compromised through extensions could enable broader breaches
- Telegram credentials could expose team communications if Telegram is used for business
- The 20,000-user threshold suggests significant representation across enterprise and consumer populations

### Consumer Risks

Individual users face:

- Identity theft and financial fraud
- Social media account compromise through session token theft
- Phishing and manipulation through Telegram account takeover
- Long-term tracking and surveillance through session persistence

## Detection and Removal

### Identifying Infected Extensions

Users should review installed extensions for:

- Recently installed extensions with minimal reviews or vague descriptions
- Extensions requesting "access to all data on websites you visit" — a red flag for content injection
- Low-quality or suspicious developer names
- Extensions with few legitimate updates but frequent background activity

### Known Malicious Extensions

Socket has published the full list of 108 extensions. Users should:

1. Visit chrome://extensions/ to view all installed extensions
2. Cross-reference against Socket's published vulnerability database
3. Immediately remove any matching extensions
4. Change passwords for Google and Telegram accounts
5. Review recent account activity logs for unauthorized access
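As an added example (not Socket's tooling and not code from this article), the following Python script automates steps 1 to 3 above on a local profile: it walks the on-disk `Extensions` directory where Chrome unpacks each installed extension as `<id>/<version>/manifest.json`, reads every manifest, flags extensions holding the broad host access described above, and matches IDs against a list. The `KNOWN_BAD_IDS` set, the sample manifests and the extension IDs in them are constructed placeholders; the real list is the one Socket published, which is not reproduced here.

```python
"""Audit a Chrome profile's installed extensions for broad host access and
known-bad IDs. Added example; not Socket's tooling and not from the article.

Chrome unpacks each installed extension to
<profile>/Extensions/<32-char id>/<version>/manifest.json. This walks that
tree and reports what a reviewer would look at first."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Placeholder only: substitute the extension IDs from Socket's published list.
KNOWN_BAD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed sample ID

# Match patterns that grant access to every site, i.e. the
# "access to all data on websites you visit" permission the article describes.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that, combined with broad host access, let an extension rewrite pages
# or requests. Informational: declared content_scripts need no API at all.
INJECTION_APIS = {"scripting", "webRequest", "declarativeNetRequest"}


def is_broad_host_permission(pattern: str) -> bool:
    """True when a match pattern covers every host."""
    return pattern.strip() in BROAD_PATTERNS


def host_patterns(manifest: dict) -> list:
    """Every match pattern the extension asks for: MV3 host_permissions, MV2
    permissions that look like match patterns, and content_scripts matches."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(ext_id: str, manifest: dict, known_bad=KNOWN_BAD_IDS) -> dict:
    """Summarise one manifest for a human reviewer."""
    api_perms = set(manifest.get("permissions", []))
    return {
        "id": ext_id,
        # Names are often localisation keys like "__MSG_appName__"; report as-is.
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "broad_host_access": any(is_broad_host_permission(p) for p in host_patterns(manifest)),
        "injection_apis": sorted(api_perms & INJECTION_APIS),
        "known_bad": ext_id in known_bad,
    }


def audit_extensions_dir(extensions_dir, known_bad=KNOWN_BAD_IDS) -> list:
    """Audit one manifest per extension (the lexically newest version directory)."""
    findings = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        manifests = sorted(ext_dir.glob("*/manifest.json")) if ext_dir.is_dir() else []
        if not manifests:
            continue
        with open(manifests[-1], encoding="utf-8") as fh:
            findings.append(audit_manifest(ext_dir.name, json.load(fh), known_bad))
    return findings


def flagged(findings: list) -> list:
    """Entries that deserve a look: a known-bad ID or broad host access."""
    return [f for f in findings if f["known_bad"] or f["broad_host_access"]]


def build_sample_profile() -> str:
    """Constructed two-extension tree so the audit can be exercised offline."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    samples = {  # constructed IDs and manifests, not real extensions
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Tab Helper", "version": "1.0",
            "manifest_version": 3, "host_permissions": ["<all_urls>"],
            "permissions": ["scripting", "storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Notes", "version": "2.3",
            "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        vdir = Path(root, ext_id, manifest["version"] + "_0")
        vdir.mkdir(parents=True)
        vdir.joinpath("manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Default is the Linux profile location; pass another Extensions directory,
    # or --demo to run against the constructed sample tree.
    arg = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser(
        "~/.config/google-chrome/Default/Extensions")
    target = build_sample_profile() if arg == "--demo" else arg
    for f in flagged(audit_extensions_dir(target)):
        tag = "KNOWN-BAD" if f["known_bad"] else "BROAD-ACCESS"
        print(f"{tag:13}{f['id']}  {f['name']} v{f['version']}  apis={f['injection_apis']}")
```

Run it against a profile's `Extensions` directory (the macOS and Windows locations differ from the Linux default shown) and treat every `KNOWN-BAD` hit as a removal, while `BROAD-ACCESS` hits are the candidates to check against the red flags listed above. A name reported as `__MSG_...__` is a localisation key; the human-readable name is in the extension's `_locales` folder.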


### Browser Reset (Recommended)

After removing extensions, users should:

1. Change all passwords (especially Google and Telegram)
2. Review Chrome account settings and remove unrecognized devices
3. Check Gmail account recovery options and authorized apps
4. Clear browsing cache and cookies
5. Review browser extension whitelist policies (enterprise environments)

## Recommendations

### For Individual Users

- Adopt restrictive extension policies: Only install extensions from well-known developers with transparent review histories
- Review permissions carefully: Reject extensions requesting overly broad permissions
- Use Chrome Web Store reviews as a filter: Extensions with fewer than 1,000 reviews warrant skepticism
- Enable Enhanced Safe Browsing: Provides additional protection against known malicious extensions
- Implement password managers: Reduce reliance on manual credential entry, which extensions can intercept

### For Organizations

- Deploy extension policies: Use Chrome policies to whitelist approved extensions only
- Monitor extension permissions: Flag installations requesting broad data access
- Implement device management: Use mobile device management (MDM) or endpoint detection and response (EDR) to monitor Chrome installation behavior
- Segment authentication: Use U2F/FIDO2 security keys for sensitive accounts to prevent token-only compromise
- Education and awareness: Train employees to recognize suspicious extension installation prompts

### For Enterprise IT

- Block unapproved extensions: Use ExtensionInstallBlocklist and ExtensionInstallWhitelist Chrome policies
- Monitor C2 communications: Log and alert on traffic to known malicious C2 infrastructure
- Audit third-party integrations: Review which extensions have access to sensitive data and APIs
- Implement Zero Trust: Require additional verification for sensitive actions even with valid sessions
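The deny-by-default policy recommended above, as an added example that is not part of the article: a Python script that builds the managed policy blocking every extension except a vetted list, validates the IDs before they reach the policy file, and mirrors Chrome's evaluation order so an administrator can check what a given ID would do under the policy. It uses `ExtensionInstallAllowlist`, the current name of the policy the article calls `ExtensionInstallWhitelist`. The `APPROVED_IDS` value is a constructed placeholder. The policy is read from Chrome's managed store (on Linux a JSON file under `/etc/opt/chrome/policies/managed/`, on Windows the `HKLM\SOFTWARE\Policies\Google\Chrome` registry key, or Chrome Browser Cloud Management); if the newer `ExtensionSettings` policy is configured it takes precedence over both lists.

```python
"""Generate and sanity-check a Chrome managed extension policy that blocks
every extension except an approved list. Added example; not from the article.

ExtensionInstallAllowlist entries take precedence over ExtensionInstallBlocklist,
so "*" in the blocklist plus an explicit allowlist gives deny-by-default."""
import json
import re
import sys
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")

# Constructed sample allowlist; replace with the IDs your organisation has vetted.
APPROVED_IDS = ["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"]


def valid_extension_id(ext_id: str) -> bool:
    return EXT_ID_RE.fullmatch(ext_id) is not None


def invalid_ids(ids) -> list:
    """IDs Chrome would not match; a typo here silently shrinks the allowlist,
    so reject them before they reach the policy file."""
    return [i for i in ids if not valid_extension_id(i)]


def build_policy(approved_ids) -> dict:
    bad = invalid_ids(approved_ids)
    if bad:
        raise ValueError(f"not valid Chrome extension IDs: {bad}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(set(approved_ids)),
    }


def install_allowed(policy: dict, ext_id: str) -> bool:
    """Mirror Chrome's evaluation order: allowlist wins, then the blocklist
    ("*" or an exact ID) denies, otherwise installation is permitted."""
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return True
    blocked = policy.get("ExtensionInstallBlocklist", [])
    return "*" not in blocked and ext_id not in blocked


def write_policy(policy: dict, path) -> Path:
    """Write the JSON file Chrome on Linux reads (writing under /etc needs root)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2) + "\n", encoding="utf-8")
    return path


if __name__ == "__main__":
    policy = build_policy(APPROVED_IDS)
    if len(sys.argv) > 1:
        # e.g. /etc/opt/chrome/policies/managed/extensions.json
        print("wrote", write_policy(policy, sys.argv[1]), "- confirm at chrome://policy")
    else:
        print(json.dumps(policy, indent=2))
```

After deploying, open chrome://policy on a managed machine to confirm both policies show as applied; extensions already installed but not on the allowlist are disabled by Chrome once the blocklist takes effect, which is the removal step the article asks for applied fleet-wide.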

## Conclusion

The discovery of 108 coordinated malicious extensions demonstrates the sophistication of modern browser-based attacks. The combination of scale, infrastructure coordination, and dual capabilities (credential theft plus content injection) makes this campaign a significant threat to both individual users and organizations.

The Chrome extension ecosystem remains a lucrative attack surface due to high user trust, broad permissions, and legitimate distribution channels. Defense requires vigilant users, restrictive enterprise policies, and continued scrutiny of the Chrome Web Store to prevent similar campaigns from reaching mass scale in the future.

Users who suspect compromise should immediately review their account security logs, change passwords, and contact the relevant platforms (Google, Telegram) for account recovery assistance.