
108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users
Why It Matters
The abuse exposes millions of users to credential theft and browser‑level malware, undermining trust in the Chrome Web Store and highlighting the need for stricter extension vetting.
Key Takeaways
- 108 Chrome extensions linked to a single C2 server, 144.126.135.238.
- 54 of the extensions harvest Google OAuth2 data.
- 45 extensions open arbitrary URLs on browser startup.
- A subset exfiltrates Telegram Web sessions every 15 seconds.
- 20,000 installs; users urged to uninstall immediately.
Pulse Analysis
The Chrome Web Store has long been a fertile ground for both productivity tools and malicious actors. In recent months, high‑profile incidents—from ad‑injecting extensions to crypto‑mining scripts—have prompted Google to tighten its review processes. Yet the discovery of a 108‑extension campaign demonstrates how threat actors can still evade detection by distributing malicious code across multiple publisher identities, creating a false sense of legitimacy while sharing a single backend infrastructure.
Technical analysis reveals a multi‑stage operation. Over half of the extensions harvest Google OAuth2 tokens the moment a user signs in, granting attackers persistent access to email, contacts, and cloud services. A separate cohort targets Telegram Web, siphoning session tokens every 15 seconds and even overwriting local storage to hijack active chats. Additional add‑ons manipulate Chrome’s declarativeNetRequest API to strip CSP and CORS headers, paving the way for injected gambling ads and arbitrary JavaScript on high‑traffic sites like YouTube and TikTok. The unified C2 server (144.126.135.238) consolidates stolen data, enabling large‑scale credential resale.
For enterprises and individual users, the episode underscores the urgency of rigorous extension hygiene. Security teams should audit installed add‑ons, enforce least‑privilege policies, and employ browser isolation where feasible. Google’s forthcoming extension vetting enhancements may mitigate future threats, but the onus remains on users to remove suspicious tools promptly and rotate compromised credentials. As attackers continue to weaponize legitimate‑looking extensions, continuous monitoring and rapid response will be essential to safeguard digital identities.
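As an added illustration of the audit step recommended above (not code from the original article or from the researchers who reported the campaign), the following script flags the three traits the analysis describes in an unpacked extension: Google OAuth2 scopes declared in the manifest, host access to Telegram Web or to every site, and declarativeNetRequest rules that remove or loosen CSP and CORS response headers. The manifest and rule list are constructed samples, not artefacts from the campaign.

```python
import json

# Constructed sample input (not artefacts from the reported campaign): a Manifest V3
# manifest and its declarativeNetRequest rule list, as Chrome loads them from disk.
SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Video Speed Helper",
  "permissions": ["declarativeNetRequest", "identity", "storage"],
  "host_permissions": ["*://*.youtube.com/*", "*://web.telegram.org/*"],
  "oauth2": {"client_id": "placeholder.apps.googleusercontent.com",
             "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
  "declarative_net_request": {"rule_resources": [
    {"id": "ruleset_1", "enabled": true, "path": "rules.json"}]}
}""")
SUSPECT_RULES = json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "content-security-policy", "operation": "remove"},
     {"header": "access-control-allow-origin", "operation": "set", "value": "*"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}
]""")

# Response headers whose removal or rewriting weakens a site's own defences.
HEADERS_OF_INTEREST = {"content-security-policy", "access-control-allow-origin"}
MESSAGING_HOSTS = ("web.telegram.org",)


def audit_extension(manifest: dict, rules: list) -> list:
    """Return human-readable findings for one extension; an empty list means no match."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # 1. Google OAuth2 scopes declared in the manifest (the token-theft surface).
    scopes = manifest.get("oauth2", {}).get("scopes", [])
    if "identity" in perms and scopes:
        findings.append("requests Google OAuth2 scopes: " + ", ".join(scopes))
    # 2. Host access to Telegram Web, or to every site.
    for host in manifest.get("host_permissions", []):
        if host == "<all_urls>" or any(m in host for m in MESSAGING_HOSTS):
            findings.append("broad or messaging-site host access: " + host)
    # 3. declarativeNetRequest rules that strip or loosen CSP / CORS headers.
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        for rule in rules:
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            target = rule.get("condition", {}).get("urlFilter", "?")
            for mod in action.get("responseHeaders", []):
                if mod.get("header", "").lower() in HEADERS_OF_INTEREST:
                    findings.append(f"rule {rule.get('id')} {mod['operation']}s "
                                    f"{mod['header']} on {target}")
    return findings
```

Run it against each directory under the browser profile's Extensions folder to get a per-extension list of findings; a clean extension returns an empty list.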