108 Chrome Extensions Linked to Coordinated Campaign Stealing Google and Telegram Data

This article was generated by AI and cites original sources.

The Campaign

More than 100 Google Chrome extensions have been linked to a coordinated campaign that combines credential theft, Telegram session hijacking, and in-browser manipulation. According to cybersecurity researchers, the operation involves 108 extensions that together accumulated roughly 20,000 installs on the Chrome Web Store. The extensions masquerade as legitimate tools while running malicious code in the background.

The technical core of the campaign, as described by security firm Socket, is the use of a shared command-and-control (C2) infrastructure across multiple extensions that present themselves under five distinct publisher identities. This design suggests the attackers organized their workflow to centralize control, exfiltration, and additional payload delivery while making individual extensions harder to connect through simple publisher-based review.

Coordinated Extensions: One Operator, Multiple Identities

According to Socket’s analysis, the extensions “operate under five distinct publisher identities but secretly share a single command-and-control (C2) infrastructure.” The extensions “masquerade as legitimate tools such as Telegram sidebar clients, text translators, and slot machine games,” yet “execute malicious scripts in the background.”

Socket security researcher Kush Pandya stated: “All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator.” This indicates that the extensions are not independent threats; they are coordinated components reporting to the same backend systems.

The campaign also includes browser-level behavior aimed at persistence and user interaction. Socket’s researchers described a “universal backdoor” inside 45 extensions that “forced the browser to silently open arbitrary URLs dictated by the attacker’s server on startup.” Additionally, five extensions use Chrome’s declarativeNetRequest API to strip security headers from target sites before the page loads; because the headers are removed at the network-request layer, the protections they would have enforced never take effect once the content renders.

Google Account Targeting via OAuth2 Sign-in Interception

According to Socket’s report, 54 extensions targeted Google account identities, harvesting details such as email addresses and profile pictures via OAuth2 “the moment a user attempts to sign in.”

From a technical perspective, this represents a specific abuse pattern: extensions can observe the sign-in flow and collect identity-related information when authentication is underway. The timing suggests the malicious logic is designed to piggyback on legitimate OAuth2 interactions, turning an authorization moment into an opportunity for credential-adjacent data collection.

The stolen information is routed to servers “controlled by the same operator.” This linkage between OAuth2 harvesting and centralized reporting is the type of technical detail security teams use when grouping threats, and it helps explain why defenders may see multiple extensions behaving similarly even if they appear different to users.

Telegram Multi-account: Token Theft Every 15 Seconds

According to Socket, the most severe extension in the campaign is named “Telegram Multi-account.” Socket’s researchers say it targets Telegram users by secretly extracting active Telegram Web authentication tokens and then exfiltrating the data to a remote server every 15 seconds.

This token exfiltration enables attackers to take full control of an account without needing a password or two-factor authentication code. The claim points to session hijacking based on authentication artifacts used by Telegram Web, rather than brute-force login.

This distinction matters for defenders because it shifts the mitigation conversation away from password resets and toward extension hygiene, session and token invalidation, and the detection of suspicious browser add-ons. From a monitoring standpoint, the extension’s behavior reduces to two observable signals: token extraction on a fixed schedule and regular outbound transfers to a remote server.
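The fixed 15-second exfiltration cadence described above is exactly the kind of signal a proxy or DNS log can expose. The following is an added detection example, not code from the article or from Socket’s report: it parses a constructed log of outbound requests attributed to extension origins, groups them by initiator and destination, and flags pairs whose inter-request gaps are both short and nearly constant. The log format, the extension origins, the hostnames, and the thresholds (coefficient of variation below 0.2, mean gap of 60 seconds or less) are all assumptions chosen for illustration.

```javascript
// Added example (not from the article or Socket): flag fixed-interval outbound
// requests from browser extensions in a constructed proxy-style log.
// Assumed log format: "<ISO timestamp> <initiator origin> <destination host>".
// All origins, hosts and timestamps below are constructed sample data.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z chrome-extension://aaaa exfil.example
2024-05-01T10:00:15Z chrome-extension://aaaa exfil.example
2024-05-01T10:00:30Z chrome-extension://aaaa exfil.example
2024-05-01T10:00:45Z chrome-extension://aaaa exfil.example
2024-05-01T10:01:00Z chrome-extension://aaaa exfil.example
2024-05-01T10:00:03Z chrome-extension://bbbb cdn.example
2024-05-01T10:07:41Z chrome-extension://bbbb cdn.example
2024-05-01T10:09:02Z chrome-extension://bbbb cdn.example
2024-05-01T10:31:10Z chrome-extension://bbbb cdn.example
`;

// Parse the log into { t (epoch seconds), initiator, host } records,
// dropping lines whose timestamp does not parse.
function parseLog(text) {
  return text
    .trim()
    .split("\n")
    .map((line) => {
      const [ts, initiator, host] = line.trim().split(/\s+/);
      return { t: Date.parse(ts) / 1000, initiator, host };
    })
    .filter((e) => Number.isFinite(e.t) && e.initiator && e.host);
}

// Group by (initiator, host), sort timestamps and compute gap statistics.
// A pair is "periodic" when its gaps have a low coefficient of variation
// and a short mean interval (assumed thresholds: cv < 0.2, mean <= 60 s).
function beaconStats(entries, { maxCv = 0.2, maxMeanGap = 60 } = {}) {
  const groups = new Map();
  for (const e of entries) {
    const key = `${e.initiator} -> ${e.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.t);
  }
  const out = [];
  for (const [key, times] of groups) {
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push(times[i] - times[i - 1]);
    // Too few samples to judge regularity: report but do not flag.
    if (gaps.length < 3) {
      out.push({ key, count: times.length, periodic: false });
      continue;
    }
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;
    out.push({
      key,
      count: times.length,
      meanGap: mean,
      cv,
      periodic: cv < maxCv && mean <= maxMeanGap,
    });
  }
  return out;
}

// Convenience wrapper: only the (initiator, host) pairs that look like beacons.
function findPeriodicBeacons(text) {
  return beaconStats(parseLog(text)).filter((s) => s.periodic);
}

for (const hit of findPeriodicBeacons(SAMPLE_LOG)) {
  console.log(`periodic: ${hit.key} every ~${hit.meanGap}s over ${hit.count} requests`);
}
```

The second extension origin in the sample talks to a CDN at irregular intervals and is not flagged; only the origin beaconing every 15 seconds is. In a real deployment the thresholds would be tuned against baseline extension traffic, and a hit would be followed by invalidating the affected sessions and removing the extension rather than by a password reset alone.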

Recommended Actions

Socket’s guidance focuses on direct remediation: users who may be impacted should review their browser and completely remove any of the 108 identified malicious extensions.

The identified extensions range from “Telegram Multi-account” and “Web Client for TikTok” to numerous slot machine and game-themed extensions. The breadth of names reflects the strategy described earlier: using categories that can blend into the Chrome Web Store’s entertainment and utility ecosystem while concealing malicious logic.

For security teams and power users, the technical details in the report (shared C2 infrastructure, OAuth2-based harvesting at sign-in, token extraction at 15-second intervals, and use of declarativeNetRequest to strip security headers) indicate the campaign was engineered for both data theft and browser manipulation. Defenders can look for extension permission sets and network-request behavior that match these mechanisms.
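Two of the mechanisms listed above, the declarativeNetRequest header stripping described earlier and the permission patterns this paragraph suggests watching for, can be checked statically from an unpacked extension before it is trusted. The following is an added audit example, not code from the article, from Socket, or from any of the 108 extensions: it reads a manifest.json and the static rule files it references, reports modifyHeaders rules that remove security-relevant response headers, and lists sensitive permissions and broad host access. The sample manifest and rule file are constructed; the set of “sensitive” permissions and the header list are the reviewer’s own choices, not a Chrome-defined category. The rule shape (action.type "modifyHeaders", responseHeaders entries with header and operation) follows the real declarativeNetRequest rule format.

```javascript
// Added example (not from the article or Socket): static audit of an unpacked
// Chrome extension's manifest.json plus its declarativeNetRequest rule files.
// Flags rules that remove security headers and summarizes risky permissions.
// All sample inputs below are constructed for illustration.

// Response headers whose removal weakens browser-enforced protections.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "strict-transport-security",
  "x-content-type-options",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
]);

// Permissions worth a second look when combined (assumption: reviewer's list).
const SENSITIVE_PERMISSIONS = new Set([
  "identity", "declarativeNetRequest", "webRequest", "cookies", "tabs", "scripting",
]);

// Return every modifyHeaders rule that removes a security header.
function findHeaderStrippingRules(rules) {
  const hits = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (h.operation === "remove" && SECURITY_HEADERS.has(name)) {
        hits.push({
          id: rule.id,
          header: name,
          urlFilter: (rule.condition && rule.condition.urlFilter) || "*",
        });
      }
    }
  }
  return hits;
}

// Summarize risk signals from a manifest and the rule sets it references.
// `ruleFiles` maps each rule_resources path to its parsed JSON array.
function auditExtension(manifest, ruleFiles) {
  const permissions = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  const sensitivePermissions = [...permissions].filter((p) => SENSITIVE_PERMISSIONS.has(p));
  const hosts = manifest.host_permissions || [];
  const broadHostAccess = hosts.some((h) => h === "<all_urls>" || h === "*://*/*");

  const strippingRules = [];
  const dnr = manifest.declarative_net_request || {};
  for (const res of dnr.rule_resources || []) {
    strippingRules.push(...findHeaderStrippingRules(ruleFiles[res.path] || []));
  }

  return {
    name: manifest.name,
    sensitivePermissions,
    broadHostAccess,
    strippingRules,
    // Header stripping paired with broad host access is the pattern the article describes.
    verdict: strippingRules.length > 0 && broadHostAccess ? "review-required" : "no-static-findings",
  };
}

// Constructed sample manifest and rule file shaped like the behavior in the article.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Sidebar Client (constructed sample)",
  permissions: ["identity", "declarativeNetRequest", "storage"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: {
    rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }],
  },
};

const SAMPLE_RULE_FILES = {
  "rules.json": [
    {
      id: 1,
      priority: 1,
      action: {
        type: "modifyHeaders",
        responseHeaders: [
          { header: "Content-Security-Policy", operation: "remove" },
          { header: "X-Frame-Options", operation: "remove" },
          { header: "Cache-Control", operation: "set", value: "no-store" },
        ],
      },
      condition: { urlFilter: "||example.com", resourceTypes: ["main_frame"] },
    },
    { id: 2, priority: 1, action: { type: "block" }, condition: { urlFilter: "||ads.example" } },
  ],
};

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_RULE_FILES), null, 2));
```

The audit is deliberately static: it reports what the extension declares, not what its background script does at runtime, so a clean result here does not clear an extension that fetches its behavior from a server. Dynamic rules added through the API at runtime would not appear in the rule files and need runtime inspection instead.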

The campaign was first reported on Hacker News before being analyzed by Socket. This sequence illustrates how community reports can surface suspicious extension activity, which then gets formalized into technical threat analysis—an important workflow in the extension ecosystem where many risks originate from third-party code running inside the browser.

Source: mint – technology