Over 100 Chrome extensions in Web Store target users accounts and data

Over 100 malicious Chrome extensions discovered in the official Chrome Web Store are part of a coordinated campaign stealing Google OAuth2 Bearer tokens, hijacking Telegram sessions, deploying backdoors, and committing ad fraud. Researchers at Socket linked the extensions to a shared C2 infrastructure and found evidence pointing to a Russian malware-as-a-service operation. The extensions are disguised as Telegram clients, games, YouTube/TikTok enhancers, and utilities. One particularly severe extension steals Telegram Web sessions every 15 seconds and can silently swap a victim's browser into a different Telegram account. Despite Google being notified, the extensions remain available on the Chrome Web Store. Users are advised to check their installed extensions against the published list of malicious IDs and uninstall any matches.