108 Malicious Chrome Extensions Steal Data from About 20,000 Installs in Coordinated Attack
Authored by slotshop.info, 17-04-2026
Cybersecurity firm Socket exposed a network of 108 rogue Google Chrome extensions that together drew about 20,000 installs from the Chrome Web Store. These tools, disguised as Telegram clients, translators, and games, siphon user credentials, hijack Telegram sessions, and inject harmful code into websites. The operation routes all stolen information to a shared command-and-control server, marking a sophisticated threat to everyday browser users.
Deceptive Tools Share Hidden Infrastructure
The extensions hide behind five publisher accounts but connect to one central server for data theft. Socket researcher Kush Pandya detailed how they grab credentials, identities, and browsing histories without detection. Among them, 54 target Google logins, capturing emails and profile images through OAuth2 flows as users sign in. Another 45 embed a backdoor that opens attacker-chosen URLs on browser startup, evading standard protections.
Telegram Hijack and Web Tampering Tactics
The extension "Telegram Multi-account" stands out as the most aggressive: it pulls authentication tokens from Telegram Web every 15 seconds and sends them to a remote server, giving attackers complete account control without needing the password or two-factor code. Five extensions abuse Chrome's declarativeNetRequest API to strip security headers from targeted sites before pages load, leaving those pages open to further attacks. Masquerading as sidebars for YouTube or TikTok, slot machines like "Piggy Prizes," or utilities like text translators, they blend into legitimate offerings.
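A defender-side check for two of the indicators described in this article (the header-stripping declarativeNetRequest rules in this section and the OAuth2-based Google login harvesting in the previous one), added here as an example and not Socket's research tooling: it audits a parsed manifest.json and its static rulesets. The sample manifest, rules and client ID are constructed for illustration and do not come from any of the 108 extensions.

```python
"""Audit a Chrome extension manifest for declarativeNetRequest rules that strip
security response headers and for an identity/oauth2 setup that can read the
signed-in Google account. Added example; not Socket's or Google's tooling."""

# Response headers whose removal weakens a site's own defences.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "strict-transport-security", "x-content-type-options"}

def header_stripping_rules(rules):
    """Return (rule id, header) for modifyHeaders rules that remove a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                hits.append((rule["id"], name))
    return hits

def audit_manifest(manifest, rule_files):
    """manifest: parsed manifest.json; rule_files: {ruleset path: parsed rule list}."""
    perms = set(manifest.get("permissions", []))
    findings = {"name": manifest.get("name"), "stripped_headers": [], "oauth2_scopes": []}
    for ruleset in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        findings["stripped_headers"] += header_stripping_rules(rule_files.get(ruleset["path"], []))
    # identity permission + oauth2 block: the extension can obtain Google tokens for the signed-in user.
    if "identity" in perms and "oauth2" in manifest:
        findings["oauth2_scopes"] = manifest["oauth2"].get("scopes", [])
    return findings

# Constructed sample resembling a "translator" extension with a header-stripping ruleset.
SAMPLE_MANIFEST = {
    "name": "Sample Translator (constructed)", "manifest_version": 3,
    "permissions": ["declarativeNetRequest", "identity", "storage"],
    "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com",
               "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    "declarative_net_request": {"rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_RULES = {"rules.json": [
    {"id": 1, "action": {"type": "modifyHeaders", "responseHeaders": [
        {"header": "Content-Security-Policy", "operation": "remove"},
        {"header": "X-Frame-Options", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}},
    {"id": 2, "action": {"type": "block"}, "condition": {"urlFilter": "||ads.example.invalid"}},
]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, SAMPLE_RULES))
```

To run it against a real unpacked extension, load its manifest.json and each file listed under `declarative_net_request.rule_resources` with `json.load` and pass them in; a benign rule such as the `block` rule above produces no finding.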
Steps to Secure Accounts and Browsers
Users who may be affected should act quickly. Socket advises reviewing installed extensions and removing any of the 108 named ones, including "Web Client for Telegram - Teleside," "Speed Test for Chrome," and dozens of slot games. Telegram users should terminate all web sessions from the Devices menu in the mobile app. Anyone who signed in to Google through these tools should revoke access for unrecognized third-party apps in their Google account settings and watch for unusual activity.
Risks Echo Browser Extension Vulnerabilities
Chrome extensions hold deep system access, making them prime vectors for abuse when publishers turn malicious. Past campaigns have similarly weaponized store listings, underscoring the challenge of vetting thousands of submissions. This incident highlights the value of extension transparency and user caution, as attackers refine evasion techniques amid rising reliance on browser add-ons for daily tasks. Broader defenses, like routine audits and permission reviews, remain essential to counter such persistent threats.