Over 100 Chrome extensions caught stealing Google and Telegram data: How to stay safe?
Cybersecurity researchers have uncovered a massive, coordinated campaign involving 108 Google Chrome extensions designed to steal user data, hijack Telegram sessions, and inject malicious code into web pages. The hacking operation, first reported by Hacker News, is said to have collectively amassed roughly 20,000 installs on the Chrome Web Store.
How were hackers stealing Google and Telegram data?
According to a report by security firm Socket, the extensions operate under five distinct publisher identities but secretly share a single command-and-control (C2) infrastructure. The researchers noted that while the extensions masquerade as legitimate tools such as Telegram sidebar clients, text translators, and slot machine games, they execute malicious scripts in the background.
“All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,” Socket security researcher Kush Pandya explained in the report.
Socket noted that 54 of the extensions targeted Google account identities, harvesting details such as email addresses and profile pictures via OAuth2 the moment a user attempted to sign in. Meanwhile, 45 extensions contained a universal backdoor that forced the browser to silently open arbitrary URLs dictated by the attacker’s server on startup.
Researchers further noted that the ‘most severe extension’ in the campaign is called ‘Telegram Multi-account’. Targeting Telegram users, the extension secretly extracted active Telegram Web authentication tokens and exfiltrated the data to a remote server every 15 seconds.
This, the researchers warned, allowed attackers to take full control of an account without needing a password or two-factor authentication code.
“Five extensions use Chrome’s declarativeNetRequest API to strip security headers from target sites before the page loads,” Socket said in the blog post.
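The header-stripping behaviour Socket describes leaves a trace in an extension's static declarativeNetRequest rules, which can be audited offline. The script below is an added example, not Socket's or any extension's code: it reads a manifest plus its rule files, flags the permissions this campaign relied on (declarativeNetRequest and the identity/OAuth2 scope), and lists every rule that removes or rewrites a security response header. The manifest and rule set are constructed samples, not taken from a real extension.

```python
import json

# Response headers whose removal or rewriting by an extension undoes
# protections the site itself deployed.
SECURITY_HEADERS = {"content-security-policy", "strict-transport-security",
                    "x-frame-options", "x-content-type-options",
                    "cross-origin-opener-policy"}

def find_header_stripping(rules):
    """(rule id, header, operation, scope) for each rule touching a security header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        cond = rule.get("condition", {})
        scope = cond.get("urlFilter") or cond.get("regexFilter") or "<all urls>"
        for mod in action.get("responseHeaders", []):
            if mod.get("header", "").lower() in SECURITY_HEADERS:
                findings.append((rule["id"], mod["header"].lower(), mod["operation"], scope))
    return findings

def audit_extension(manifest, rulesets):
    """Flag risky permissions and header-stripping rules in every static ruleset, enabled or not."""
    perms = set(manifest.get("permissions", []))
    report = {
        "can_modify_headers": bool(perms & {"declarativeNetRequest",
                                             "declarativeNetRequestWithHostAccess"}),
        "uses_oauth2_identity": "identity" in perms or "oauth2" in manifest,
        "findings": []}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        report["findings"] += find_header_stripping(rulesets.get(res["path"], []))
    return report

# Constructed sample (not a real extension): a "translator" that requests the
# identity permission and strips CSP and X-Frame-Options on one site.
SAMPLE_MANIFEST = {
    "permissions": ["declarativeNetRequest", "identity", "storage"],
    "declarative_net_request": {"rule_resources": [
        {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]}}
SAMPLE_RULES = {"rules.json": [
    {"id": 1, "priority": 1, "condition": {"urlFilter": "||example.com"},
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "Content-Security-Policy", "operation": "remove"},
         {"header": "X-Frame-Options", "operation": "remove"},
         {"header": "Cache-Control", "operation": "set", "value": "no-store"}]}}]}

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_RULES), indent=2))
```

Rules added dynamically at runtime via the updateDynamicRules or updateSessionRules APIs are not visible in the static files, so a clean static audit does not clear an extension on its own.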
How to stay safe?
For users who may be impacted by the attack, security experts at Socket recommend taking the following immediate steps: