Massive Malicious Chrome Extensions Campaign Compromises Thousands of Users
A newly uncovered malicious Chrome extensions campaign has put roughly 20,000 users at risk. Security researchers at Socket identified 108 fake extensions that appear legitimate but secretly harvest sensitive data. This coordinated operation spans multiple categories, including gaming, social media tools, and translation utilities.
How the Malicious Chrome Extensions Campaign Operates
All 108 extensions are linked to a single command-and-control (C2) infrastructure. This setup allows operators to aggregate stolen information in one place. Although the extensions were published under five separate developer identities, the research team found consistent backend systems and shared operational patterns across all of them.
This level of coordination makes the campaign stand out. Instead of isolated incidents, users face a well-organized threat that mimics legitimate software. The extensions often deliver on their advertised functionality, such as games or messaging tools, while masking malicious activity running in the background.
Key Attack Techniques in the Malicious Chrome Extensions Campaign
Telegram Extension Captures Sessions Every 15 Seconds
One of the most dangerous tools is a Telegram-focused extension. It captures active web sessions every 15 seconds, granting attackers full account access without passwords or multi-factor authentication (MFA). Because a stolen session is already authenticated, strong passwords and MFA do not stop it; the extension bypasses them entirely.
Google Account Harvesting via OAuth2 Permissions
Other extensions harvest Google account details using OAuth2 permissions. Some inject ads by bypassing browser security protections, and others open arbitrary web pages through hidden backdoors. Many operate continuously in the background, even if users never actively interact with them.
Key Behaviors Identified by Researchers
- 54 extensions collecting Google profile data
- 45 extensions containing a persistent backdoor triggered at browser start-up
- Multiple tools injecting scripts or ads into popular platforms like YouTube and TikTok
- One extension acting as a translation proxy through attacker-controlled servers
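As an added defender-side example (not Socket's code and not anything from the campaign itself), the Python script below maps the behaviours listed above onto manifest.json features that an audit of a Chrome profile can flag: the cookies permission (session capture), identity (OAuth2 account harvesting), broad host access plus a background worker (runs at start-up), and content scripts targeting sites such as YouTube. The permission-to-behaviour mapping, the sample manifest and the profile directory layout are assumptions for illustration.

```python
import json
from pathlib import Path

# Assumed mapping of manifest permissions onto the behaviours reported for this
# campaign. This is an illustrative heuristic, not Socket's detection logic.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies (session capture)",
    "identity": "can request Google OAuth2 tokens (account harvesting)",
    "webRequest": "can observe or modify web requests (ad injection)",
    "declarativeNetRequest": "can rewrite requests (ad or proxy injection)",
    "scripting": "can inject scripts into open pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    bg = manifest.get("background", {})
    if bg.get("service_worker") or bg.get("scripts") or bg.get("persistent"):
        findings.append("background worker runs at browser start-up")
    for cs in manifest.get("content_scripts", []):
        findings.append("content script injected into: " + ", ".join(cs.get("matches", [])))
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings per id."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        report[manifest_path.parent.parent.name] = audit_manifest(manifest)
    return report

# Constructed sample manifest resembling the reported behaviours (not a real extension).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Translator",
    "permissions": ["cookies", "identity", "alarms", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["*://*.youtube.com/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Point audit_profile at the Extensions folder of a Chrome user profile to review every installed extension; a benign extension with only storage-type permissions produces no findings.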
Dual Behavior Complicates Detection for Users
According to Socket, this dual behavior, working features in front and hidden data collection behind them, makes detection difficult for users. You might think you are using a harmless tool, but behind the scenes, your data is being siphoned.
Building on this, the infrastructure also supports a Malware-as-a-Service (MaaS) model, in which stolen data and active sessions can be accessed by third parties. Researchers linked the entire operation to a single operator through shared cloud resources, reused code, and overlapping account identifiers.
Current Status and What You Can Do
All 108 extensions were still available at the time of discovery. The appropriate security teams have been notified, and takedown requests have been submitted. Infosecurity Magazine contacted Google for comment but has not yet received a response.
To protect yourself from this malicious Chrome extensions campaign, review your installed extensions regularly. Remove any you do not recognize or use. Stick to well-known developers and check reviews before installing. For more tips, read our guide on browser extension security tips. Additionally, learn how to spot fake extensions before they steal your data.
Image credit: Mijansk786 / Shutterstock.com