Cybersecurity researchers have discovered a new campaign where a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited.
These extensions are published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), according to Socket, the cybersecurity firm behind the findings. They have collectively amassed about 20,000 installs in the Chrome Web Store.
“All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,” Security Researcher Kush Pandya said in an analysis.
54 of the add-ons steal Google account identity via OAuth2. 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining ones engage in a variety of malicious behaviors.
The identified extensions masquerade as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities, in order to appear legitimate. While they seem to showcase diverse functionality, malicious code runs in the background capturing session information, injecting arbitrary scripts, and opening URLs chosen by the attacker.
“Five extensions use Chrome’s declarativeNetRequest API to strip security headers from target sites before the page loads,” Socket noted. “All 108 malicious extensions share the same backend, hosted at 144.126.135[.]238.”
It is not known who is responsible for these malicious extensions. An analysis of the source code has reportedly uncovered Russian language comments across several add-ons.
Chrome users are advised to check the extensions running in their browsers. Users who have installed any of the extensions are advised to remove them with immediate effect and log out of all Telegram Web sessions from the Telegram mobile app. Some of the more popular extensions identified include “Telegram Multi-account,” “Black Beard Slot Machine,” “Page Locker,” and “InterAlt.”
Socket recommends that people using Telegram Multi-account log out of all Telegram Web sessions using the Telegram app. The option can be found under Settings > Devices > Terminate all other sessions. Users who have signed into any of the extensions are advised to assume their identity was exposed and to review their third-party app permissions. Users are also advised to exercise extreme caution when adding new extensions from now on.
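
The header-stripping behaviour Socket describes can be checked for statically when reviewing installed extensions. The following is an added example, not code from Socket or from the extensions: a Node.js function that scans an unpacked extension's manifest and static declarativeNetRequest rule files for rules that remove or overwrite security response headers. The function name, the header list and the sample manifest and rules are constructed for illustration.

```javascript
// Added example: static audit of an extension's manifest and its
// declarativeNetRequest (DNR) rule files for security-header tampering.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "x-content-type-options", "strict-transport-security",
  "cross-origin-opener-policy", "cross-origin-embedder-policy",
  "cross-origin-resource-policy",
]);
const DNR_PERMISSIONS = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"];

// manifest: parsed manifest.json; ruleFiles: { "<path from manifest>": parsed rule array }
function auditExtension(manifest, ruleFiles) {
  const hasDnr = (manifest.permissions || []).some((p) => DNR_PERMISSIONS.includes(p));
  const resources = (manifest.declarative_net_request || {}).rule_resources || [];
  const findings = [];
  for (const res of resources) {
    const rules = ruleFiles[res.path];
    if (!Array.isArray(rules)) continue; // rule file missing or malformed
    for (const rule of rules) {
      const action = rule.action || {};
      if (action.type !== "modifyHeaders") continue;
      for (const h of action.responseHeaders || []) {
        const header = String(h.header || "").toLowerCase(); // header names are case-insensitive
        if (!SECURITY_HEADERS.has(header)) continue;
        if (h.operation !== "remove" && h.operation !== "set") continue;
        findings.push({
          ruleset: res.id, ruleId: rule.id, header, operation: h.operation,
          urlFilter: (rule.condition || {}).urlFilter || null,
        });
      }
    }
  }
  return { hasDnr, findings };
}

// Constructed sample input (not taken from any real extension).
const sampleManifest = {
  manifest_version: 3, name: "Sample Sidebar", permissions: ["storage", "declarativeNetRequest"],
  declarative_net_request: { rule_resources: [{ id: "rs1", enabled: true, path: "rules.json" }] },
};
const sampleRules = { "rules.json": [
  { id: 1, priority: 1, condition: { urlFilter: "||example.com", resourceTypes: ["main_frame"] },
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" }] } },
  { id: 2, priority: 1, condition: { urlFilter: "ads.example" }, action: { type: "block" } },
  { id: 3, priority: 1, condition: { urlFilter: "||example.com" },
    action: { type: "modifyHeaders", responseHeaders: [{ header: "X-Powered-By", operation: "remove" }] } },
] };
console.log(JSON.stringify(auditExtension(sampleManifest, sampleRules), null, 2));
```

Rules registered at runtime through `chrome.declarativeNetRequest.updateDynamicRules` do not appear in the static rule files, so a clean result here does not clear an extension.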

