Over 100 Malicious Chrome Extensions Found Stealing Google Tokens and Hijacking Telegram Accounts


205/69 Thursday, April 16, 2026

Cybersecurity researchers from Socket have uncovered a large-scale malware campaign embedded within the Chrome Web Store, involving more than 100 malicious browser extensions designed to steal user data. These extensions disguise themselves as tools for managing Telegram, online slot games, and add-ons for platforms like YouTube and TikTok. Analysis of the source code revealed Russian-language comments, suggesting the operation may be part of a Malware-as-a-Service (MaaS) model. The attackers appear to share a common command-and-control (C2) infrastructure to harvest sensitive data and generate revenue through illicit advertising.

From a technical perspective, these extensions employ several dangerous techniques. The largest group leverages the chrome.identity.getAuthToken API to steal Google OAuth2 bearer tokens, which can grant attackers direct access to victims’ Google accounts, including profile information such as names, email addresses, and profile photos. Some extensions also function as backdoors, automatically activating when the browser starts. Most concerning are those targeting Telegram Web, which silently exfiltrate session data every 15 seconds, allowing attackers to impersonate users, read messages, and fully take over Telegram accounts.

Although the campaign has been reported to Google, many of these malicious extensions were still available on the Chrome Web Store at the time of investigation, including examples like Telegram Multi-account, Black Beard Slot Machine, and Page Locker. These extensions often use convincing names and icons to deceive users. Experts strongly recommend reviewing all installed browser extensions and removing any unfamiliar or suspicious ones immediately. Users should also check their Google account security settings and revoke any unauthorized access to prevent further damage.
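As a starting point for the extension review recommended above, the following added example (not code from Socket's report or the original article) checks extension manifests for the two capabilities described earlier: the "identity" permission with an "oauth2" block, which chrome.identity.getAuthToken requires, and host access to Telegram Web. The function names, reason labels and sample manifests are constructed for illustration; a flag is a reason for manual review, not a verdict.

```python
import json
from pathlib import Path

TELEGRAM_WEB = "web.telegram.org"
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return review reasons for one parsed manifest.json (empty list = nothing flagged)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Host access can be declared in three places (MV2 mixes hosts into "permissions").
    hosts = set(perms) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    reasons = []
    # getAuthToken needs both the "identity" permission and an "oauth2" manifest block.
    if "identity" in perms and "oauth2" in manifest:
        scopes = manifest["oauth2"].get("scopes", [])
        reasons.append("google-oauth-token: " + ", ".join(scopes))
    if any(TELEGRAM_WEB in h for h in hosts):
        reasons.append("telegram-web-access")
    elif hosts & BROAD:
        reasons.append("all-sites-access (includes Telegram Web)")
    return reasons

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions directory."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        reasons = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if reasons:
            report[path.parts[-3]] = reasons  # key by extension ID (directory name)
    return report

# Constructed sample manifests (not taken from the campaign).
SAMPLES = {
    "token-reader": {"manifest_version": 3, "permissions": ["identity", "storage"],
                     "oauth2": {"client_id": "EXAMPLE.apps.googleusercontent.com",
                                "scopes": ["openid", "email", "profile"]}},
    "tg-helper": {"manifest_version": 3, "host_permissions": ["https://web.telegram.org/*"]},
    "notes": {"manifest_version": 3, "permissions": ["storage"]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, audit_manifest(manifest))
```

Many legitimate extensions request the same permissions, so compare each flagged extension ID against what the user knowingly installed.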

Source: https://www.bleepingcomputer.com/news/security/over-100-chrome-extensions-in-web-store-target-users-accounts-and-data/