Skip to main content
TechnologyApr 15, 2026· 2 min read

Over 100 Malicious Chrome Extensions Steal Data and Accounts: Security Alert in the Official Web Store

A new and concerning malware campaign has hit the Chrome Web Store, putting millions of users at risk. According to researchers from the security company Socket, over 100 seemingly legitimate extensions have been used to steal sensitive data, compromise accounts, and engage in fraudulent activities. The malicious extensions, published under five different identities, covered various popular categories, including tools for Telegram, online games, utilities, translators, and plugins to enhance the experience on YouTube and TikTok.
This variety allowed attackers to reach a wide audience without raising suspicion. The infrastructure used is highly organized and relies on a centralized command and control (C2) system, hosted on VPS servers. According to experts, this is likely a malware-as-a-service operation, probably of Russian origin, based on clues found in the code of the extensions.

From a technical standpoint, the threats are manifold. Some extensions manipulate the user interface by injecting malicious HTML code, while others exploit functions such as "chrome.identity.getAuthToken" to collect personal data from users, including email, name, and Google account ID. Even more alarming is the theft of OAuth2 tokens, which allow attackers to access data or act directly on behalf of the victim.

Additional Details on Google's Malicious Extensions

Another group of extensions includes backdoor functionalities that activate automatically when the browser starts, without any interaction from the user. These can execute remote commands, open websites, or install further malicious components.
Particularly alarming is the case of an extension capable of stealing Telegram sessions every 15 seconds, allowing attackers to take control of accounts without the user's knowledge. In some cases, the malware can even completely replace the user's session with another, manipulating the data stored in the browser.

Despite reporting to Google, many of these extensions were still available at the time of the report's publication. Experts recommend that users immediately check their installed extensions and remove any suspicious ones.