108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Ravie LakshmananApr 14, 2026Data Theft / Browser Security

Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited.

According to Socket, the extensions (complete list here) are published under five distinct publisher identities – Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt – and have collectively amassed about 20,000 installs in the Chrome Web Store.

“All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,” security researcher Kush Pandya said in an analysis.

Of these, 54 add-ons steal Google account identity via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining ones engage in a variety of malicious behaviors –

Exfiltrate Telegram Web sessions every 15 seconds
Strip YouTube and TikTok security headers (i.e., Content Security Policy, X-Frame-Options, and CORS) and inject gambling overlays and ads
Inject content scripts into every page the user visits
Proxy all translation requests through the threat actor’s server

In an attempt to lend a veneer of legitimacy, the identified extensions masquerade as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities. The advertised functionality is diverse, aiming to cast a wide net, while sharing the same backend.

Unbeknownst to the users, however, malicious code running in the background captures session information, injects arbitrary scripts, and opens URLs of the attacker’s choosing.

Some of the identified extensions are listed below –