← back to blog
Threat Intel

108 Malicious Chrome Extensions Were Hiding in Plain Sight

Hooded figure at laptop in server room — malicious Chrome extension data theft

Most small business owners don't think twice about browser extensions — a tool to manage tabs, a sidebar for a messaging app, a game to kill five minutes. Researchers just proved they shouldn't be so relaxed.

In mid-April 2026 (Socket's threat-research team published the analysis on April 13; coverage followed on the 14th), Socket revealed that 108 malicious Google Chrome extensions were operating as a coordinated data-theft campaign, all reporting to the same command-and-control server. Collectively they amassed around 20,000 installs in the Chrome Web Store before being identified. Chrome holds well over 60% of the global browser market, making it the dominant attack surface for any threat actor targeting everyday users.

What these extensions were doing

They disguised themselves as Telegram sidebar clients, YouTube and TikTok enhancers, slot-machine games, and translation tools — published under five fake publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt) to avoid detection. All 108 routed stolen credentials, identities, and browsing data to the same operator. The breakdown:

  • 54 extensions stole Google account identity via OAuth2 — capturing email, full name, profile picture, and account identifiers the moment a user clicked sign-in.
  • 45 extensions contained a universal backdoor that opened attacker-controlled URLs every time the browser started.
  • The worst single offender (a "Telegram Multi-account" extension) exfiltrated Telegram Web session tokens to the C2 every 15 seconds.
  • They injected content scripts into every page, gave the attacker full visibility into browser activity, and stripped security headers (CSP, CORS) from target sites before pages loaded.

Source-code analysis showed Russian-language comments across several extensions, though formal attribution hasn't been confirmed.

Why SMBs are especially exposed

Large enterprises have endpoint management, browser policies, and security teams watching for anomalies. Most SMBs have none of that. Employees install extensions freely — often on the same machines used for company email, cloud storage, accounting, and banking. A single compromised extension can silently harvest session tokens that give an attacker access to all of those systems without ever needing a password. Per the 2025 Verizon DBIR, credential abuse remains a leading initial-access method against small businesses, and browser-based harvesting is one of the cleanest ways to achieve it — no phishing email, no obvious red flag. The Chrome Web Store has improved vetting, but this campaign proves determined actors can still publish, accumulate thousands of installs, and operate for an extended period before detection.

What you should do right now

  • Audit your extensions at chrome://extensions — if you don't recognize or actively use it, remove it.
  • Remove any extensions published under Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt.
  • Log out of all Telegram Web sessions from the Telegram mobile app under Settings > Devices.
  • Review your Google account at myaccount.google.com/security for unfamiliar sign-ins or connected apps.
  • Rotate credentials for any accounts accessed while a compromised extension may have been active.
  • Set an extension policy for your team — define what's approved and communicate it.

The bottom line

108 extensions. 20,000 installs. One shared server silently collecting credentials and hijacking sessions across every page your employees visited. The browser is the new perimeter — attackers know that, and most SMBs are still acting like it isn't.

Would your current setup catch something like this? Browser security is built into our layered endpoint protection — extension behavior, session access, and suspicious calls from inside the browser.

References & further reading

  1. Socket Research — 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2.
  2. The Hacker News — 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users.
  3. StatCounter — Browser Market Share Worldwide.
  4. Verizon — 2025 Data Breach Investigations Report.
$ ./read_next
Threat Intel

The Stryker Wiper Attack: What Every SMB Must Do About Microsoft Intune

Iran-linked hackers wiped a $25B medtech giant using nothing but a compromised Microsoft Intune admin account. Why your SMB is the next logical target — and what to do this week.