108 Malicious Chrome Extensions Were Hiding in Plain Sight
By Paul Nieto IIIApr 15, 20267 min read
Most small business owners don't think twice about browser extensions — a tool to manage tabs, a sidebar for a messaging app, a game to kill five minutes. Researchers just proved they shouldn't be so relaxed.
In mid-April 2026 (Socket's threat-research team published the analysis on April 13; coverage followed on the 14th), Socket revealed that 108 malicious Google Chrome extensions were operating as a coordinated data-theft campaign, all reporting to the same command-and-control server. Collectively they amassed around 20,000 installs in the Chrome Web Store before being identified. Chrome holds well over 60% of the global browser market, making it the dominant attack surface for any threat actor targeting everyday users.
What these extensions were doing
They disguised themselves as Telegram sidebar clients, YouTube and TikTok enhancers, slot-machine games, and translation tools — published under five fake publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt) to avoid detection. All 108 routed stolen credentials, identities, and browsing data to the same operator. The breakdown:
54 extensions stole Google account identity via OAuth2 — capturing email, full name, profile picture, and account identifiers the moment a user clicked sign-in.
45 extensions contained a universal backdoor that opened attacker-controlled URLs every time the browser started.
The worst single offender (a "Telegram Multi-account" extension) exfiltrated Telegram Web session tokens to the C2 every 15 seconds.
They injected content scripts into every page, gave the attacker full visibility into browser activity, and stripped security headers (CSP, CORS) from target sites before pages loaded.
Source-code analysis showed Russian-language comments across several extensions, though formal attribution hasn't been confirmed.
Why SMBs are especially exposed
Large enterprises have endpoint management, browser policies, and security teams watching for anomalies. Most SMBs have none of that. Employees install extensions freely — often on the same machines used for company email, cloud storage, accounting, and banking. A single compromised extension can silently harvest session tokens that give an attacker access to all of those systems without ever needing a password. Per the 2025 Verizon DBIR, credential abuse remains a leading initial-access method against small businesses, and browser-based harvesting is one of the cleanest ways to achieve it — no phishing email, no obvious red flag. The Chrome Web Store has improved vetting, but this campaign proves determined actors can still publish, accumulate thousands of installs, and operate for an extended period before detection.
What you should do right now
Audit your extensions at chrome://extensions — if you don't recognize or actively use it, remove it.
Remove any extensions published under Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt.
Log out of all Telegram Web sessions from the Telegram mobile app under Settings > Devices.
Review your Google account at myaccount.google.com/security for unfamiliar sign-ins or connected apps.
Rotate credentials for any accounts accessed while a compromised extension may have been active.
Set an extension policy for your team — define what's approved and communicate it.
The bottom line
108 extensions. 20,000 installs. One shared server silently collecting credentials and hijacking sessions across every page your employees visited. The browser is the new perimeter — attackers know that, and most SMBs are still acting like it isn't.
Would your current setup catch something like this? Browser security is built into our layered endpoint protection — extension behavior, session access, and suspicious calls from inside the browser.