惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
GbyAI
GbyAI
SecWiki News
SecWiki News
Project Zero
Project Zero
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy International News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
A
Arctic Wolf
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog
Apple Machine Learning Research
Apple Machine Learning Research
T
Tailwind CSS Blog
The Hacker News
The Hacker News
T
Tenable Blog
雷峰网
雷峰网
有赞技术团队
有赞技术团队
V
V2EX
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
T
Threatpost
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault 最新的问题
月光博客
月光博客
Spread Privacy
Spread Privacy
S
Secure Thoughts
宝玉的分享
宝玉的分享
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
The Last Watchdog
The Last Watchdog
Y
Y Combinator Blog
I
Intezer
博客园 - 【当耐特】
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
I
InfoQ
博客园 - 叶小钗
Cyberwarzone
Cyberwarzone
V2EX - 技术
V2EX - 技术
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
H
Help Net Security
C
CERT Recently Published Vulnerability Notes

GRAHAM CLULEY

Anubis ransomware: what you need to know Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers The ransomware negotiator who was working for the other side Invited to a "job interview" with Netflix or OpenAI? Beware! Your Google password could be at risk Smashing Security podcast #475: JadePuffer - the AI that ran a ransomware attack all by itself Two arrested over credit card phishing - as the Netherlands is named Europe's worst for payment fraud The Gentlemen ransomware: what you need to know Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack? Scammers race to cash in on Venezuelan earthquake disaster USB drives carrying China-linked malware infected Japanese military networks for nearly a year Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup Hacker hijacks Brazil's national alert system, sending "misanthropy" to millions of phones Apple's Hide My Email tweak leaves privacy fans fuming Imposter scams cost Americans $3.5 billion in 2025 – and it’s getting worse Smashing Security podcast #472: AI gets hacked, and BitLocker gets bypassed Maine forced to take down data breach portal after fake notices filed with authorities Privacy own-goal: World Cup blunder leaks Lionel Messi's passport details Silent Ransom Group: what you need to know Smashing Security podcast #471: This AI worm just rewrote its own rules Why schools remain one of cybercriminals' favourite targets Got a LinkedIn message from a recruiter? It might be Chinese intelligence, warn FBI and MI5 Meta’s own AI chatbot to blame for Instagram accounts being stolen in seconds Smashing Security podcast #470: This AI security flaw might be impossible to fix Police arrest man following hack of Ajax football club MyPillow listed on ransomware gang's leak site, but denies it has been breached Smashing Security podcast #469: What your Oura ring won’t tell you FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts — no password required Defenders fall behind, as AI rewrites the rules of a data breach Smashing Security podcast #468: High-speed train hacks and homicidal lawnmowers FBI warns students and staff that ShinyHunters may come knocking after Canvas breach Suspected Dream Market kingpin arrested after gold bars sent to his home address When ransomware gets physical: cybercriminals turn to threats of violence Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities One in eight UK workers has sold their company passwords, and bosses think it’s fine Inside Department 4: Russia's secret school for hackers Sri Lanka makes 37 arrests as it raids another scam centre Smashing Security podcast #466: Meta sees everything, Copy Fail, and a deepfake gets hired Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions Alleged Silk Typhoon hacker extradited to the United States to face charges French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not Singer loses life savings to fake wallet downloaded from the Apple App Store Sometimes changing the password on your email mailbox isn’t enough AI and cryptocurrency scams are costing Americans billions, FBI reports Life imprisonment for Cambodian scam compound operators - but will it make a difference? Nigerian romance scammer jailed after being caught out by fellow fraudster Alleged RedLine malware developer extradited to United States Iranian hackers breach FBI director's personal email, and post his CV and photos online World Leaks data extortion: What you need to know How one man used 10,000 bots to steal $8,000,000 from music artists Denver's crosswalks hacked to broadcast anti-Trump messages LeakNet ransomware: what you need to know Free parking in Russia after Distributed Denial-of-Service attack knocks city's parking system offline Fraudsters are using public planning records to target permit applicants Your Signal account is safe - unless you fall for this trick Twitter suspended 800 million accounts last year — so why does manipulation remain so rampant? How hackers bypassed MFA with a $120 phishing kit - until a global takedown shut it down They seized $4.8m in crypto... then gave the master key to the internet
108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users
Graham CLULEY · 2026-04-15 · via GRAHAM CLULEY

What looked like harmless Chrome add-ons for Telegram, YouTube, TikTok, translation, or casual games were in fact part of a coordinated data-theft campaign affecting roughly 20,000 users. The case is another reminder that malicious browser extensions can quietly siphon credentials, hijack sessions, and tamper with web traffic even when they are downloaded from an official store.

Key Takeaways

  • Researchers identified 108 malicious Chrome extensions tied to a single command-and-control infrastructure, suggesting a coordinated operation rather than isolated abuse.
  • The extensions were disguised as useful or entertaining tools, including Telegram helpers, translation tools, slot games, and YouTube or TikTok enhancers, and had accumulated around 20,000 installs before discovery.
  • The campaign stole Google account data, exfiltrated Telegram Web sessions, opened arbitrary URLs at browser startup, and in some cases injected ads or stripped security protections from popular sites.
  • Users who installed any of the flagged extensions should remove them immediately, and anyone affected by a Telegram-themed add-on should also log out of all Telegram Web sessions to cut off possible hijacking.

Cybersecurity researchers have revealed that 108 malicious Google Chrome extensions have been quietly stealing user credentials, hijacking Telegram sessions, and injecting unwanted ads and scripts into browsers - all reporting back to the same central point.

The discovery by researchers at Socket, found that all 108 extensions were communicating with a single command-and-control server, strongly suggesting they are the work of one group of hackers.

Between them, before being identified, the extensions had racked up approximately 20,000 installs from the Chrome Web Store.

The malicious add-ons were published under five different publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) in an apparent attempt to avoid detection.

And to further disguise the reality of what was going on, each malicious Google Chrome extension adopted differing disguises - including posing as a Telegram sidebar client, slot machine games, tools to enhance YouTube and TikTok, or translation tools.

Behind the scenes, according to researchers, all 108 extensions were transferring stolen credentials, user identities, and browsing data to remote servers under the control of the hackers.

Specific malicious behaviours included:

  • 54 extensions that stole Google account details - including email addresses, full names, profile pictures, and Google account IDs
  • 45 extensions that contained a backdoor which could open arbitrary URLs upon browser startup
  • Privacy-busting extensions that exfiltrated Telegram Web sessions every 15 seconds, and in some cases even replacing the victim's active session with of the hackers' choosing
  • Extensions that stripped security headers from YouTube and TikTok, and injected gambling ads.

Although the identity of those behind the campaign remains unknown, it is perhaps telling that Russian-language comments were found in the source code of several of the add-ons.

If you're a regular reader of Hot for Security then you will know that browser extension security has been a significant problem over the years.

Back in 2018, for instance, the Mega.nz Chrome extension was compromised via a malicious update, leading to the scooping-up of login credentials and cryptocurrency private keys belonging to silently harvesting login credentials and cryptocurrency private keys from web surfers.

In 2020, researchers found 49 browser extensions targeting cryptocurrency wallets, which had been promoted via Google Ads and lauded with fake five-star reviews to appear trustworthy.

More recently, in 2023, a rogue "ChatGPT for Google" extension stole Facebook session cookies from over 9,000 users, and used them to spread malvertising.

And just this January, 16 more fake ChatGPT-themed extensions were found to be stealing authentication tokens.

Arguably the most alarming incident of all though occurred at Christmas in 2024, when a phishing email tricked a worker into granting a malicious app access to Cyberhaven's Chrome Web Store account. That allowed attackers to push a poisoned update to hundreds of thousands of users. That attack was believed to be part of a broader campaign that compromised over 35 extensions and affected an estimated 2.6 million people.

If you have installed any of the 108 extensions identified in this latest malicious campaign, your best course of action is to remove them immediately.

Furthermore, anyone who installed a dodgy Telegram-related extension should also log out of all Telegram Web sessions via the Telegram mobile app, as attackers may have already hijacked them.

More generally, don't you think it's high time you did a spring clean of your Chrome extensions? Do you actually use each one? Do the permissions they request seem proportionate for what they do? If in doubt, remove it.

After all, a lean browser with less extensions is inevitably a safer browser.