Chrome Web Store backdoor campaign: 108 malicious extensions steal data and account access tokens

Socket reports that a network of 108 Chrome extensions in the Chrome Web Store has been found to establish backdoors and steal data. The extensions were disguised as widely used tools, including a Telegram session manager, a YouTube UI optimizer, TikTok-related tools, mini-games, and a translation utility. Researchers say the operation is run by five developer entities—Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt—but all connect to a single command-and-control (C2) server.

By the time of discovery, the tools had already infiltrated and stolen data from thousands of user accounts, indicating a coordinated data-theft scheme with a clear objective.

How the extensions targeted users

Technical analysis indicates the attackers did not only collect basic information; they also targeted deep user access:

• Hijacking Telegram: Malicious extensions can extract session data, enabling attackers to access victims’ Telegram accounts without passwords or multi-factor authentication (MFA).
• Exploiting personal data: Many extensions use OAuth2 to access personal data such as email addresses, full names, and account IDs as soon as users log in.
• Backdoors and malicious navigation: A large number of extensions include malicious code that can automatically navigate the browser or open suspicious pages, potentially supporting ad-spam campaigns or luring users to scam sites.

Researchers say the extensions request excessive access to webpage data, which can allow injection of malicious code to monitor user behavior and exfiltrate sensitive information.

Review process failure and centralized control

Although Google maintains that the Chrome Web Store is a safe environment, researchers report that more than 100 extensions sharing a similar malicious code structure slipped through the review process. They note that while the extensions have different names and functions, they all send data to the same command-and-control IP address.

The presence of a central C2 server suggests the activity is not isolated, but part of a coordinated campaign designed to maximize the amount of data stolen from Chrome users.

Impact and user guidance

The incident highlights that browsers can store key elements of users’ digital lives, making careful extension management important.

Researchers recommend the following steps:

• Immediate checks: Review the list of installed extensions and remove tools from unfamiliar developers.
• Limit installations: Install only extensions that are truly necessary and come from reputable, long-standing sources.
• Be wary of permissions: Question extensions that request “read and change all data on the websites you visit” permissions.