{"id":589,"date":"2026-04-14T08:50:01","date_gmt":"2026-04-14T08:50:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=589"},"modified":"2026-04-14T08:50:01","modified_gmt":"2026-04-14T08:50:01","slug":"108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=589","title":{"rendered":"108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 14, 2026<\/span><\/span><span class=\"p-tags\">Data Theft \/ Browser Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiEOmjr311c0yBDI593joFXQLaRdpm6DY67lbFv83YcYlRHaJkpocwXjDZDsV9F9DM-SavZwCOZ-fg10ncUJyW3ODlfBjqG6aK_ytdBfvXFGLswxeJ69oiZXfhGKdCgVO0Angg_qlYB6oAZYo-JQRKn4toBGWcS7OTDwPV0rkus7eNw-9BllIGJa2nkeKXn\/s1700-e365\/chrome-telegram.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page\u00a0visited.<\/p>\n<p>According to Socket, the extensions are published under five distinct publisher identities \u2013 Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt \u2013 and have collectively amassed about 20,000 installs in the Chrome Web\u00a0Store.<\/p>\n<p>\u00abAll 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,\u00bb security researcher Kush\u00a0Pandya <a href=\"https:\/\/socket.dev\/blog\/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2\">said<\/a> in an\u00a0analysis.\u00a0<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/vpn-risk-report-inside-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgWajeG0cdaapf1GKTZRUZUB7BzuYGegyw5k0eAorJXlmkFdYCCeLXXhXYJuXU9lWD33rV6rRnIyly3czoNfYifpxk1eGA5slItPmim3HkubXoQMgC4J7hdQPywxGbWq7Eqeff_o6s2Fq-WmSFd5guwdLn7IqpveMqULqtVnd-ndnljWYGj45EkMFB7m0qm\/s728-e100\/z-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Of these, 54 add-ons steal Google account identity via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining ones engage in a variety of malicious behaviors\u00a0&#8211;<\/p>\n<ul>\n<li>Exfiltrate Telegram Web sessions every 15 seconds<\/li>\n<li>Strip YouTube and TikTok security headers (i.e., Content Security Policy, X-Frame-Options, and CORS) and inject gambling overlays and ads<\/li>\n<li>Inject content scripts into every page the user visits<\/li>\n<li>Proxy all translation requests through the threat actor&#8217;s server<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCID6WdCf6NahLEXNxG3NBdHR_nMToGiNP1RUeIAFXerxXS2XzGKaoloqKKTd99YEZPnsRSoyE3wzEs3NTO_Q-cfGclNOO76hxbLwVvbeQTP2MD0Gf1TFEKEfKecz2VOuYOSz5bBIbyZ11d_Cql_a6VY90d9lQVxwnDjE4P4JGZu-snpVRd4KJw9Job0bS\/s1700-e365\/tele.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCID6WdCf6NahLEXNxG3NBdHR_nMToGiNP1RUeIAFXerxXS2XzGKaoloqKKTd99YEZPnsRSoyE3wzEs3NTO_Q-cfGclNOO76hxbLwVvbeQTP2MD0Gf1TFEKEfKecz2VOuYOSz5bBIbyZ11d_Cql_a6VY90d9lQVxwnDjE4P4JGZu-snpVRd4KJw9Job0bS\/s1700-e365\/tele.jpg\" alt=\"\" border=\"0\" data-original-height=\"1280\" data-original-width=\"1280\"\/><\/a><\/div>\n<p>In an attempt to lend a veneer of legitimacy, the identified extensions masquerade as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities. The\u00a0advertised functionality is diverse, aiming to cast a wide net, while sharing the same\u00a0backend.<\/p>\n<p>Unbeknownst to the users, however, malicious code running in the background captures session information, injects arbitrary scripts, and opens URLs of the attacker&#8217;s\u00a0choosing.<\/p>\n<p>Some of the identified extensions are listed below\u00a0&#8211;<\/p>\n<ul>\n<li>Telegram Multi-account (ID: obifanppcpchlehkjipahhphbcbjekfa), which extracts the user_auth token used by Telegram Web and exfiltrates the data to a remote server. It\u00a0can also overwrite localStorage with threat actor-supplied session data and force-load the messaging application, effectively replacing the victim&#8217;s active Telegram session with the threat actor&#8217;s chosen session.<\/li>\n<li>Web Client for Telegram &#8211; Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno), which strips Telegram&#8217;s security headers and injects scripts to steal Telegram sessions.<\/li>\n<li>Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj), which steals the user&#8217;s Google account identity the first time the victim clicks the sign-in button. This\u00a0includes details like email, full name, profile picture URL, and Google account identifier.<\/li>\n<\/ul>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abFive extensions use Chrome&#8217;s declarativeNetRequest API to strip security headers from target sites before the page loads,\u00bb Socket said. \u00abAll 108 malicious extensions share the same backend, hosted at 144.126.135[.]238.\u00bb<\/p>\n<p>It&#8217;s currently not known who is behind the policy-violating extensions. However, an analysis of source code has uncovered Russian language comments across several\u00a0add-ons.<\/p>\n<p>Users who have installed any of the extensions are advised to remove them with immediate effect and log out of all Telegram Web sessions from the Telegram mobile\u00a0app.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 14, 2026Data Theft \/ Browser Security Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with&hellip;<\/p>\n","protected":false},"author":1,"featured_media":590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[657,182,38,361,2,33,571,351,826],"class_list":["post-589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-affecting","tag-chrome","tag-data","tag-extensions","tag-google","tag-malicious","tag-steal","tag-telegram","tag-users"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=589"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/589\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/590"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}