108 Malicious Chrome extension campaign

Campaign
First reported
Last updated
Happening score
H score 40
1 unique source, 1 article

Summary

A large-scale campaign of 108 malicious Chrome extensions exposed roughly 20,000 users to session hijacking and data theft through a shared C2 infrastructure.

Related Happenings

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

QuickLens and ShotBird malicious Chrome extension update chain

Malware Activity
First: 09.03.2026 12:28 Last: 09.03.2026 12:28 Sources 1

About this happening: The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...

Timeline

  1. 14.04.2026 14:30 2 articles · 1mo ago

    Socket discloses 108 malicious Chrome extensions

    Initial Disclosure

    Socket disclosed a large-scale campaign involving 108 malicious Chrome extensions that affected roughly 20,000 users. The extensions were disguised as legitimate gaming, social media, messaging, and translation tools while sharing backend systems and a single C2 infrastructure to steal data. The operation included a Telegram-focused extension that captured active web sessions every 15 seconds, tools that abused OAuth2 permissions to collect Google account data, extensions that injected scripts or ads into YouTube and TikTok, and persistent backdoors triggered at browser start-up. The extensions were still available at the time of discovery; security teams were notified and takedown requests were submitted.