Find notable cyber news and cases, enriched with sources, timelines, and signals.

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First reported
Last updated
Happening score
H score 11
2 unique sources, 2 articles

Summary

Hide ▲

108 malicious Google Chrome extensions were found to use the same C2 infrastructure to steal credentials, sessions, and browsing data while injecting ads and arbitrary JavaScript into visited pages. The activity matters because the extensions had about 20,000 installs and could manipulate browsing sessions across Google Chrome users at scale. Several add-ons also stripped security headers, exfiltrated Telegram Web sessions, and opened attacker-controlled URLs. The shared backend was hosted at 144.126.135[.]238, indicating coordinated malicious operation rather than isolated add-on abuse.

Related Happenings

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension

Technical Analysis
H score23 First: 25.06.2026 17:12 Last: 25.06.2026 17:12 Sources 1

About this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Chrome extension PUP distribution network with fake organic traffic

Malware Activity
H score18 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...

Timeline

  1. 14.04.2026 11:35 2 articles · 2mo ago

    Researchers disclose 108 malicious Google Chrome extensions sharing one backend

    Initial Disclosure

    Researchers identified 108 malicious Google Chrome extensions published under five publisher identities and tied to the same command-and-control backend at 144.126.135[.]238; the extensions stole Google account identity and Telegram Web data, exfiltrated browsing information, injected ads and arbitrary JavaScript into visited pages, stripped security headers on YouTube and TikTok, and used a universal backdoor to open attacker-controlled URLs.

    Show sources