
Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
Happening score: 40
1 unique source, 1 article

Summary


A coordinated Chrome Web Store extension operation is stealing Google OAuth2 Bearer tokens, deploying backdoors, and running ad fraud across more than 100 malicious extensions. The extensions share the same C2 infrastructure and were published under five publisher identities, showing a broader operation rather than isolated abuse. One extension steals Telegram Web sessions every 15 seconds and can swap a victim's browser into another account without the victim's knowledge.

Related Happenings

GlassWorm OpenVSX sleeper extension campaign

Campaign
First: 28.04.2026 00:41 · Last: 28.04.2026 00:41 · Sources: 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

108 Malicious Chrome extension campaign

Campaign
First: 14.04.2026 14:30 · Last: 14.04.2026 14:30 · Sources: 1

About this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 · Last: 14.04.2026 11:35 · Sources: 1

How related: Researchers at application security company Socket discovered that the malicious extensions are part of a coordinated campaign that uses the same command-and-control (C2) infrastructure.

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

CrystalRAT Telegram-promoted malware-as-a-service

Malware Activity
First: 02.04.2026 02:17 · Last: 02.04.2026 02:17 · Sources: 1

About this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
First: 18.03.2026 16:15 · Last: 18.03.2026 16:15 · Sources: 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

Timeline

  1. 14.04.2026 23:33 · 2 articles

    Malicious Chrome Web Store extension campaign disclosed

    Initial Disclosure

    Socket identified more than 100 malicious extensions in the official Chrome Web Store that steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. The extensions share the same C2 infrastructure on a Contabo VPS, were published under five distinct publisher identities, and include variants that use chrome.identity.getAuthToken, inject attacker-controlled HTML, steal Telegram Web sessions every 15 seconds, and inject ads into YouTube and TikTok. Socket notified Google about the campaign, and many of the malicious extensions remained available in the Chrome Web Store when disclosed.

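As an added example, not part of this page or of Socket's research, the following defender-side audit of an unpacked Chrome extension flags the traits the disclosure describes: the identity permission combined with OAuth2 scopes, broad host permissions, calls to chrome.identity.getAuthToken, and timer-driven polling of a web session target. The sample manifest and script fragments are constructed, and `audit_directory` assumes an unpacked extension folder containing manifest.json and *.js files.

```python
import json
import re
from pathlib import Path

# Traits reported for this campaign that an audit of an unpacked extension can surface.
GETAUTHTOKEN = re.compile(r"chrome\.identity\.getAuthToken")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SESSION_TARGETS = ("web.telegram.org",)

def audit_extension(manifest, sources):
    """manifest: parsed manifest.json; sources: {filename: script text}. Returns findings."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = (set(manifest.get("host_permissions", [])) | perms) & BROAD_HOSTS
    scopes = manifest.get("oauth2", {}).get("scopes", [])
    if "identity" in perms and scopes:
        findings.append("identity permission with OAuth2 scopes: " + ", ".join(scopes))
    if hosts:
        findings.append("broad host permissions: " + ", ".join(sorted(hosts)))
    for name, text in sources.items():
        if GETAUTHTOKEN.search(text):
            findings.append(f"{name}: calls chrome.identity.getAuthToken")
        if "setInterval" in text and any(t in text for t in SESSION_TARGETS):
            findings.append(f"{name}: polls a web session target on a timer")
    return findings

def audit_directory(ext_dir):
    """Audit an unpacked extension folder (manifest.json plus *.js files)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    sources = {p.name: p.read_text(encoding="utf-8", errors="replace")
               for p in ext_dir.rglob("*.js")}
    return audit_extension(manifest, sources)

# Constructed sample, not a real extension: mirrors the traits in the disclosure.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "permissions": ["identity", "storage"],
    "host_permissions": ["<all_urls>"],
    "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com",
               "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
}
SAMPLE_SOURCES = {
    "background.js": "chrome.identity.getAuthToken({interactive: false}, handleToken);",
    "content.js": "setInterval(checkSession, 15000); // runs on web.telegram.org",
}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

Findings are triage signals, not verdicts: a legitimate extension can hold the identity permission, so review flagged extensions against their stated purpose and publisher.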