Find notable cyber news and cases, enriched with sources, timelines, and signals.

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

A coordinated Chrome Web Store extension operation is stealing Google OAuth2 Bearer tokens, deploying backdoors, and running ad fraud across more than 100 malicious extensions. The extensions share the same C2 infrastructure and were published under five publisher identities, showing a broader operation rather than isolated abuse. One extension steals Telegram Web sessions every 15 seconds and can swap a victim's browser into another account without the victim's knowledge.

Related Happenings

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

GlassWorm OpenVSX sleeper extension campaign

Campaign
H score45 First: 28.04.2026 00:41 Last: 28.04.2026 00:41 Sources 1

About this happening: The **GlassWorm** operation has launched a **new wave** against **OpenVSX**, seeding **73 sleeper extensions** that become malicious after an **update** and can deliver malware to...

108 Malicious Chrome extension campaign

Campaign
H score37 First: 14.04.2026 14:30 Last: 14.04.2026 14:30 Sources 1

About this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

How related: Researchers at application security company Socket discovered that the malicious extensions are part of a coordinated campaign that uses the same command-and-control (C2) infrastructure.

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Timeline

  1. 14.04.2026 23:33 2 articles · 2mo ago

    Malicious Chrome Web Store extension campaign disclosed

    Initial Disclosure

    Socket identified more than 100 malicious extensions in the official Chrome Web Store that steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. The extensions share the same C2 infrastructure on a Contabo VPS, were published under five distinct publisher identities, and include variants that use chrome.identity.getAuthToken, inject attacker-controlled HTML, steal Telegram Web sessions every 15 seconds, and inject ads into YouTube and TikTok. Socket notified Google about the campaign, and many of the malicious extensions remained available in the Chrome Web Store when disclosed.

    Show sources