
Compromised Chrome Extensions Campaign Targeting Google and Telegram Accounts

2 unique sources, 2 articles

Summary


A coordinated campaign of 108 malicious Chrome extensions has been identified, targeting approximately 20,000 users to steal Google and Telegram session data via a shared command-and-control (C2) infrastructure. The extensions exfiltrate sensitive credentials, inject arbitrary scripts, and strip security headers while masquerading as legitimate utilities under five publisher identities. At least 54 extensions steal Google account identities via OAuth2, 45 contain universal backdoors opening arbitrary URLs on startup, and some target Telegram Web sessions every 15 seconds. The campaign was first reported on April 14, 2026, with security researchers at Socket uncovering coordinated backend systems and shared operational patterns across all extensions. The operation functions as a Malware-as-a-Service (MaaS) model, allowing third parties to access stolen data and active sessions. All 108 extensions remained available at discovery, prompting takedown requests.

Timeline

  1. 14.04.2026 11:35 · 2 articles

    Chrome Extensions Campaign Exfiltrating Google and Telegram Credentials via Shared C2

    Security researchers at Socket identify coordinated backend systems and shared operational patterns across all 108 extensions, confirming a Malware-as-a-Service (MaaS) model where stolen data and active sessions are accessible to third parties through shared cloud resources, reused code, and overlapping account identifiers. All extensions remain active at discovery, leading to submitted takedown requests.



Similar Happenings

Fake AI Assistant Extensions in Google Chrome Web Store Exfiltrate Credentials and Monitor Emails

Over 260,000 Google Chrome users downloaded fake AI assistant extensions that steal login credentials, monitor emails, and enable remote access. Researchers at LayerX identified over 30 malicious extensions as part of a coordinated campaign called AiFrame. The extensions mimicked popular AI assistants like Claude AI, ChatGPT, Grok, and Google Gemini. The campaign used extension spraying to evade takedowns, directing users to remote infrastructure to avoid detection. The extensions exfiltrate data from Chrome and Gmail to attacker-controlled servers. LayerX warns that these extensions act as general-purpose access brokers, capable of harvesting data and monitoring user behavior. Many extensions have been removed from the Chrome Web Store, but users who downloaded them remain at risk.

Additionally, cybersecurity researchers have discovered a malicious Google Chrome extension named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) that steals TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data. The extension exfiltrates data to infrastructure controlled by the threat actor, including a backend at getauth[.]pro and a Telegram channel. The extension has 33 users as of writing and was first uploaded to the Chrome Web Store on March 1, 2025.

About 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The large-scale campaign has been codenamed VK Styles. The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker's VK groups, resetting account settings every 30 days to override user preferences, manipulating CSRF tokens to bypass VK's security protections, and maintaining persistent control.

A report published by Q Continuum found a huge collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, representing roughly 1% of the global Chrome userbase.

DarkSpectre Campaigns Target 8.8 Million Users with Malicious Browser Extensions

A Chinese threat actor, DarkSpectre, has been linked to three malicious browser extension campaigns—ShadyPanda, GhostPoster, and The Zoom Stealer—which have collectively impacted 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over seven years. The campaigns facilitate data theft, search query hijacking, affiliate fraud, and corporate espionage by exfiltrating meeting-related data from video conferencing platforms. Additionally, five new malicious Chrome extensions impersonating HR and ERP platforms have been discovered, targeting Workday, NetSuite, and SAP SuccessFactors to hijack accounts. These extensions steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking. The extensions, some of which were recently taken down, used delayed activation and benign updates to evade detection and build trust before deploying malicious functionality. The extensions were designed to look polished and professional, with some claiming to contain security features to prevent account compromise. They engaged in a range of actions to take control of accounts, including extracting authentication cookies and uploading them to a command and control (C2) server every 60 seconds. The extensions prevented passwords from being changed to help ensure stolen access tokens remained valid indefinitely and prevented security teams from locking out compromised accounts during remediation. Administrators attempting to disable an affected user's account encountered a blank page and redirect loop. Socket recommended that organizations implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions and monitor for extensions targeting the same enterprise platforms with similar permission requests.

GhostPoster Campaign Uses Steganography in Firefox Addon Logos

The GhostPoster campaign, which hides malicious JavaScript code in the PNG logos of Firefox extensions, has been discovered to have infected 17 additional extensions across Chrome, Firefox, and Edge stores, accumulating a total of 840,000 installations. The campaign, first reported by Koi Security researchers in December, involves extensions that monitor browser activity and plant a backdoor. The hidden script acts as a loader that fetches the main payload from a remote server, retrieving it only 10% of the time to evade detection. The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. The campaign originated on Microsoft Edge and expanded to Firefox and Chrome, with some extensions present in browser add-on stores since 2020. A more advanced variant of the payload was identified in the 'Instagram Downloader' extension, which uses a bundled image file as a covert payload container. The newly identified extensions have been removed from Mozilla's and Microsoft's add-on stores, but users who installed them may still be at risk. Google has confirmed the removal of all identified extensions from the Chrome Web Store.

ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs

The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.
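Both Socket's advice in the DarkSpectre entry (allowlists plus monitoring for extensions that request similar permissions against the same enterprise platforms) and the ShadyPanda entry's advice (audit extension permissions regularly) come down to the same check. The script below is an added example, not code from Socket, Koi Security, or CyberHappenings: it audits extension manifests against an allowlist and flags cookie access or response-rewriting permissions scoped to the SaaS hosts named in these reports. The manifests, extension IDs and the sensitive-host list are constructed placeholders; in practice the manifests would be read from each profile's Extensions directory.

```python
import fnmatch
import json

# Constructed sample manifests keyed by extension ID (placeholder IDs, not real ones).
SAMPLE_MANIFESTS = json.loads("""{
 "placeholder_id_allowed_001": {"name": "Corp Password Manager", "manifest_version": 3,
   "permissions": ["storage"], "host_permissions": ["*://vault.example.com/*"]},
 "placeholder_id_suspect_002": {"name": "HR Portal Helper", "manifest_version": 3,
   "permissions": ["cookies", "declarativeNetRequest"],
   "host_permissions": ["*://*.workday.com/*", "*://*.netsuite.com/*"]},
 "placeholder_id_suspect_003": {"name": "Tab Cleaner", "manifest_version": 2,
   "permissions": ["tabs", "cookies", "webRequestBlocking", "<all_urls>"]}
}""")

ALLOWLIST = {"placeholder_id_allowed_001"}  # IDs approved by the organization

# Hosts from the reports above (assumed list); cookie access here is session-theft risk.
SENSITIVE_HOSTS = ["*.workday.com", "*.netsuite.com", "*.successfactors.com",
                   "*.google.com", "web.telegram.org"]

# API permissions that allow rewriting responses, e.g. stripping security headers.
HEADER_EDITING = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                  "webRequestBlocking"}


def host_of(pattern):
    """Host part of a Chrome match pattern; '*' for all hosts; None for API permissions."""
    if pattern == "<all_urls>":
        return "*"
    _, sep, rest = pattern.partition("://")
    return rest.split("/", 1)[0] if sep else None


def covers_sensitive(pattern):
    """True if the match pattern reaches any sensitive host (either side may be a glob)."""
    host = host_of(pattern)
    if host is None:
        return False
    return host == "*" or any(fnmatch.fnmatch(h, host) or fnmatch.fnmatch(host, h)
                              for h in SENSITIVE_HOSTS)


def audit(manifests, allowlist):
    """Return [(ext_id, name, [reasons])] for every extension that needs review."""
    findings = []
    for ext_id, m in manifests.items():
        api = set(m.get("permissions", []))  # MV2 mixes hosts into "permissions"
        hosts = [p for p in list(api) + m.get("host_permissions", []) if host_of(p)]
        touches_sensitive = any(covers_sensitive(h) for h in hosts)
        reasons = [] if ext_id in allowlist else ["not on allowlist"]
        if "cookies" in api and touches_sensitive:
            reasons.append("cookie access on sensitive hosts")
        if api & HEADER_EDITING and touches_sensitive:
            reasons.append("can rewrite responses on sensitive hosts")
        if reasons:
            findings.append((ext_id, m.get("name", "?"), reasons))
    return findings
```

Running `audit(SAMPLE_MANIFESTS, ALLOWLIST)` reports the two placeholder "suspect" extensions with all three reasons each and passes the allowlisted one.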