{"id":45382,"date":"2026-04-14T16:36:36","date_gmt":"2026-04-14T08:36:36","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/14\/108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users\/"},"modified":"2026-04-14T16:36:36","modified_gmt":"2026-04-14T08:36:36","slug":"108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/14\/108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users\/","title":{"rendered":"108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users"},"content":{"rendered":"<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiEOmjr311c0yBDI593joFXQLaRdpm6DY67lbFv83YcYlRHaJkpocwXjDZDsV9F9DM-SavZwCOZ-fg10ncUJyW3ODlfBjqG6aK_ytdBfvXFGLswxeJ69oiZXfhGKdCgVO0Angg_qlYB6oAZYo-JQRKn4toBGWcS7OTDwPV0rkus7eNw-9BllIGJa2nkeKXn\/s1600\/chrome-telegram.jpg\" style=\"display: block; padding: 1em 0; text-align: center; clear: left; float: left;\"><img decoding=\"async\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiEOmjr311c0yBDI593joFXQLaRdpm6DY67lbFv83YcYlRHaJkpocwXjDZDsV9F9DM-SavZwCOZ-fg10ncUJyW3ODlfBjqG6aK_ytdBfvXFGLswxeJ69oiZXfhGKdCgVO0Angg_qlYB6oAZYo-JQRKn4toBGWcS7OTDwPV0rkus7eNw-9BllIGJa2nkeKXn\/s1600\/chrome-telegram.jpg\" alt=\"108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users\"\/><\/a><\/div>\n<p>Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page&nbsp;visited.<\/p>\n<p>According 
to Socket, the extensions are published under five distinct publisher identities &#8211; Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt &#8211; and have collectively amassed about 20,000 installs in the Chrome Web&nbsp;Store.<\/p>\n<p>&#8220;All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,&#8221; security researcher Kush&nbsp;Pandya <a href=\"https:\/\/socket.dev\/blog\/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2\">said<\/a> in an&nbsp;analysis.&nbsp;<\/p>\n<p>Of these, 54 add-ons steal Google account identity via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining ones engage in a variety of malicious behaviors&nbsp;&#8211;<\/p>\n<ul>\n<li>Exfiltrate Telegram Web sessions every 15 seconds<\/li>\n<li>Strip YouTube and TikTok security headers (i.e., Content Security Policy, X-Frame-Options, and CORS) and inject gambling overlays and ads<\/li>\n<li>Inject content scripts into every page the user visits<\/li>\n<li>Proxy all translation requests through the threat actor&#8217;s server<\/li>\n<\/ul>\n<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCID6WdCf6NahLEXNxG3NBdHR_nMToGiNP1RUeIAFXerxXS2XzGKaoloqKKTd99YEZPnsRSoyE3wzEs3NTO_Q-cfGclNOO76hxbLwVvbeQTP2MD0Gf1TFEKEfKecz2VOuYOSz5bBIbyZ11d_Cql_a6VY90d9lQVxwnDjE4P4JGZu-snpVRd4KJw9Job0bS\/s1600\/tele.jpg\" style=\"clear: left; display: block; float: left; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" border=\"0\" data-original-height=\"1280\" data-original-width=\"1280\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjCID6WdCf6NahLEXNxG3NBdHR_nMToGiNP1RUeIAFXerxXS2XzGKaoloqKKTd99YEZPnsRSoyE3wzEs3NTO_Q-cfGclNOO76hxbLwVvbeQTP2MD0Gf1TFEKEfKecz2VOuYOSz5bBIbyZ11d_Cql_a6VY90d9lQVxwnDjE4P4JGZu-snpVRd4KJw9Job0bS\/s1600\/tele.jpg\" alt=\"108 Malicious Chrome Extensions 
Steal Google and Telegram Data, Affecting 20,000 Users\" \/><\/a><\/div>\n<p>In an attempt to lend a veneer of legitimacy, the identified extensions masquerade as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities. The&nbsp;advertised functionality is diverse, aiming to cast a wide net, while sharing the same&nbsp;backend.<\/p>\n<p>Unbeknownst to the users, however, malicious code running in the background captures session information, injects arbitrary scripts, and opens URLs of the attacker&#8217;s&nbsp;choosing.<\/p>\n<p>Some of the identified extensions are listed below&nbsp;&#8211;<\/p>\n<ul>\n<li>Telegram Multi-account (ID: obifanppcpchlehkjipahhphbcbjekfa), which extracts the user_auth token used by Telegram Web and exfiltrates the data to a remote server. It&nbsp;can also overwrite localStorage with threat actor-supplied session data and force-load the messaging application, effectively replacing the victim&#8217;s active Telegram session with the threat actor&#8217;s chosen session.<\/li>\n<li>Web Client for Telegram &#8211; Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno), which strips Telegram&#8217;s security headers and injects scripts to steal Telegram sessions.<\/li>\n<li>Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj), which steals the user&#8217;s Google account identity the first time the victim clicks the sign-in button. This&nbsp;includes details like email, full name, profile picture URL, and Google account identifier.<\/li>\n<\/ul>\n<p>&#8220;Five extensions use Chrome&#8217;s declarativeNetRequest API to strip security headers from target sites before the page loads,&#8221; Socket said. &#8220;All 108 malicious extensions share the same backend, hosted at 144.126.135[.]238.&#8221;<\/p>\n<p>It&#8217;s currently not known who is behind the policy-violating extensions. 
However, an analysis of source code has uncovered Russian language comments across several&nbsp;add-ons.<\/p>\n<p>Users who have installed any of the extensions are advised to remove them with immediate effect and log out of all Telegram Web sessions from the Telegram mobile&nbsp;app.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web 
page&nbsp;visited.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-45382","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45382"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45382\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}