108 Malicious Chrome Extensions Steal User Data

Cybersecurity researchers have identified a coordinated campaign involving 108 malicious Google Chrome extensions that compromised the data of approximately 20,000 users. The extensions, designed to steal information from Google and Telegram accounts, were discovered communicating with a shared command infrastructure.

The security firm Socket uncovered the cluster of browser add-ons, which were available on the official Chrome Web Store. These extensions posed as tools for productivity, web development, and various utilities to attract users.

How the Malicious Extensions Operated

Once installed, the extensions connected to a common command-and-control server. Their primary functions included harvesting sensitive user data and injecting unwanted advertisements and arbitrary JavaScript code into every webpage a user visited. This technique, known as browser-level abuse, allowed the malware to operate on any site.

The data collection targeted login credentials and session information from major platforms, with Google and Telegram services specifically named. The arbitrary code execution created further risks, potentially enabling additional malicious activities beyond the initial data theft.

Discovery and Scale of the Campaign

Socket’s research team detected the campaign by analyzing the network behavior of numerous extensions that communicated with identical infrastructure. The finding highlights a significant security gap in the vetting process for browser extensions, even on official marketplaces.

An estimated 20,000 users downloaded the extensions before their removal. The global reach of the Chrome browser means affected individuals could be located anywhere in the world.

Official Response and User Guidance

Following the disclosure, Google has reportedly removed the identified extensions from the Chrome Web Store. The company typically conducts investigations into such campaigns and may take further action against developer accounts associated with the malware.

Security experts advise users to review their installed browser extensions regularly. Recommendations include removing any unfamiliar add-ons, checking extension permissions, and installing software only from trusted developers with clear, legitimate purposes.
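The permission review recommended above can be partly automated. The following script is an added example, not code from the article or from Socket: it reads the manifest.json of each installed extension and flags the permission pattern the campaign abused, namely the ability to run script in every page the user visits. The Chrome profile path and the two sample manifests are assumptions constructed for illustration.

```python
"""Flag installed Chrome extensions whose manifest lets them run script in
every page (example triage script; profile path and samples are assumed)."""
import json
import os
from typing import Dict, List

# Match patterns that cover every site a user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that reach page content, cookies, tabs or network traffic.
SENSITIVE = {"scripting", "webRequest", "webRequestBlocking", "cookies",
             "tabs", "webNavigation", "declarativeNetRequest"}

def risk_flags(manifest: Dict) -> List[str]:
    """Return human-readable findings for one manifest (Manifest V2 or V3)."""
    flags = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts separately; MV2 mixed host patterns into "permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & ALL_SITES:
        flags.append("host access to every site")
    if any(set(cs.get("matches", [])) & ALL_SITES
           for cs in manifest.get("content_scripts", [])):
        flags.append("content script injected into every page")
    if hosts & ALL_SITES and "scripting" in perms:
        flags.append("can inject arbitrary script into any tab (scripting + all hosts)")
    if perms & SENSITIVE:
        flags.append("sensitive permissions: " + ", ".join(sorted(perms & SENSITIVE)))
    return flags

def scan_profile(extensions_dir: str) -> Dict[str, List[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; findings by id."""
    report = {}
    for dirpath, _, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        ext_id = os.path.relpath(dirpath, extensions_dir).split(os.sep)[0]
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as f:
            flags = risk_flags(json.load(f))
        if flags:
            report[ext_id] = flags
    return report

# Constructed manifests standing in for a benign utility and a risky one.
BENIGN = {"manifest_version": 3, "name": "Tab Counter", "permissions": ["storage"]}
RISKY = {"manifest_version": 3, "name": "Dev Utilities",
         "permissions": ["scripting", "cookies"], "host_permissions": ["<all_urls>"],
         "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    # Assumed default profile location for Google Chrome on Linux.
    path = os.path.expanduser("~/.config/google-chrome/Default/Extensions")
    for ext_id, found in scan_profile(path).items():
        print(ext_id, "->", "; ".join(found))
```

A flag is a reason to look closer, not proof of malice: legitimate developer tools also request broad host access, so compare each flagged extension against its stated purpose and publisher.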

Individuals who believe they may have installed a malicious extension should change their passwords for online accounts, especially for services like Google and Telegram. Enabling two-factor authentication is also strongly recommended to add an extra layer of security.

Ongoing Investigations and Future Implications

The discovery is expected to prompt a wider review of extensions on the Chrome Web Store. Security analysts anticipate that Google will enhance its automated and manual review processes to detect similar coordinated malicious activity in the future.

Researchers continue to monitor the command-and-control servers linked to this campaign for any remaining activity. The incident serves as a reminder of the persistent threat posed by supply-chain attacks, where malicious code is distributed through trusted platforms.

Source: Socket Security Research