VYPR · breach
Published Apr 14, 2026 · Updated May 18, 2026 · 1 source

108 Malicious Chrome Extensions Found Stealing Sessions and Google Accounts in Coordinated Campaign

Security researchers at Socket have uncovered a campaign of 108 malicious Chrome extensions that steal session cookies, harvest Google account data via OAuth2, and inject ads, affecting roughly 20,000 users.

Security researchers at Socket have uncovered a large-scale campaign involving 108 malicious Chrome extensions that collectively compromise roughly 20,000 users. The extensions, published under five separate developer identities, all share a single command-and-control (C2) infrastructure, allowing operators to aggregate stolen data in one place. The campaign spans categories such as gaming, social media tools, and translation utilities, making the extensions appear legitimate while they secretly collect sensitive information.

The researchers identified several distinct attack techniques deployed simultaneously. One of the most serious is a Telegram-focused extension that captures active web sessions every 15 seconds, enabling full account access without passwords or multi-factor authentication (MFA). Other extensions harvest Google account details using OAuth2 permissions, inject ads by bypassing browser security protections, or open arbitrary web pages through hidden backdoors. Many of the extensions operate continuously in the background, even if users never actively interact with them.

Key behaviors identified include 54 extensions collecting Google profile data, 45 extensions containing a persistent backdoor triggered at browser start-up, and multiple tools injecting scripts or ads into popular platforms like YouTube and TikTok. One extension acts as a translation proxy through attacker-controlled servers. According to Socket, the extensions often deliver on their advertised functionality—such as games or messaging tools—while masking malicious activity running in the background, a dual behavior that complicates detection for users.

The infrastructure supports a Malware-as-a-Service (MaaS) model, where stolen data and active sessions can be accessed by third parties. Researchers linked the entire operation to a single operator through shared cloud resources, reused code, and overlapping account identifiers. All 108 extensions were still available at the time of discovery. The appropriate security teams have been notified, and takedown requests have been submitted to Google. Infosecurity contacted Google for comment but has not yet received a response.

This campaign underscores the growing sophistication of browser-based threats, where attackers combine session hijacking, credential theft, and ad injection under a unified operational model. The use of MaaS further lowers the barrier for other threat actors to leverage stolen data. Users are advised to review their installed extensions, remove any unfamiliar ones, and enable two-factor authentication where possible. Organizations should consider deploying browser extension monitoring tools to detect suspicious behavior.
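The review step above can be partly automated: the behaviors the report describes (session-cookie theft, OAuth2 profile harvesting, a start-up background hook, script and ad injection, opening arbitrary pages) each require a recognisable set of manifest permissions. The following added example, which is not code from Socket or the Vypr page, audits the `manifest.json` of every extension in a Chrome profile and flags those permission combinations; the capability-to-behavior mapping and the sample manifest are assumptions constructed for illustration, and a hit is a prompt for closer inspection, not proof of malice.

```python
"""Flag Chrome extension manifests whose permissions match the behaviors in the report.
Heuristic only: legitimate extensions can need these permissions too."""
import json
from pathlib import Path

# Host patterns that grant access to every site (assumed list of common spellings).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(m: dict) -> list[str]:
    """Map declared capabilities to the reported behaviors; returns one line per finding."""
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in m.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = bool(hosts & BROAD_HOSTS)
    findings = []
    if "cookies" in perms and broad:
        findings.append("cookies + broad hosts: can read session cookies for any site")
    if "identity" in perms or "oauth2" in m:
        scopes = m.get("oauth2", {}).get("scopes", [])
        findings.append(f"identity/oauth2: can request Google account data (scopes={scopes})")
    bg = m.get("background", {})
    if bg.get("service_worker") or bg.get("scripts"):
        findings.append("background worker: runs without user interaction, can hook browser start-up")
    if ("scripting" in perms or m.get("content_scripts")) and broad:
        findings.append("scripting/content_scripts on broad hosts: can inject scripts or ads")
    if "tabs" in perms and broad:
        findings.append("tabs + broad hosts: can open arbitrary pages")
    return findings

def audit_profile(ext_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings per extension."""
    report = {}
    for manifest in ext_dir.glob("*/*/manifest.json"):
        try:
            m = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip rather than crash the sweep
        if findings := audit_manifest(m):
            report[f"{manifest.parts[-3]}@{manifest.parts[-2]}"] = findings
    return report

# Constructed sample manifest shaped like the reported extensions (not a real extension).
SAMPLE = {
    "manifest_version": 3, "name": "Fun Translator",
    "permissions": ["cookies", "identity", "scripting", "tabs", "alarms"],
    "host_permissions": ["<all_urls>"],
    "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com", "scopes": ["profile", "email"]},
    "background": {"service_worker": "bg.js"},
}
```

Point `audit_profile` at a real profile (for example `~/.config/google-chrome/Default/Extensions` on Linux) to list installed extensions that carry this permission profile.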

The discovery adds to a troubling trend of malicious extensions evading Chrome Web Store review processes. Previous campaigns have similarly abused legitimate-looking extensions to steal data, but the scale and coordination of this operation—108 extensions under five identities—marks a significant escalation. As browser-based attacks become more prevalent, both Google and users must remain vigilant against these hidden threats.

Synthesized by Vypr AI