Updated · The Hacker News · Apr 14
Malicious Chrome Extensions Steal Google and Telegram Data from Thousands

20 articles · Updated · The Hacker News · Apr 14
  • Over 100 malicious Chrome extensions have been discovered stealing Google and Telegram data from around 20,000 users.
  • These extensions, posing as games and utilities, routed stolen credentials and browsing data to servers controlled by the same operator.
  • Experts warn affected users to remove the extensions immediately, log out of Telegram Web sessions, and review Google account access for suspicious activity.

Discovery of 108 Malicious Chrome Extensions Stealing OAuth Tokens and Hijacking Telegram Sessions in April 2026

Overview

In April 2026, Socket researchers uncovered a large-scale campaign involving 108 malicious Chrome extensions controlled by a Russian-speaking threat actor using a Malware-as-a-Service model active since mid-2025. These extensions, distributed under five publisher identities, exploited OAuth2 tokens to steal Google account data and maintain persistent access even after password resets. They also hijacked Telegram Web sessions, redirected users to malicious URLs, and injected gambling ads by stripping security headers. Following the discovery and public report, Google began removing the extensions and launched an investigation. This campaign exposed significant vulnerabilities in the Chrome Web Store, prompting Google to accelerate security improvements like Manifest V3 and enhanced Safe Browsing.

...