Over 100 Malicious Chrome Extensions Steal Google Tokens, Hijack Telegram Sessions, a
Quote: Security researchers at Socket have identified over 100 malicious extensions in the Chrome Web Store that are part of a coordinated campaign. These extensions steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. At the time Socket published its report, all affected extensions were still available in the store. Google has not yet responded to requests for comment.

The extensions were published under five different publisher profiles across various categories, including Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and browser utilities. Socket found evidence in the code indicating the campaign is tied to a Russian malware-as-a-service operation.

What the Malicious Chrome Extensions Do

The campaign operates with a central backend hosted on a Contabo VPS, supported by multiple subdomains that handle session hijacking, identity collection, command execution, and monetization. The largest cluster involves 78 extensions that inject attacker-controlled HTML into the browser interface using the innerHTML property.
