What happened
A cluster of 108 malicious Google Chrome extensions was found using the same command-and-control infrastructure to steal user data and abuse browsers by injecting ads and arbitrary JavaScript into visited web pages. The extensions were published under five identities — Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt — and together reached about 20,000 installs in the Chrome Web Store. Researchers said all 108 extensions routed stolen credentials, user identities, and browsing data to the same backend. Among the observed behaviors, 54 extensions stole Google account identity data through OAuth2, 45 included a universal backdoor that opened arbitrary URLs when the browser started, and others exfiltrated Telegram Web sessions every 15 seconds, stripped security headers from YouTube and TikTok, injected scripts into visited pages, and proxied translation requests through attacker-controlled servers.
Who is affected
The direct exposure affects users who installed any of the 108 malicious Chrome extensions. The campaign targeted Google account identity data, Telegram Web session information, browsing activity, and other browser-side information, with the affected extensions presented as Telegram clients, slot and Keno games, YouTube and TikTok tools, translation utilities, and page helpers.
Why CISOs should care
This incident matters because it shows how browser extensions can become a direct path to identity theft, session hijacking, arbitrary script injection, and persistent browser-level abuse. It also highlights how seemingly unrelated extensions can share the same operator, infrastructure, and backend even when they appear to serve very different user functions.
3 practical actions
- Audit installed extensions: Review managed browsers for any of the 108 identified extensions and remove them immediately from affected systems.
- Revoke exposed sessions: Log out of all Telegram Web sessions from the Telegram mobile app and treat affected Google identities as potentially exposed where the installed extensions included OAuth2 data theft.
- Tighten browser extension governance: Restrict extension installation to approved allowlists where possible, since the campaign used a wide mix of seemingly legitimate tools to cast a broad net.
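One way to carry out the audit step above on an endpoint: a small script that walks a Chrome profile's `Extensions` directory, flags any extension ID on a blocklist, and flags manifests requesting the permissions that enable the behaviours described above (OAuth2 identity access, header rewriting, script injection, access to every site). This is an added example, not code from the researchers or from the report; the blocklist ID is a placeholder, since the page does not list the 108 IDs, and the three-extension profile is constructed so the script runs offline.

```python
import json
import os
import tempfile
# Placeholder IDs (constructed); replace with the researchers' published list of 108 IDs.
KNOWN_BAD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
# Permissions behind the behaviours described above; one alone is only a prompt to look.
RISKY_PERMISSIONS = {
    "identity": "can obtain Google OAuth2 identity tokens",
    "webRequest": "can observe and alter HTTP traffic and headers",
    "declarativeNetRequest": "can strip or rewrite response headers",
    "scripting": "can inject scripts into visited pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extension(ext_id, manifest):
    """Return the reasons an extension deserves review (empty list = nothing flagged)."""
    reasons = ["ID is on the blocklist"] if ext_id in KNOWN_BAD_IDS else []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 lists hosts in permissions
    reasons += [f"{p}: {RISKY_PERMISSIONS[p]}" for p in sorted(perms & RISKY_PERMISSIONS.keys())]
    if hosts & BROAD_HOSTS:
        reasons.append("requests access to every site")
    return reasons

def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return {id: reasons}."""
    findings, ext_root = {}, os.path.join(profile_dir, "Extensions")
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        for version in (os.listdir(id_dir) if os.path.isdir(id_dir) else []):
            path = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as f:
                    reasons = audit_extension(ext_id, json.load(f))
                if reasons:
                    findings[ext_id] = reasons
    return findings

def build_sample_profile():
    """Constructed three-extension profile in a temp dir so the audit runs offline."""
    root, samples = tempfile.mkdtemp(), {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Slots", "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Tube Tool", "manifest_version": 3,
            "permissions": ["identity", "scripting"], "host_permissions": ["<all_urls>"]},
        "cccccccccccccccccccccccccccccccc": {"name": "Notes", "permissions": ["storage"]}}
    for ext_id, manifest in samples.items():
        os.makedirs(os.path.join(root, "Extensions", ext_id, "1.0_0"))
        with open(os.path.join(root, "Extensions", ext_id, "1.0_0", "manifest.json"), "w") as f:
            json.dump(manifest, f)
    return root
```

On a real machine, point `audit_profile` at the profile directory (for example `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows); a flagged permission is a triage prompt, while a blocklist hit is grounds for removal.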
