Researchers at Socket uncovered 108 malicious Chrome extensions that steal user data and inject ads across web pages. The add-ons, downloaded about 20,000 times, send credentials, browsing data and identities to attacker-controlled servers. Several also steal Google account details, hijack Telegram sessions and open arbitrary URLs via built-in backdoors.

Cybersecurity researchers have discovered 108 malicious Google Chrome extensions that communicate with the same command-and-control (C2) infrastructure to steal user data and enable browser-level abuse.

The extensions inject ads and arbitrary JavaScript code into every web page visited by users. They were published under five distinct publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt.

Collectively, the extensions amassed about 20,000 installs in the Chrome Web Store. All 108 extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator.

Of the 108 extensions, 54 steal Google account identity data via OAuth2, capturing the email address, full name, profile picture URL, and Google account identifier when users click the sign-in button.
