108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Source: The Hacker News (Technology)

Key Points:

  • Cybersecurity researchers uncovered a campaign involving 108 malicious Google Chrome extensions linked to the same command-and-control infrastructure, designed to steal user data and inject ads and arbitrary JavaScript into visited web pages.
  • These extensions, published under five different identities, have collectively been installed about 20,000 times and perform activities such as stealing Google account credentials, exfiltrating Telegram Web sessions, stripping security headers from sites like YouTube and TikTok, and proxying translation requests through attacker servers.
  • The extensions disguise themselves as legitimate tools including Telegram sidebar clients, games, and content enhancers, but secretly capture session data, inject malicious scripts, and open attacker-chosen URLs without user consent.
  • Specific examples include the "Telegram Multi-account" and "Web Client for Telegram" extensions, which steal Telegram session tokens, and the "Formula Rush Racing Game" extension, which harvests Google account details when the user signs in.
  • Users are strongly advised to uninstall these extensions immediately and log out of all Telegram Web sessions to mitigate the risk. The extensions share a backend hosted at a suspicious IP address and contain Russian-language code comments, though the threat actor remains unidentified.
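The behaviours listed above (stripping security headers, injecting JavaScript into every visited page, reading session cookies) each require specific capabilities declared in an extension's manifest. The following triage script is an added example, not code from the article or from the campaign it describes: it reads Chrome extension manifests and flags the permission combinations that make those behaviours possible. It assumes the standard Chrome Manifest V2/V3 layout and the default Linux profile path for the optional filesystem scan; the two sample manifests are constructed for illustration and do not describe any real extension.

```python
"""Flag installed Chrome extensions whose manifests grant the capabilities
used by the campaign described above: header rewriting on all sites, script
injection into every page, and cookie (session token) access.

Added example, not from the article. Manifest keys follow Chrome's
documented Manifest V2/V3 format; the profile path is an assumption.
"""
import json
from pathlib import Path

# Permissions that let an extension modify or strip HTTP response headers.
HEADER_CAPABLE = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "webRequest",
    "webRequestBlocking",
}
# Host patterns that mean "every site the user visits".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Notes Popup (constructed sample)",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}
RISKY_MANIFEST = {
    "manifest_version": 3,
    "name": "Sidebar Client (constructed sample)",
    "permissions": ["declarativeNetRequest", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}


def assess_manifest(manifest: dict) -> dict:
    """Return the risky capability findings for one manifest dict."""
    # Localised names appear as "__MSG_xxx__"; good enough for triage output.
    name = manifest.get("name", "<unnamed>")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host patterns inside "permissions"; fold them in.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad_hosts = any(h in BROAD_HOSTS for h in hosts)
    # Content scripts matched against every site run in every page.
    cs_broad = any(
        m in BROAD_HOSTS
        for cs in manifest.get("content_scripts", [])
        for m in cs.get("matches", [])
    )

    findings = []
    if perms & HEADER_CAPABLE and broad_hosts:
        findings.append("header-rewrite: can modify or strip response headers on all sites")
    if cs_broad or ("scripting" in perms and broad_hosts):
        findings.append("script-injection: can run JavaScript in every visited page")
    if "cookies" in perms and broad_hosts:
        findings.append("session-access: can read cookies (session tokens) for all sites")

    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"name": name, "findings": findings, "risk": risk}


def scan_extensions_dir(extensions_dir: Path) -> list:
    """Assess every <id>/<version>/manifest.json below a Chrome Extensions dir."""
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, do not crash
        result = assess_manifest(manifest)
        result["extension_id"] = manifest_path.parent.parent.name
        results.append(result)
    return results


if __name__ == "__main__":
    # Assumed default Linux profile location; adjust for other platforms.
    ext_dir = Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"
    if not ext_dir.is_dir():
        print(f"no extensions directory at {ext_dir}; showing constructed samples")
        hits = [assess_manifest(BENIGN_MANIFEST), assess_manifest(RISKY_MANIFEST)]
    else:
        hits = scan_extensions_dir(ext_dir)
    for r in hits:
        print(f"[{r['risk']:6}] {r['name']} {r.get('extension_id', '')}")
        for f in r["findings"]:
            print("         -", f)
```

The manifest only shows what an extension *could* do, not what it does: opening attacker-chosen URLs needs no special permission, and exfiltration to a command-and-control host is visible only in network activity, so treat a "high" result as a prompt to inspect the extension's code and outbound connections rather than as proof of compromise.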
