Cybersecurity researchers have uncovered a campaign of 108 Google Chrome extensions that all communicate with a single command-and-control setup to steal data and enable browser abuse. The extensions, published under five publisher identities—Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt—have amassed about 20,000 installs in the Chrome Web Store.
The analysis notes that 54 of the add-ons steal Google account identities via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs when the browser starts, and the rest perform various malicious actions such as exfiltrating Telegram Web sessions every 15 seconds, stripping YouTube and TikTok security headers and injecting ads, injecting content scripts into every page, and proxying translation requests through the attacker’s server.
The 108 extensions share a backend hosted at 144.126.135[.]238, and five extensions use Chrome’s declarativeNetRequest API to strip security headers from target sites before page load. At present, it is not known who is behind the campaign, though Russian-language comments have been found in some of the source code. Users who installed any of the extensions are advised to remove them and log out of Telegram Web sessions.

14 April 2026