108 Malicious Chrome Extensions Steal User Data

108 malicious Chrome extensions were caught stealing Google and Telegram credentials from 20,000 users. Here's how they work and how to protect yourself.

April 14, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

108 Malicious Chrome Extensions Caught Stealing Google and Telegram Credentials

Security researchers have confirmed 108 malicious Chrome extensions actively stealing authentication data from Google and Telegram accounts, impacting at least 20,000 users. These extensions bypassed Chrome Web Store review processes and embedded credential-harvesting code inside what appeared to be legitimate productivity and utility tools. For developers and teams running web applications, this is a direct threat to account security, session integrity, and internal tooling access.

The malicious Chrome extensions operated silently, with no visible signs of compromise during normal browsing sessions.

How the Extensions Harvested Credentials

Each extension used a layered approach to data theft. On installation, they requested broad permissions including access to all URLs, storage, and background script execution. Once granted, they injected content scripts into Google login pages and Telegram Web sessions, intercepting form submissions and copying session tokens before they were processed by the legitimate application.

The stolen data was exfiltrated to attacker-controlled endpoints using obfuscated fetch requests, often disguised as analytics pings. Some variants also read from local browser storage to extract saved passwords and OAuth tokens. Because the exfiltration blended into normal HTTPS traffic patterns, network-level monitoring tools rarely flagged it.

Several extensions used delayed activation, staying dormant for days after install before beginning harvesting activity. This made behavioral detection significantly harder.

What Developers Are Actually at Risk Of

If any developer on your team had one of these extensions installed, the blast radius extends well beyond personal accounts. Google accounts tied to GCP, Firebase, Google Workspace, and CI/CD pipelines become exposed. Telegram credentials matter because many engineering teams use Telegram bots for deployment notifications, alerting, and internal automation.

Stolen session tokens can bypass multi-factor authentication entirely. An attacker with a valid session cookie does not need a password or a one-time code. They simply replay the token and land inside your account with full access.

Shared developer machines make this worse. A single compromised extension on a shared workstation can harvest credentials across every team member who logs in.

How to Detect and Remove Malicious Chrome Extensions

Start by auditing every Chrome extension installed across your team's machines. Cross-reference installed extension IDs against the published list of 108 flagged extensions. Google has removed most of them from the Web Store, but extensions already installed are not automatically uninstalled from user browsers.

Practical steps to take right now:

  • Open chrome://extensions and review every installed extension for unfamiliar names or excessive permissions.
  • Revoke and rotate any Google OAuth tokens or API keys associated with accounts accessed on potentially compromised machines.
  • Check active Telegram sessions via Settings, then Devices, and terminate any unrecognized sessions immediately.
  • Enforce a browser extension allowlist using your endpoint management platform. Only pre-approved extensions should be installable on work machines.
  • Add extension installation monitoring to your security logging pipeline if it is not already there.
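The audit step above can be scripted. This is an added example, not code from the article or from VibeWShield: it reads each installed extension's manifest.json from a Chrome profile's Extensions directory, flags the broad permissions and the Google/Telegram login-page content-script targets the article describes, and matches IDs against a caller-supplied flagged list. The two extension IDs and the sample manifests are constructed placeholders, not values from the report.

```python
import glob
import json
import os
import tempfile

# Permissions the article says the malicious extensions requested on install.
BROAD_PERMISSIONS = {"<all_urls>", "storage", "tabs", "cookies", "webRequest"}
# Login origins the harvesting content scripts were injected into.
SENSITIVE_HOSTS = ("accounts.google.com", "web.telegram.org")
# Constructed placeholder IDs (real IDs are 32 letters a-p); not from the report.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
SUSPECT_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"

def audit_extensions(extensions_dir, flagged_ids):
    """Read every <profile>/Extensions/<id>/<version>/manifest.json and return {id: [reasons]}.
    extensions_dir is e.g. ~/.config/google-chrome/Default/Extensions on Linux;
    flagged_ids is the published list of bad extension IDs, supplied by the caller."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json"))):
        ext_id = path.split(os.sep)[-3]
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        reasons = findings.setdefault(ext_id, ["id on flagged list"] if ext_id in flagged_ids else [])
        # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        broad = sorted(perms & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        for script in manifest.get("content_scripts", []):
            for pattern in script.get("matches", []):
                if any(host in pattern for host in SENSITIVE_HOSTS):
                    reasons.append("content script targets " + pattern)
    return {ext_id: r for ext_id, r in findings.items() if r}

def demo():
    """Audit a constructed sample profile: one benign and one suspicious extension."""
    root = tempfile.mkdtemp()
    samples = {
        BENIGN_ID: {"manifest_version": 3, "permissions": ["activeTab"]},
        SUSPECT_ID: {"manifest_version": 3, "permissions": ["storage", "webRequest"],
                     "host_permissions": ["<all_urls>"], "content_scripts": [{"js": ["c.js"],
                     "matches": ["https://accounts.google.com/*", "https://web.telegram.org/*"]}]},
    }
    for ext_id, manifest in samples.items():
        os.makedirs(os.path.join(root, ext_id, "1.0_0"))
        with open(os.path.join(root, ext_id, "1.0_0", "manifest.json"), "w") as fh:
            json.dump(manifest, fh)
    return audit_extensions(root, {SUSPECT_ID})
```

Point audit_extensions at a real profile's Extensions directory together with the published ID list; demo() runs the same logic on the constructed sample and returns only the suspicious extension with its reasons.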

For web application developers, also scan your application's client-side code for references to attacker-controlled endpoints, which would indicate supply chain interference.

Google's review process for Chrome extensions has faced repeated criticism. Browser extension supply chain attacks are not slowing down, and developer environments remain high-value targets. See our guide on browser-based attack vectors for a deeper breakdown of how these threats interact with web application security.


How do I know if I had one of the 108 malicious extensions installed?
Check your Chrome extension history against the published list of flagged extension IDs. Google has pulled them from the Web Store, but check chrome://extensions manually since removal from the store does not uninstall local copies.

Can rotating my password fix the damage after a stolen session token?
No. Session tokens are independent of passwords. You need to explicitly revoke active sessions in Google's security settings and in Telegram's active devices list. Then rotate any API keys or OAuth credentials associated with those accounts.

Should I block all Chrome extensions on developer machines?
Blocking all extensions is not practical, but enforcing an allowlist through MDM or Google Workspace admin controls is. Only extensions vetted and approved by your security team should be permitted on machines with access to production credentials.
