Malicious Chrome extensions found

Researchers and reporters found more than 100 malicious Chrome Web Store extensions that steal credentials, browsing data and tokens. The write-ups say many of those extensions remained live in the store at publication, highlighting browser-resident token theft as a direct path to identity compromise. That pattern stresses the need to correlate extension-install telemetry with unusual SaaS admin or cloud console activity (windowsreport.com).

A browser extension is a small add-on that runs inside Chrome, with permission to read pages, change them, and sometimes act as the user. Socket said on April 13 that it found 108 Chrome Web Store extensions tied to one operator that stole identities, sessions, and browsing data. (socket.dev) Those 108 extensions were published under five developer names (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) and had about 20,000 installs combined, according to Socket. BleepingComputer reported on April 14 that Google had been notified, but the extensions were still live when Socket published. (socket.dev) (bleepingcomputer.com)

The add-ons looked ordinary on the surface: Telegram sidebars, slot and Keno games, YouTube and TikTok helpers, a translation tool, and page utilities. Socket said the code behind them all pointed back to the same command-and-control server at cloudapi[.]stream. (socket.dev)

An access token is a temporary digital pass that lets software act as a logged-in user without asking for the password again. Socket said 54 of the extensions used Chrome’s identity feature to grab Google account details and OAuth2 bearer tokens, which can let attackers call Google services as the victim. (socket.dev) (bleepingcomputer.com)

A session is the browser’s saved proof that a site already authenticated you, like a coat-check ticket after you hand over your credentials. Socket said one extension, Telegram Multi-account, copied Telegram Web session data from local storage every 15 seconds and sent it to the attacker’s server. (socket.dev) Socket said that same Telegram extension could also write attacker-supplied session data back into the victim’s browser and reload the page. SecurityWeek said that let the operator switch the browser into a different Telegram account without the user’s knowledge. (socket.dev) (securityweek.com)

The campaign was not limited to account theft. Socket said 45 extensions carried a backdoor that opened arbitrary web addresses when Chrome started, while other add-ons stripped security headers on YouTube and TikTok pages, injected ads, or routed translation requests through an attacker-controlled server. (socket.dev)

Chrome’s own rules ban malware, spyware, phishing, and other software that harms users or third parties. Google’s developer documentation also says extensions are reviewed against Chrome Web Store program policies, including privacy disclosures and restrictions on remotely hosted code. (developer.chrome.com 1) (developer.chrome.com 2) (developer.chrome.com 3) Google has also been pushing users to check extensions more closely. In a June 2024 security blog post, Google said Chrome Safety Check flags extensions suspected of malware, extensions removed from the store, and extensions that do not disclose what data they collect. (security.googleblog.com)

This case turned the browser itself into the collection point: the malicious code sat where logins, tokens, page content, and cloud admin sessions already live. The immediate question now is how quickly Google removes the listed add-ons and whether affected users rotate sessions and review account activity before those tokens expire. (socket.dev) (bleepingcomputer.com)
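As an added defender-side example (not code from Socket, Google, or the original article), the Python below audits an unpacked Chrome extension for the permission pattern the campaign relied on: `identity` for OAuth tokens, `webRequest`/`declarativeNetRequest` for header stripping, `tabs` for opening URLs at startup, and broad host access, and it flags any reference to the C2 domain named above. The sample manifest and the risk tiering are constructed assumptions; the only page-derived indicator is `cloudapi.stream`.

```python
import json
from pathlib import Path

# Permissions that map onto the behaviours described above; a triage signal, not proof of malice.
RISKY_PERMISSIONS = {
    "identity": "can fetch Google account details and OAuth2 tokens via chrome.identity",
    "webRequest": "can observe or alter HTTP traffic (header stripping, request rerouting)",
    "declarativeNetRequest": "can drop or rewrite response headers by rule",
    "cookies": "can read session cookies for any granted host",
    "tabs": "can open arbitrary URLs (for example on startup) and read tab URLs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Indicator taken from the campaign write-up; a real deployment pulls this list from threat intel.
KNOWN_C2_DOMAINS = {"cloudapi.stream"}

def audit_manifest(manifest, sources=""):
    """Return findings for one manifest dict plus optional concatenated JS source text."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    # MV2 put host patterns in "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    for dom in KNOWN_C2_DOMAINS:
        if dom in sources or any(dom in h for h in hosts):
            findings.append(f"references known C2 domain {dom}")
    return findings

def risk_level(findings):
    """Constructed tiering: any C2 hit or three or more signals is high, else medium or low."""
    if any("C2 domain" in f for f in findings) or len(findings) >= 3:
        return "high"
    return "medium" if findings else "low"

def audit_extension_dir(ext_dir):
    """Audit an unpacked extension directory (manifest.json plus every *.js file under it)."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    sources = "".join(p.read_text(encoding="utf-8", errors="ignore") for p in root.rglob("*.js"))
    return audit_manifest(manifest, sources)

# Constructed sample modelled on the Telegram helper described above; not a real manifest.
SAMPLE_MANIFEST = {
    "name": "Telegram Multi-account (constructed sample)",
    "permissions": ["identity", "storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
}
```

Point `audit_extension_dir` at a profile's `Extensions/<id>/<version>/` directory to triage installed add-ons, then correlate any high-risk hits with install telemetry and unusual SaaS or cloud console activity.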
