Overview
- Socket researchers disclosed Tuesday a coordinated set of 108 Chrome extensions linked to a single command-and-control server with roughly 20,000 installs.
- Fifty-four extensions harvest Google identity data via OAuth2, capturing email, name, profile photo, and a stable account ID that can track a person across future logins.
- One Telegram-focused add-on steals web session tokens every 15 seconds and can overwrite local storage to swap a victim’s active session for the attacker’s.
- Forty-five extensions include a startup backdoor that opens attacker-chosen URLs, while others strip YouTube and TikTok security headers to inject ads and scripts.
- The extensions were posted under five developer names but share a Contabo-hosted backend and Russian-language code clues; many remained live after takedown requests, and users are urged to remove any listed add-ons and log out of Telegram Web.
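As an added defensive example (not Socket's tooling or any of the extensions' own code), the Python below triages the manifests in a Chrome profile's Extensions directory for the capability mix the report describes: identity/OAuth2 access, host access to Telegram Web, YouTube or TikTok combined with header-modifying permissions, and content scripts on those hosts. The watched-host list, the flag wording and the sample manifest are constructed assumptions; a flag means "inspect this extension", not proof of malice.

```python
import json
from pathlib import Path

# Hosts the report names as targets (Telegram Web, YouTube, TikTok); assumption, extend as needed.
WATCHED_HOSTS = ("telegram.org", "youtube.com", "tiktok.com")
# Permissions that let an extension rewrite response headers (e.g. drop CSP/CORS headers).
HEADER_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                "webRequest", "webRequestBlocking"}

def host_matches(patterns):
    """Return the match patterns that cover a watched host or every URL."""
    return [p for p in patterns
            if p in ("<all_urls>", "*://*/*") or any(h in p for h in WATCHED_HOSTS)]

def triage_manifest(manifest: dict) -> list[str]:
    """Return human-readable flags; an empty list means nothing suspicious is declared."""
    flags = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if "://" in p]
    # OAuth2 identity harvesting needs the identity permission or an oauth2 block.
    if "identity" in perms or "oauth2" in manifest:
        scopes = manifest.get("oauth2", {}).get("scopes", [])
        flags.append("identity/OAuth2 access (scopes: %s)" % (", ".join(scopes) or "none declared"))
    hits = host_matches(hosts)
    if hits:
        flags.append("host access covering a watched site: " + ", ".join(hits))
        if perms & HEADER_PERMS:  # header rewriting on those hosts enables ad/script injection
            flags.append("can rewrite response headers: " + ", ".join(sorted(perms & HEADER_PERMS)))
    # A content script on a watched host can read localStorage and session tokens.
    if any(host_matches(cs.get("matches", [])) for cs in manifest.get("content_scripts", [])):
        flags.append("content script runs on a watched host")
    return flags

def triage_profile(ext_dir: Path) -> dict[str, list[str]]:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; map flagged ids to flags."""
    report = {}
    for mf in ext_dir.glob("*/*/manifest.json"):
        try:
            flags = triage_manifest(json.loads(mf.read_text(encoding="utf-8")))
        except (OSError, json.JSONDecodeError):
            continue
        if flags:
            report[mf.parent.parent.name] = flags
    return report

# Constructed manifest modelling the reported behaviours; client_id is a placeholder.
SAMPLE_MANIFEST = {"manifest_version": 3, "permissions": ["identity", "declarativeNetRequestWithHostAccess"],
    "host_permissions": ["https://web.telegram.org/*", "https://www.youtube.com/*"],
    "oauth2": {"client_id": "PLACEHOLDER.apps.googleusercontent.com", "scopes": ["openid", "email", "profile"]},
    "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["inject.js"]}]}
```

Run `triage_profile(Path.home() / ".config/google-chrome/Default/Extensions")` (path varies by OS) to get a dict of extension ids worth a closer look; a legitimate extension can also trip these checks, so compare against the published list before removing anything.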