Think about the last extension you installed. Did you read what permissions it asked for? Probably not. Most people don’t. And that’s exactly the gap a group of attackers exploited to quietly drain data from tens of thousands of Chrome users without anyone noticing for weeks.
Researchers at Socket published findings this week that honestly deserve more attention than they’re getting.
108 Extensions, One Hidden Agenda
The number alone is striking. Not one or two rogue add-ons. Not a small cluster. 108 Chrome extensions, all tied to the same backend server, all siphoning user data while pretending to be something completely harmless.
Some showed up as Telegram sidebar tools. Others looked like YouTube enhancers, TikTok utilities, translation add-ons, or basic casino games. The variety wasn’t accidental. Spreading across different categories meant a wider net and less obvious clustering for anyone trying to spot a pattern.
Before they were identified and pulled, these extensions had racked up roughly 20,000 installs through the Chrome Web Store.
What Was Actually Happening Behind the Scenes
This is where things get genuinely troubling.
Fifty-four of the extensions were set up to grab Google account data through OAuth2. Every time a user clicked a sign-in button, the extension captured their email, full name, profile photo, and Google account ID. Quietly. No error, no popup, no indication anything was wrong.
Forty-five others carried a backdoor that could force-open any URL the moment a browser started. No clicks needed. The attacker decides where your browser goes.
Some of the Telegram-focused extensions were exfiltrating session data on a 15-second loop. Every quarter minute, your session information was being sent to a remote server. A couple of them could go further than that and actually overwrite your active Telegram session with one the attacker controls.
That last part is worth sitting with. They weren’t just watching. They could step inside your account entirely.
A few others stripped YouTube and TikTok of their own security headers and pushed gambling overlays and ads into those pages. Others quietly proxied every translation request through attacker-owned servers, meaning anything a user translated was being read by someone else first.
Five Publisher Names, Zero Real Accountability
To avoid triggering any automated detection, the extensions were spread across five different publisher accounts: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt.
Separate names, separate categories, separate storefronts. But researchers traced all 108 back to a single command-and-control server. One IP. One operation.
Source code analysis across several of the extensions turned up comments written in Russian, though the individuals running this haven’t been publicly identified yet.
The Telegram Problem Is Bigger Than It Looks
When people think about account security, they usually think about passwords. Change your password, enable two-factor authentication, done. Session hijacking bypasses all of that completely.
When an attacker steals a valid Telegram Web session token, they don’t need your password. They don’t trigger any login alert. They’re already inside an authenticated session. Two-factor doesn’t fire because nobody’s technically logging in fresh.
For anyone using Telegram to coordinate business, share sensitive files, or have private conversations, this is a real exposure. The theft was happening in the background, continuously, and silently.
Why Businesses Should Care Specifically
Chrome is everywhere in US workplaces. Most IT teams aren’t auditing which browser extensions individual employees have installed, and most employees don’t think twice before adding a productivity tool or a browser game on their work laptop.
An extension running on a work machine has access to whatever that browser touches. Internal dashboards, email, cloud storage, work accounts. The permissions Chrome’s extension model grants are quite broad, and the trust users place in the Web Store makes most people comfortable clicking install without much scrutiny.
For small businesses and startups without dedicated security staff, this kind of attack is essentially invisible until it’s too late.
This Is a Repeating Problem With No Clean Fix
It would be easier to write this off as a one-time event, but it isn’t. Malicious Chrome extension campaigns show up regularly. Fake ChatGPT extensions in 2023. Crypto wallet-targeting add-ons in 2020. A supply chain attack at the end of 2024 that pushed poisoned updates through a legitimate extension account and touched an estimated 2.6 million users.
The same playbook keeps working because the Chrome Web Store processes enormous volume and catching coordinated campaigns that deliberately fragment across multiple publisher accounts is genuinely difficult before installs accumulate.
Steps to Take Right Now
Open Chrome, click the puzzle piece icon, and look through what’s installed. Specifically check for anything linked to Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt. Remove whatever you find.
If you had a Telegram-related extension installed at any point recently, log out of all Telegram Web sessions immediately. Do it from the Telegram mobile app: Settings, then Devices, then end all active sessions. This kills any stolen session tokens before they can be used further.
On the Google side, go to your account’s Security section and check third-party app access. Anything that looks unfamiliar should be revoked.
Longer term, apply the same instinct to browser extensions that you’d apply to a random app asking for permission to read everything on your phone. A Keno game has no business accessing your data on every website you visit. That mismatch is always worth questioning before clicking install.
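The permission-mismatch check described above can be done from the disk rather than by eye. The following is an added example, not code from the article or from Socket: it walks a Chrome profile's Extensions folder (layout `Extensions/<id>/<version>/manifest.json`), reads each manifest, and flags extensions that ask for every site, declare an OAuth2 client, or request session-level permissions such as cookies. The two sample manifests are constructed for the demo and are not from the campaign.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension read sessions, rewrite traffic or strip headers.
SENSITIVE_PERMS = {"cookies", "webRequest", "webRequestBlocking",
                   "declarativeNetRequest", "identity", "tabs", "history"}

def audit_manifest(manifest):
    """Return findings for one extension manifest (works for MV2 and MV3)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 mixes host patterns into "permissions"; separate them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("broad host access (every site you visit)")
    if "oauth2" in manifest:
        findings.append("declares an oauth2 client (can request Google account tokens)")
    sensitive = sorted(perms & SENSITIVE_PERMS)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))
    return {"name": manifest.get("name", "?"),  # may be a __MSG_x__ locale key
            "version": manifest.get("version", "?"), "findings": findings}

def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each."""
    results = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        entry = audit_manifest(manifest)
        entry["id"] = path.parent.parent.name
        results.append(entry)
    return results

# Constructed sample manifests: a casino game asking for far more than a game
# needs, and a minimal note-taking add-on. Ids and client_id are placeholders.
SAMPLES = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Keno Game", "version": "1.2", "manifest_version": 3,
        "permissions": ["cookies", "storage", "tabs"], "host_permissions": ["<all_urls>"],
        "oauth2": {"client_id": "placeholder", "scopes": ["profile", "email"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Quick Notes", "version": "0.3",
        "manifest_version": 2, "permissions": ["storage"]},
}

def run_demo():
    """Write the samples into a temporary profile layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLES.items():
            d = Path(tmp, ext_id, manifest["version"]); d.mkdir(parents=True)
            d.joinpath("manifest.json").write_text(json.dumps(manifest))
        return audit_profile(tmp)

if __name__ == "__main__":
    for r in run_demo():
        print(r["id"], r["name"], r["version"], r["findings"] or "no findings")
```

Against a real machine, point `audit_profile` at the profile's Extensions folder (on Linux, by default, `~/.config/google-chrome/Default/Extensions`; other platforms differ) and review anything with findings in the puzzle-piece menu. A hit is a reason to look closer, not proof of malice: a password manager legitimately needs broad host access, a Keno game does not.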
Final Thought
Twenty thousand users is already a significant number. The realistic figure could be higher depending on how long certain extensions were active before the campaign was flagged.
These attacks work because they don’t announce themselves. The extension does its job. The reviews look fine. And somewhere in the background, data leaves your machine on a schedule the attacker set.
The Chrome Web Store is a marketplace, not a guarantee. Every add-on you install is code with real access to your browsing life. Treating that with a bit more skepticism costs nothing. Finding out the hard way costs considerably more.
About Author
Pankaj Sakariya - Delivery Manager
Pankaj is a results-driven professional with a track record of successfully managing high-impact projects. His ability to balance client expectations with operational excellence makes him an invaluable asset. Pankaj is committed to ensuring smooth delivery and exceeding client expectations, with a strong focus on quality and team collaboration.