Over 100 Malicious Chrome Extensions Steal Google Tokens, Hijack Telegram Sessions, and Inject Ads

Security researchers at Socket have identified over 100 malicious Chrome extensions actively stealing user data, hijacking session tokens, and performing ad fraud through a coordinated malware-as-a-service campaign.

Key Points

  • Researchers discovered 100+ malicious extensions in the Chrome Web Store linked to a Russian malware-as-a-service operation.
  • The extensions steal Google OAuth2 Bearer tokens, Telegram session data, and personal account information.
  • Attackers use a central backend hosted on Contabo VPS to execute commands and inject unauthorized HTML into browser interfaces.
  • Affected software includes various categories such as Telegram clients, browser utilities, translation tools, and online games.
  • Users are advised to check their installed extensions against the Socket report and immediately remove any identified malicious software.
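To make the last point actionable for defenders, here is an added example (not part of the Ghacks or Socket material) that inventories the extensions in a Chrome profile directory and flags any whose ID is on a blocklist or that combine token- and session-reaching permissions with broad host access. The blocklist IDs and manifests it constructs are placeholders; real indicators would come from the Socket report.

```python
"""Inventory Chrome extensions from a profile directory and flag those on a blocklist
of extension IDs or that pair token/session-reaching permissions with broad host access."""
import json
import tempfile
from pathlib import Path

# Real Chrome permission names that reach auth tokens, cookies or page content.
SENSITIVE_PERMS = {"identity", "cookies", "webRequest", "scripting", "tabs"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def load_manifests(profile_dir):
    """Yield (id, version, manifest) for each Extensions/<id>/<version>/manifest.json."""
    for mf in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        with open(mf, encoding="utf-8") as fh:
            yield mf.parent.parent.name, mf.parent.name, json.load(fh)

def assess(profile_dir, blocklist):
    """Return one finding per installed extension; 'reasons' is empty when nothing was flagged."""
    findings = []
    for ext_id, version, mf in load_manifests(profile_dir):
        perms = set(mf.get("permissions", []))
        # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
        hosts = set(mf.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
        hosts |= {m for cs in mf.get("content_scripts", []) for m in cs.get("matches", [])}
        reasons = []
        if ext_id in blocklist:
            reasons.append("ID is on the blocklist")
        risky = sorted(perms & SENSITIVE_PERMS)
        if risky and hosts & BROAD_HOSTS:
            reasons.append(f"{risky} combined with broad host access")
        findings.append({"id": ext_id, "version": version, "name": mf.get("name", "?"), "reasons": reasons})
    return findings

def build_sample_profile():
    """Create a constructed profile tree (three made-up manifests) and return its path."""
    root = Path(tempfile.mkdtemp())
    samples = {  # IDs are placeholders, not real extension IDs from the Socket report
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Constructed Telegram client", "manifest_version": 3,
                                             "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Constructed translator", "manifest_version": 2,
                                             "permissions": ["identity", "https://*/*"]},
        "cccccccccccccccccccccccccccccccc": {"name": "Constructed theme", "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        d = root / "Extensions" / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)
```

Run `assess(build_sample_profile(), {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"})` to see the constructed tree triaged, or point `assess` at a real profile directory such as `~/.config/google-chrome/Default` with the IDs from the Socket report as the blocklist.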

Why it Matters

This campaign highlights significant weaknesses in the Chrome Web Store's vetting process, potentially exposing millions of users to account takeovers and identity theft. The ability of extensions to silently hijack OAuth2 tokens poses a severe risk to both personal privacy and enterprise security environments.
Ghacks Technology News Published by Arthur Kay