Attention! These Chrome extensions may steal your Telegram, Google data
15 Apr 2026
Cybersecurity experts have uncovered a massive attack involving 108 malicious Google Chrome extensions.
The nefarious tools are said to be stealing user data, hijacking Telegram sessions, and injecting malicious code into web pages.
The coordinated campaign was first reported by Hacker News, and the extensions have been installed around 20,000 times from the official Chrome Web Store.
Attackers used 5 different publisher names
Deceptive tactics
The malicious extensions work under five different publisher names but share a single command-and-control (C2) infrastructure, cybersecurity firm Socket reported.
They disguise themselves as legitimate tools such as Telegram sidebar clients, text translators, and slot machine games.
However, they run malicious scripts in the background and route the stolen credentials, user identities, and browsing data to servers controlled by the same operator.
What did the hackers do?
Data theft
Among the malicious extensions, 54 targeted Google account identities and stole information such as email addresses and profile pictures via OAuth2 as soon as a user tried to log in.
Meanwhile, 45 extensions came with a universal backdoor that made the browser open random URLs controlled by the attacker's server on startup.
The most dangerous extension of this campaign is 'Telegram Multi-account,' which targeted Telegram users.
Attackers could take over Telegram accounts without password
Security breach
The 'Telegram Multi-account' extension stealthily stole active Telegram Web authentication tokens and sent the data to a remote server every 15 seconds.
This allowed attackers to take complete control of an account without needing a password or two-factor authentication code.
Five extensions even used Chrome's declarativeNetRequest API to remove the security headers from target sites before the page loads, Socket said in its blog post.
How to check if your account is compromised
User protection
If you think you have been affected by this attack, security experts recommend the following immediate steps.
First, check your browser and remove any of the 108 malicious extensions.
If you used the compromised Telegram extensions, log out of all active Telegram Web sessions via the 'Devices' menu in the Telegram mobile app.
Lastly, if you signed into any of these extensions using Google, treat your Google identity as exposed, and revoke any unfamiliar third-party access in your account settings.
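A defender-side check for the header-stripping behaviour described above, as an added example (not code from Socket or from this article): it scans a Chrome profile's Extensions directory for static declarativeNetRequest rules that remove security response headers. The header list, the function names and the sample rule are assumptions made for this example.

```python
import json
import sys
from pathlib import Path

# Response headers whose removal weakens a page's protections (set chosen for this example).
SECURITY_HEADERS = {"content-security-policy", "x-frame-options", "strict-transport-security",
                    "x-content-type-options", "cross-origin-opener-policy"}

# Constructed sample of a static declarativeNetRequest rule file (not taken from the campaign).
SAMPLE_RULES = [{"id": 1, "condition": {"resourceTypes": ["main_frame"]}, "action": {
    "type": "modifyHeaders", "responseHeaders": [
        {"header": "Content-Security-Policy", "operation": "remove"}]}}]

def stripped_headers(rules):
    """Return the sorted security headers that a list of DNR rules removes from responses."""
    found = set()
    for rule in rules if isinstance(rules, list) else []:
        action = rule.get("action", {}) if isinstance(rule, dict) else {}
        mods = action.get("responseHeaders", []) if action.get("type") == "modifyHeaders" else []
        for mod in mods:
            name = str(mod.get("header", "")).lower()  # header names are case-insensitive
            if mod.get("operation") == "remove" and name in SECURITY_HEADERS:
                found.add(name)
    return sorted(found)

def audit_extension(version_dir):
    """Read one extension's manifest and static rule files; return (name, headers) or None."""
    version_dir, hits = Path(version_dir), set()
    try:
        manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        try:
            rule_file = version_dir / str(res["path"]).lstrip("/")
            hits.update(stripped_headers(json.loads(rule_file.read_text(encoding="utf-8-sig"))))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            continue  # unreadable or malformed rule file: skip it
    return (manifest.get("name", "?"), sorted(hits)) if hits else None

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/ and map extension id to its finding."""
    found = {m.parent.parent.name: audit_extension(m.parent)
             for m in Path(extensions_dir).glob("*/*/manifest.json")}
    return {ext_id: hit for ext_id, hit in found.items() if hit}

if __name__ == "__main__":
    print("constructed sample removes:", stripped_headers(SAMPLE_RULES))
    for ext_id, (name, headers) in (audit_profile(sys.argv[1]) if sys.argv[1:] else {}).items():
        print(f"{ext_id}  {name}: removes {', '.join(headers)}")
```

Pass the path of a profile's `Extensions` folder as the only argument. The check covers static rule files only; rules an extension registers at runtime through `updateDynamicRules` do not appear in them.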