Cybersecurity researchers have uncovered a troubling campaign involving 108 Google Chrome extensions designed to collect user data and abuse browser functionalities. These extensions, which communicate with a shared command-and-control infrastructure, have been found to inject ads and arbitrary JavaScript into web pages. Published under five different identities, including Yana Project and GameGen, the extensions have achieved around 20,000 installs collectively on the Chrome Web Store. Security researcher Kush Pandya highlights that all 108 extensions funnel stolen credentials, user identities, and browsing data to servers controlled by a single operator.

The malicious activities are categorized into several types. Fifty-four extensions are known to steal Google account identities through OAuth2, 45 contain a universal backdoor that triggers the opening of arbitrary URLs, and the rest perform various malicious actions. To appear legitimate, these extensions pose as tools like Telegram sidebar clients, online games, and YouTube enhancers. Despite their varied advertised functionalities, they share a common backend hosted at a specific IP address.

While the individuals behind these policy-violating extensions remain unidentified, the source code analysis reveals Russian language comments, suggesting Russian involvement. Users who have any of these extensions installed are strongly advised to remove them immediately and to log out of all Telegram Web sessions using the Telegram mobile app to protect their data.