
108 Chrome Extensions Read Your Telegram Every 15 Seconds — and That's Just One of Three Schemes

# Researchers Uncover Coordinated Campaign Targeting Users Through Browser Extensions

Security researchers at Socket have discovered a coordinated campaign involving 108 browser extensions across five different developer accounts that were secretly funneling data to a single server. The malicious extensions were stealing Google OAuth tokens, hijacking Telegram sessions, and injecting malicious content into websites. Analysis of the code suggests the operation is linked to Russian-speaking malware-as-a-service (MaaS) infrastructure.


By Tetiana Suchkova-Ladik

April 15, 2026

Illustrative photo: Depositphotos

When Socket published a technical breakdown of 108 malicious Chrome extensions, what surprised most observers was not that they existed but how meticulously the infrastructure behind them had been built. These were not isolated "bad" apps — this was a coordinated campaign with a single command server, monetization through resale and, judging by the code, Russian-speaking authors.

Three different attacks in one package

Socket researcher Kush Pandya found that 54 extensions steal Google OAuth2 tokens at the moment of account login and send the user profile to the attacker's server. Another 45 extensions contain a universal backdoor: once the browser launches, they can open any URL without the user's knowledge.

The most serious case is the Telegram Multi-account extension. According to Cybernews, citing the Socket report, it read the active Telegram Web session every 15 seconds and sent it to a server controlled by the attacker. That is enough for full access to messages and contacts — without a password and without needing to bypass two-factor authentication.

"All 108 route stolen credentials, user identifiers, and browsing data to servers controlled by a single operator."

— Kush Pandya, Socket researcher

Five "different" developers — one hand

The extensions were published under five separate publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Masquerading as different authors is a standard technique that makes it harder to detect a cluster through account reputation. However, as BleepingComputer notes, all traffic went to a single Contabo VPS with several subdomains for different functions: session collection, command execution and monetization.

Monetization itself is the most alarming element. The infrastructure supports a Malware-as-a-Service (MaaS) model: stolen data and active sessions could be resold to third parties. In the source code, Socket found comments in Russian, specifically in the authentication and session-theft logic.

How this passed Google's review

Five extensions used Chrome's declarativeNetRequest API to strip security headers (Content Security Policy, X-Frame-Options, CORS headers) before the page loaded. This allowed them to inject advertising overlays and gambling banners even on YouTube and TikTok. Most of the extensions actually performed their stated function — games, a translator, a Telegram client — which made them hard to distinguish from legitimate ones.
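The header-stripping trick above is visible in an extension's static rule file, so it can be audited before installation. The following is an added example written for this article, not code from Socket or from any of the extensions discussed: it scans a constructed declarativeNetRequest ruleset for modifyHeaders rules that remove or rewrite security headers, and extends the page's CSP, X-Frame-Options and CORS examples with HSTS and X-Content-Type-Options as an assumption of what an auditor would also watch.

```python
import json

# Response headers whose removal or rewriting weakens a page's own defences.
# CSP, X-Frame-Options and the CORS header are the ones the Socket findings
# name; HSTS and X-Content-Type-Options are added here as an assumption.
SECURITY_HEADERS = {
    "content-security-policy", "x-frame-options", "access-control-allow-origin",
    "strict-transport-security", "x-content-type-options",
}

# Constructed sample of a declarativeNetRequest static ruleset (rules.json):
# rule 1 is an ordinary tracker block, rules 2 and 3 tamper with headers.
SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1, "action": {"type": "block"},
   "condition": {"urlFilter": "||tracker.example", "resourceTypes": ["script"]}},
  {"id": 2, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
       {"header": "Content-Security-Policy", "operation": "remove"},
       {"header": "X-Frame-Options", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 3, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
       {"header": "Access-Control-Allow-Origin", "operation": "set", "value": "*"}]},
   "condition": {"regexFilter": ".*", "resourceTypes": ["xmlhttprequest"]}}
]""")

def find_header_tampering(rules):
    """Return one (rule_id, header, operation, scope, all_sites) tuple per
    security header that a modifyHeaders rule removes or rewrites."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        cond = rule.get("condition", {})
        scope = cond.get("urlFilter") or cond.get("regexFilter") or "*"
        # A filter of "*" or ".*" applies to every site the extension can reach.
        all_sites = scope in ("*", ".*")
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if name in SECURITY_HEADERS and hdr.get("operation") in ("remove", "set", "append"):
                findings.append((rule["id"], name, hdr["operation"], scope, all_sites))
    return findings

if __name__ == "__main__":
    for rule_id, name, op, scope, everywhere in find_header_tampering(SAMPLE_RULES):
        where = "ALL SITES" if everywhere else scope
        print(f"rule {rule_id}: {op} {name} on {where}")
```

To audit a real extension, load each file listed under `declarative_net_request.rule_resources` in its manifest.json and pass the parsed array to `find_header_tampering`; a legitimate extension rarely needs to remove CSP on every site.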

Overall, the extensions were installed approximately 20,000 times. The Telegram Multi-account extension had contained malicious code since at least February 15, 2025 — more than a year before detection.

  • Check the list of all 108 extensions in the Socket report and delete them immediately
  • After deletion — force logout from Google and Telegram accounts in all sessions
  • In Telegram: Settings → Devices → terminate all active sessions
  • In Google: myaccount.google.com → Security → Your devices

The real question is not whether Google will delete these 108 extensions — it will. The question is whether the Chrome Web Store review process will change enough that the next campaign with a single C2 server spread across five accounts does not go undetected for a year. If not, the next list will be longer.
