Over 100 Chrome extensions found harvesting private session data

Malicious extensions were found extracting Telegram Web session data every fifteen seconds for attackers.

A hidden network of more than 100 malicious browser extensions has been discovered within the Chrome Web Store, raising significant concerns regarding the security of everyday internet browsing.

Cybersecurity firm Socket identified 108 predatory tools disguised as legitimate gaming enhancers, translation services, and social media utilities.

While these extensions appeared to function as advertised, researchers found they were secretly designed to harvest confidential user information, including email addresses, profile details, and Google account identifiers.

The most critical threat involved the interception of authentication tokens, which allows attackers to bypass traditional passwords and access private accounts.

Specifically, some extensions were found targeting Telegram Web users by extracting session data every 15 seconds, granting hackers near-continuous access to private conversations.

Furthermore, the infected tools contained 45 backdoor functions that enabled remote operators to manipulate browser protection features, inject dangerous software into websites, and execute remote commands to control the host system.

Investigators have traced the operation to a single command-and-control infrastructure, noting that the extensions were published under a variety of different developer profiles to avoid detection.

Although no specific group has been officially confirmed, code patterns suggest the campaign is a Russian-based "malware-as-a-service" operation.

Despite formal takedown requests, many of the flagged extensions remained operational in the marketplace at the time of the report.

With over 20,000 estimated installations worldwide, experts are urging users to immediately audit their installed tools, remove any suspicious or unknown extensions, and strictly limit the permissions granted to third-party applications.
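One way to run the audit recommended above, as an added example that is not from the article or from Socket's research: it reads each installed extension's `manifest.json` and reports permissions and host access matching the behaviours described. The `RISKY` list, the function names and the sample manifest are assumptions made for this example, and a finding means the extension deserves review, not that it is malicious.

```python
import json
from pathlib import Path

# Permissions tied to behaviours the article describes (mapping assumed for this example).
RISKY = {"identity", "identity.email", "scripting", "cookies",
         "webRequest", "declarativeNetRequest", "tabs"}
WATCHED_HOST = "web.telegram.org"  # the web app named in the article
# Constructed sample manifest, not taken from any real extension.
SAMPLE = {"manifest_version": 3, "name": "Example Translator",
          "permissions": ["identity.email", "storage", "scripting"],
          "host_permissions": ["https://*.telegram.org/*", "https://example.com/*"]}


def pattern_covers(pattern, host):
    """True if a Chrome match pattern grants access to https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return pat_host in ("*", host)


def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = list(manifest.get("host_permissions", [])) + perms  # MV3 + MV2 host entries
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings = {f"permission:{p}" for p in perms if p in RISKY}
    findings |= {f"host:{h}" for h in hosts if pattern_covers(h, WATCHED_HOST)}
    return sorted(findings)


def audit_profile(extensions_dir):
    """Map 'extension_id/version' to findings for each manifest under the directory."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        found = audit_manifest(manifest)
        if found:
            report[f"{path.parts[-3]}/{path.parts[-2]}"] = found
    return report
```

Point `audit_profile` at the `Extensions` folder inside a Chrome profile directory; the extension IDs in the result correspond to the IDs shown on the `chrome://extensions` page.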