Article At A Glance
- 108 malicious Chrome extensions were discovered in the Chrome Web Store, collectively impacting around 20,000 users by stealing Google account credentials, Telegram session data, and more.
- All 108 extensions traced back to a single command-and-control infrastructure, leading researchers to suspect a coordinated Malware-as-a-Service operation.
- Four publisher names were identified as key threat actors: Yana Project, GameGen, SideGames, and Rodeo Games — if you have any extensions from these publishers, remove them immediately.
- The extensions used multiple attack methods including OAuth2 identity theft, session hijacking, arbitrary URL injection, and security header stripping on YouTube and TikTok.
- Keep reading to understand exactly how each type of extension worked and what steps you need to take right now to protect your accounts.
Most people install Chrome extensions without a second thought — and that blind trust just put 20,000 users at serious risk.
A security investigation published on April 13, 2026 revealed 108 dangerous Chrome extensions operating quietly inside the Chrome Web Store. These weren’t obscure, broken tools that obviously looked suspicious. They appeared fully functional, offered real features, and passed through the store without triggering immediate removal. Underneath that legitimate surface, they were running a coordinated data theft operation targeting Gmail, YouTube, TikTok, and Telegram users. SQ Magazine, which covers cybersecurity threats and digital privacy, was among the first outlets to report the full scope of this campaign.
What makes this campaign especially alarming is the scale and coordination behind it. Every single one of the 108 extensions connected back to one shared command-and-control server, meaning this wasn’t a scattered group of independent bad actors. Someone built this infrastructure deliberately, and it shows.
108 Malicious Chrome Extensions Were Just Caught Stealing Your Data
The 108 extensions discovered weren’t random. Each one had a defined role in collecting sensitive user information, and together they formed a layered attack system capable of stealing credentials, hijacking active sessions, and manipulating browser behavior in real time.
Which Platforms Were Targeted
The campaign didn’t focus on a single platform. It cast a wide net across the most widely used services in the world, targeting users across four major platforms:
- Gmail — Google account identity and OAuth2 tokens were primary targets
- YouTube — Security response headers were stripped to enable ad injection and session exposure
- Telegram — Active session authentication data was exfiltrated through the Telegram Web interface
- TikTok — Security headers were removed in the same method used against YouTube
Targeting these platforms specifically makes sense from an attacker’s perspective. Google accounts give access to an enormous amount of personal data. Telegram sessions can be used for identity takeovers. YouTube and TikTok accounts with large followings represent high-value targets for account hijacking and monetization fraud.
How Many Users Were Affected
At the time the report was published, the 108 extensions had accumulated approximately 20,000 known installs across the Chrome Web Store. That figure represents confirmed installs and likely undercounts real-world exposure, since many users don’t audit their extensions regularly and may not have known they were running one of these tools.
How These Extensions Slipped Past Google’s Review
Google uses both automated scanning and manual review processes to evaluate Chrome Web Store submissions. Despite these systems, 108 malicious extensions made it through and remained live long enough to reach thousands of users. The reason comes down to how these extensions were designed to behave.
Rather than triggering obvious red flags at install time, many of these extensions were built to appear as standard, useful tools. They delivered on their stated functionality, which meant users had no reason to question them, while quietly running malicious routines in the background. This dual-purpose design is one of the hardest threat types for automated review systems to catch reliably.
How Dual-Purpose Malicious Extensions Evade Detection
Legitimate behavior at install and during initial use keeps the extension appearing clean during review windows. Malicious payloads activate only after certain triggers, such as visiting a specific site or after a delay period. Communication with command-and-control servers can be disguised as routine API calls, and because the actual instruction, destination URL or target is fetched from the server at runtime, the code submitted for review contains little more than an innocuous-looking request. Permissions requested often overlap with what a legitimate version of the same tool would genuinely need.
They Posed as Legitimate Tools
Several of the 108 extensions mimicked real, in-demand browser tools. The Telegram Multi Account extension is a clear example — it appeared to offer a genuine productivity feature for users managing multiple Telegram accounts. It worked. It just also silently monitored Telegram Web sessions and extracted authentication tokens in the background. That combination of real utility and hidden malice is what kept these extensions trusted and installed.
The Publisher Names Behind the Attack
Researchers identified four publisher names associated with the malicious extensions. If you recognize any of these in your Chrome extension list, treat them as compromised and remove them immediately:
- Yana Project
- GameGen
- SideGames
- Rodeo Games
All four publisher accounts connected back to the same underlying infrastructure. The use of multiple publisher identities is a deliberate tactic to distribute the extensions across different store categories and reduce the likelihood that a single takedown would disrupt the entire campaign.
What Each Type of Malicious Extension Actually Did
Not all 108 extensions performed the same function. The campaign was structured across several distinct attack types, each targeting a different layer of user data or browser behavior. The five types described below account for 103 of the 108; the summary here does not break down the remaining five. Understanding what each type actually did helps clarify exactly how serious this exposure is.
54 Extensions Stole Google Account Identity via OAuth2
OAuth2 is the authorization framework that allows third-party apps and extensions to access your Google account on your behalf without ever seeing your password. When you click “Sign in with Google,” you’re using OpenID Connect, a login layer built on top of OAuth2. The 54 extensions in this category abused that flow to obtain tokens tied to your Google identity without your knowledge.
Once an attacker has a valid OAuth2 token, they don’t need your password. The token acts as a key that grants access to whatever the granted scopes cover, potentially including Gmail messages, Google Drive files, and account profile information. Because many third-party services accept Google sign-in and send password resets to Gmail, control of the Google identity can also be used to take over accounts on those services, extending the damage well beyond Google’s own ecosystem.
45 Extensions Launched Arbitrary URLs on Browser Start
Every time you opened Chrome, 45 of these extensions were quietly redirecting your browser to attacker-controlled URLs in the background. This technique, known as arbitrary URL injection on browser start, gives threat actors a reliable trigger point — your browser launch — to execute malicious actions without requiring any additional interaction from you. The destinations could serve as phishing pages, credential harvesting sites, or silent tracking endpoints.
What makes this particularly dangerous is the timing. Most users aren’t paying close attention to what loads in the background when Chrome first opens. A tab that flashes briefly or loads silently in a background process can complete its malicious task and close before most people even notice it was there.
1 Extension Exfiltrated Telegram Sessions Every 15 Seconds
The Telegram Multi Account extension was among the most aggressive in the entire dataset. Rather than performing a one-time data grab, it operated on a continuous polling cycle — extracting authentication data from active Telegram Web sessions every 15 seconds. That means for every minute you had Telegram Web open with this extension installed, your session data was transmitted to attacker-controlled servers four times.
Telegram session tokens don’t require your password to work. Once an attacker holds a valid session token, they can authenticate as you on Telegram Web from a completely different device, read your messages, access your contacts, and impersonate you in conversations — all without triggering a login alert.
Extensions That Stripped Security Headers on YouTube and TikTok
Two extensions in the campaign specifically targeted YouTube and TikTok by removing security response headers from those platforms. Security headers like Content-Security-Policy (CSP) and X-Frame-Options are server-side instructions that tell your browser what content is allowed to load, from where, and whether the page may be framed. An extension with host access to those sites can rewrite response headers before the browser acts on them, through declarativeNetRequest rules in Manifest V3 or a webRequest onHeadersReceived handler in Manifest V2. Strip those headers, and the browser loses its ability to block unauthorized scripts, injected ads, or cross-site content that would otherwise be rejected.
On YouTube specifically, the extensions went a step further — after stripping the security headers, they injected unauthorized advertisements into the page. This served two purposes for the attackers: generating revenue through ad fraud and potentially exposing users to malvertising through ads that linked to malicious destinations.
1 Extension Routed All Translation Requests Through Attacker Servers
One extension posed as a translation tool, which on the surface is a completely reasonable browser utility. The problem was that every piece of text you submitted for translation wasn’t going to a legitimate translation API. It was being routed through servers controlled by the threat actors behind this campaign.
Think about what people translate in a browser: emails, private messages, business documents, financial statements, medical information. Any text a user highlighted and translated while this extension was active was potentially captured and logged on attacker infrastructure. The extension could have operated this way for months without a single user suspecting anything, because the translations themselves likely worked perfectly fine.
The Single Command-and-Control Server Behind All 108 Extensions
Every one of the 108 extensions in this campaign communicated back to a single shared command-and-control (C2) infrastructure. That single point of coordination is the most significant finding in the entire investigation. It rules out the possibility that these were independent, unrelated bad actors who happened to publish similar tools at the same time. This was one organized operation, run centrally, with different extensions serving as specialized components of a larger system.
What a Command-and-Control Infrastructure Means for Users
A command-and-control server is the backbone of any coordinated malware campaign. It’s the remote system that issues instructions to infected endpoints — in this case, browsers running the malicious extensions — and receives the stolen data those endpoints collect. The C2 server is what allows attackers to update extension behavior, redirect data collection targets, or activate new attack routines without ever pushing an update through the Chrome Web Store.
For users, this means the threat wasn’t static. An extension that appeared relatively harmless on day one could have received new instructions from the C2 server on day thirty, expanding what it collected or how it behaved. You wouldn’t see a version update. You wouldn’t receive a notification. The behavior change would happen silently, server-side.
What Data Was Being Sent to the C2 Server
| Extension type | Data transmitted to C2 | Frequency |
| --- | --- | --- |
| OAuth2 identity theft (54 extensions) | Google account authorization tokens | On account interaction |
| Arbitrary URL injection (45 extensions) | Browser activity confirmation, tracking data | On every browser launch |
| Telegram session exfiltration (1 extension) | Active Telegram Web session tokens | Every 15 seconds |
| Security header stripping (2 extensions) | Exposed session data, ad fraud revenue | On YouTube/TikTok page load |
| Translation interception (1 extension) | All user-submitted text for translation | On every translation request |
The diversity of data types being funneled to one server tells you something important about the campaign’s intent. This wasn’t a smash-and-grab operation targeting one specific credential. It was a broad collection effort designed to build comprehensive profiles on victims or to package stolen data for resale. Different data types have different values on criminal marketplaces, and having all of it flowing into one infrastructure makes sorting and monetizing that data significantly easier for the operators.
It also means that if law enforcement or a security firm were to seize or disrupt that C2 server, the entire operation collapses at once. That’s a double-edged reality — centralized infrastructure is efficient for attackers but creates a single point of failure that, once identified, can bring down the whole network.
Why Researchers Suspect a Malware-as-a-Service Operation
The structure of this campaign — multiple publisher identities, diverse extension types, centralized infrastructure, and a broad targeting strategy — fits the profile of a Malware-as-a-Service (MaaS) operation. In a MaaS model, the threat actors who built and operate the infrastructure rent access to it, or sell the stolen data it produces, to other criminal buyers. The four publisher accounts (Yana Project, GameGen, SideGames, and Rodeo Games) may represent different clients or operational arms within the same service rather than a single unified team. This model has become increasingly common in cybercrime ecosystems because it lowers the technical barrier for launching sophisticated attacks.
Remove These Extensions From Your Browser Right Now
If you’ve had any extensions from the publishers Yana Project, GameGen, SideGames, or Rodeo Games installed at any point, assume your data has been compromised and act accordingly. Don’t wait for Google to push a removal update — take control of your browser right now.
Even if you don’t recognize those publisher names, this incident is a strong signal to audit every extension currently installed in your Chrome browser. Most users accumulate extensions over time and forget about tools they installed months or years ago. Each one represents a potential attack surface, and not every malicious extension gets caught as quickly as these 108 did.
The reality is that extension permissions are powerful. A single extension with broad permissions, access to all sites, the ability to read page content, and permission to modify requests, has the technical capability to do everything these 108 extensions were doing. The permission system is designed to be transparent, but most users click through permission prompts without reading them.
How to Find and Delete Suspicious Chrome Extensions
Removing extensions from Chrome takes less than two minutes. Open Chrome and type chrome://extensions into the address bar. This opens the extension management page, which lists every installed extension with its name and description; the Details button on each card shows the permissions and site access it holds, and the View in Chrome Web Store link leads to the listing where the publisher name is shown. Turning on Developer mode at the top right also reveals each extension’s 32-character ID, which is what the store URL and the folder under your Chrome profile’s Extensions directory are named after. Go through the list carefully; if you see anything from Yana Project, GameGen, SideGames, or Rodeo Games, click Remove immediately.
While you’re on that page, apply a broader filter. For every extension listed, ask yourself three questions: Do I remember installing this? Do I actively use it? Do its requested permissions make sense for what it claims to do? If the answer to any of those is no, remove it. A translation extension that requests access to read all your browsing data and modify network requests should raise immediate red flags — that’s far more access than a translation tool needs to function.
What to Do If You Had One of These Extensions Installed
If any of the four flagged publishers appeared in your extension list, your first move after removal is to revoke third-party access and change your Google password. Go to myaccount.google.com/permissions, where Google lists every app and extension that has been granted OAuth2 access to your account. Revoke everything you don’t recognize, then revoke anything you do recognize but no longer actively use. Revoking a grant invalidates the refresh token behind it, and that is what cuts off access the extensions already captured: changing your password alone does not reliably revoke OAuth2 grants, and uninstalling the extension does not revoke them at all. Then change your password.
Next, check your Google account’s active sessions. Under myaccount.google.com/device-activity you can see every device currently signed in to your account. If anything looks unfamiliar, an unrecognized device, a location you’ve never been to, or a sign-in time that doesn’t match your activity, sign that device out and change your password again. Note that an attacker using a stolen OAuth2 token does not appear here; token-based access is listed only on the permissions page above. Enable two-factor authentication if you haven’t already, and use an authenticator app or a security key rather than SMS where possible, since SMS codes are much easier to intercept.
How to Secure Your Telegram Account After Exposure
If you used Telegram Web with the Telegram Multi Account extension installed, treat your Telegram session as compromised. Open Telegram on your phone, go to Settings > Devices (Settings > Privacy and Security > Active Sessions in older versions), and terminate every session that isn’t your current device. Session credentials captured by the extension remain valid until they’re explicitly revoked; closing your browser tab doesn’t invalidate them. Terminating all other sessions forces any attacker holding a stolen session to lose access immediately. While you’re in the settings, enable Two-Step Verification, which adds a password that is required whenever the account is logged in from a new device, so a stolen session cannot simply be re-established after you revoke it.
Google Has Been Notified, But the Extensions Were Still Live at Time of Report
When the security investigation was published on April 13, 2026, Google had been notified about the 108 malicious extensions. However, at the time of publication, the extensions were still available and active in the Chrome Web Store. This gap between discovery, notification, and actual removal is not unusual — Google’s review and takedown process takes time, and during that window, users remain exposed. This is precisely why waiting for Google to act on your behalf is not a viable security strategy. The responsibility for auditing what runs inside your browser sits with you, and the tools to do it are already built into Chrome.
Frequently Asked Questions
These are the most common questions people have after hearing about a Chrome extension threat campaign — answered directly and without the jargon.
How Do I Know If a Chrome Extension Is Safe to Install?
No extension comes with a guaranteed safety certificate, but several signals can help you make a much better-informed decision before clicking install. Here’s what to check before adding any extension to Chrome:
- Publisher reputation — Search the developer’s name independently. Legitimate publishers have a track record, a website, and a history of updates.
- Permission scope — Read every permission the extension requests. If a calculator extension asks to read all your browsing data, that’s a red flag.
- Review quality — Look at the reviews critically. A flood of vague five-star reviews posted within a short window is a known indicator of artificial review manipulation.
- Install count vs. age ratio — A brand new extension with thousands of installs and almost no review history deserves extra scrutiny.
- Last updated date — Extensions that haven’t been updated in years may be abandoned, making them easier targets for acquisition and weaponization by malicious actors.
- Source code transparency — Some legitimate extensions link to open-source repositories. This isn’t a requirement, but its presence is a positive signal.
One tactic that has become increasingly common is the extension acquisition attack — where a bad actor purchases a previously legitimate, well-reviewed extension from its original developer and then pushes a malicious update to the existing user base. This means an extension that was perfectly safe six months ago may not be safe today, which is why periodic audits of your extension list matter even for tools you’ve trusted for a long time.
The single most protective habit you can build is installing the minimum number of extensions necessary. Every extension you don’t install is an attack surface that doesn’t exist in your browser. Keep your list short, keep it reviewed, and remove anything you haven’t used in the last 30 days.
Can Google Automatically Remove Malicious Extensions From My Browser?
Yes. Chrome checks installed extensions against a Safe Browsing blocklist, and when Google removes an extension from the Chrome Web Store for malware, Chrome disables it in users’ browsers at the next check and marks it on chrome://extensions with a notice that it contains malware. The disabled extension’s files stay on the machine until you remove it yourself, and any data it has already sent out is unaffected.
However, this process is not instantaneous, and it is not foolproof. The window between when a malicious extension is first identified and when Google completes its review and pushes a removal can span days. During that period, the extension continues operating with full permissions inside affected browsers. The 108 extensions in this campaign were still live at the time the public report dropped, meaning every hour of that delay represented continued data exposure for the 20,000 affected users. Don’t rely on Google’s safety net as your first line of defense — manual auditing is faster and more reliable.
What Is OAuth2 and Why Is It Dangerous When Exploited?
OAuth2 is an authorization framework that allows applications and browser extensions to access your accounts on third-party services without needing your actual password. When you grant a Chrome extension access to your Google account, OAuth2 generates an access token — a credential that acts as a temporary key to your account data. The extension presents that token to Google’s servers to prove it has your permission to access certain information.
The danger is that once an attacker captures that token, they hold a valid key to your account — no password required. Tokens can grant access to Gmail content, Google Drive files, calendar data, and any other Google service the extension was authorized to reach. Depending on the token’s scope and expiration settings, that access can persist for an extended period without triggering login alerts, because from Google’s perspective, the token is legitimate.
OAuth2 Attack Flow — How Token Theft Works
| Stage | What happens | User awareness |
| --- | --- | --- |
| 1. Extension install | User installs the extension and grants Google account permissions | User sees the permission prompt but typically approves |
| 2. Token generation | OAuth2 issues an access token tied to the user’s Google account | Invisible to the user |
| 3. Token capture | The malicious extension intercepts and transmits the token to the C2 server | No visible indication |
| 4. Attacker access | Attacker uses the token to call Google services as the victim | No login notification triggered |
| 5. Data exfiltration | Account contents are accessed, downloaded, or monitored remotely | User unaware unless they audit third-party app access |
The best defense against OAuth2 token theft is regular permission audits. Visit myaccount.google.com/permissions and review every application and extension that currently holds access to your Google account. Revoke anything you don’t recognize and anything you no longer actively use. Uninstalling an extension does not revoke its grant: Google access tokens themselves are short-lived, but the refresh token behind a grant stays valid until you revoke it there.
Enabling Google’s Advanced Protection Program adds a significantly stronger layer of verification to your account, requiring physical security keys for authentication and blocking most OAuth2-based access from unverified apps entirely. For users who handle sensitive professional or personal data through Google’s ecosystem, it’s worth considering seriously.
What Is Session Hijacking and How Does It Affect My Accounts?
Session hijacking is the theft of an active authentication session token — the credential your browser holds after you’ve logged into a service, which proves to the server that you’re already authenticated. When the Telegram Multi Account extension exfiltrated session data every 15 seconds, it was performing exactly this attack. An attacker who obtains your active session token can authenticate as you on that platform from a completely different device, without knowing your password or triggering a new login event. The session already exists. They’re simply reusing it. On Telegram, this means full access to your message history, contacts, and identity. On Google, it means access to every service tied to your account. Revoking active sessions through each platform’s security settings is the only way to invalidate stolen tokens that have already been captured.
Are Other Browsers Like Firefox or Edge at Risk From Similar Attacks?
Yes. The attack methodology used in this campaign — building seemingly legitimate extensions that carry hidden malicious functionality — is not exclusive to Chrome. Firefox’s extension ecosystem through Mozilla Add-ons, Microsoft Edge’s extension store, and any Chromium-based browser that supports the Chrome Web Store are all potential vectors for the same class of attack. The underlying vulnerability isn’t a Chrome-specific flaw. It’s the trusted relationship between users and browser extensions as a category.
Firefox has historically maintained a stricter extension review process than Chrome, with more manual review involvement for new submissions. However, no review process is immune to well-designed dual-purpose extensions that behave legitimately during evaluation and activate malicious behavior only after passing review. Microsoft Edge, being Chromium-based, can run Chrome extensions directly, which means any malicious extension in the Chrome Web Store is also a potential threat to Edge users who have enabled Chrome extension support.
Regardless of which browser you use, the protective habits are the same: minimize your extension count, review permissions critically before installing, audit your installed extensions regularly, and monitor your active account sessions across all major platforms. The extensions in this campaign targeted the accounts, not the browsers — and your accounts exist across every browser you use.