Security Warning Issued As 100+ Chrome Extensions Get Caught Stealing Data

Stop me if you've heard this one before: a large wave of trusted extensions on the Chrome Web Store has been found to carry malware despite performing their core functions as described. If this sounds familiar, that's likely because it is: we've seen numerous prior examples of this across Firefox, Chrome, Edge, and more.

Often the worst part of these campaigns is that the extensions don't start out malicious at all; they are purchased by bad actors later and hijacked. That's not the case here, though. Rather, a set of 108 extensions from five publishers (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) were malicious from the start, and secured roughly 20,000 combined installs from Chrome Web Store users to date.

A few of the extensions identified by the team at Socket

The discovery and exposé of this malware campaign can be attributed to Socket's Threat Research Team. Socket is best known for its real-time security software for app developers, but like other cybersecurity-focused companies, it doesn't hesitate to disclose campaigns like these when discovered. The teams behind Google Safe Browsing and Chrome Web Store were also notified of this malware campaign ahead of time.

But what is the extent of the attack we're looking at here? In short, it depends on the specific extension you installed, but the range is wide. Some 54 of the extensions steal Google account identities via OAuth2, while another 45 "contain a universal backdoor that opens arbitrary URLs on browser start."

The remaining extensions range from ad and script injections all the way to exfiltrating Telegram Web sessions every 15 seconds. That one is particularly worrisome, and corresponds directly to Telegram-related extensions like Telegram multi-account.

Thankfully, the extensions in question have been taken down since Socket exposed the network behind them, which can be attributed either to Ukrainian/Russian cyber criminals or to cyber criminals intentionally masquerading as Ukrainian/Russian. The Socket blog page contains a full list of all 108 infected extensions and provides instructions for removing them and mitigating the damage, but hopefully most of you won't need to worry about that.
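As an added defender-side example (not from the article or from Socket's report), here is a small Python triage helper that flags, in an unpacked extension directory, the capability patterns the article names: OAuth2 identity access, Telegram Web session access, a short background loop like the 15-second exfiltration, and opening a tab at browser start. The manifest, script snippet, and all names are constructed; it is a heuristic to decide what to inspect more closely, not a malware detector.

```python
import json, re
from pathlib import Path

# Constructed sample (not a real extension) resembling the described capabilities.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Example Multi-Account Helper",
    "permissions": ["identity", "cookies", "storage"],
    "host_permissions": ["https://web.telegram.org/*"],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_BACKGROUND_JS = ("chrome.runtime.onStartup.addListener(() => chrome.tabs.create({ url: cfg.u }));\n"
                        "setInterval(sync, 15000);\n")

def audit_manifest(manifest: dict) -> list[str]:
    """Findings from declared permissions and host access."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p}
    findings = []
    if "identity" in perms or "oauth2" in manifest:
        findings.append("identity: can obtain OAuth2 tokens for the signed-in Google account")
    if "cookies" in perms and any("telegram.org" in h for h in hosts):
        findings.append("telegram-session: can read Telegram Web cookies")
    return findings

# chrome.tabs.create needs no declared permission, so the startup-open pattern
# has to be looked for in the background script text, not the manifest.
STARTUP_OPEN_RE = re.compile(r"runtime\.onStartup[\s\S]{0,300}?tabs\.create")
INTERVAL_RE = re.compile(r"setInterval\s*\([\s\S]*?,\s*(\d+)\s*\)")

def audit_background(js: str, max_ms: int = 60_000) -> list[str]:
    """Findings from a background script; intervals at or under max_ms are flagged."""
    findings = []
    if STARTUP_OPEN_RE.search(js):
        findings.append("startup-open: opens a tab at browser start with a script-chosen URL")
    for m in INTERVAL_RE.finditer(js):
        if int(m.group(1)) <= max_ms:
            findings.append(f"short-interval: background loop every {int(m.group(1)) // 1000}s")
    return findings

def audit_unpacked(ext_dir: Path) -> list[str]:
    """Audit one unpacked extension directory that contains manifest.json."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = audit_manifest(manifest)
    worker = manifest.get("background", {}).get("service_worker")
    if worker and (ext_dir / worker).is_file():
        findings += audit_background((ext_dir / worker).read_text(encoding="utf-8"))
    return findings
```

On a real profile, point audit_unpacked at each versioned folder under Chrome's Extensions directory and review anything that returns findings.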

Image Credit: Socket.dev
Chris Harper


Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.