More than 100 Chrome extensions have been tied to a sprawling campaign that harvested identity data, opened backdoor-style browser behavior, and in one case pulled live Telegram Web session data. Researchers linked 108 add-ons to the same control network, with about 20,000 installs logged across the Chrome Web Store when the findings were published.
What makes this one hit harder is the range. The extensions showed up as Telegram tools, slot and Keno games, translation utilities, YouTube and TikTok helpers, and basic page tools, which helped the operation blend into the kind of stuff people install without much thought. See the full list here.
Researchers said the extensions were still live when the report went up, and takedown requests had already been filed. That gives this story a very practical edge for Chrome users who haven’t checked their add-ons in a while.
The worst behavior wasn’t all the same
The damage wasn’t limited to one trick. The research found that 54 extensions collected Google account identity details after a user clicked a sign-in button, while one Telegram-focused extension exfiltrated active Telegram Web session data every 15 seconds. Another 45 included a routine that could open arbitrary URLs whenever Chrome started, even if the user never opened the extension that day.
Other add-ons stripped security protections from sites like Telegram, YouTube, and TikTok before injecting overlays, ads, or scripts into pages. One translation tool also routed submitted text through the operator’s server, turning a simple helper into a surveillance risk.
Why this should worry regular Chrome users
The bigger issue is how ordinary the bait looked. These weren’t just obscure tools for power users. The list included games, browser helpers, sidebar clients, and translation add-ons, exactly the kind of extras people grab because the store page looks polished and the feature seems useful.
Extensions also tend to fade into the background once they’re installed. In this case, researchers traced activity from that mixed bag of tools back to the same backend infrastructure, which turned a random-looking pile of add-ons into one operation with several ways to collect data or alter the browsing experience.
Check your extensions now
The smartest next move is to audit what’s installed in Chrome, especially anything tied to Telegram, lightweight games, translation, or sidebar utilities that asked for sign-in access without a clear reason. The research lists 108 extensions by name and ID, and recommends removing any match immediately.
The highest-risk case appears to be the Telegram extension that repeatedly exfiltrated web session data. Anyone who used it while logged into Telegram Web should terminate other Telegram sessions from the mobile app, and users who signed into one of the Google-linked extensions should review account access and revoke anything unfamiliar.