108 Malicious Chrome Extensions Harvest Google & Telegram Data, Impacting ~20K Users
What Happened — Researchers identified a coordinated campaign of 108 malicious Chrome extensions that share a single command‑and‑control (C2) infrastructure. The extensions silently exfiltrate Google account credentials, Telegram session tokens, and browsing activity, then inject ads and arbitrary JavaScript into every visited page. Approximately 20,000 end‑users have been confirmed as victims.
Why It Matters for TPRM
- Browser‑based supply‑chain attacks bypass traditional network defenses and can compromise any organization whose employees install unvetted extensions.
- Stolen credentials and messaging tokens provide attackers with footholds for further lateral movement and social engineering.
- The campaign demonstrates how third‑party software (browser extensions) can become a data‑exfiltration vector across multiple industries.
Who Is Affected — Enterprises with employees using Google Workspace or Telegram on Chrome; sectors such as technology, finance, professional services, education, and government that rely on these platforms.
Recommended Actions
- Conduct an inventory of all approved Chrome extensions across the organization and enforce a whitelist‑only policy.
- Re‑educate users on the risks of installing extensions from unverified sources; implement browser hardening controls (e.g., Chrome Enterprise policies).
- Monitor network traffic for outbound connections to the identified C2 domains and for anomalous credential usage.
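An added example (not from the original brief or its source) of how the inventory and allowlist actions above can be operationalized: a Python script that walks a Chrome profile's Extensions directory, flags any extension that is not on the corporate allowlist or whose manifest requests every-page host access or the cookies permission (the capabilities the campaign relied on), and emits the corresponding Chrome Enterprise ExtensionInstallBlocklist/ExtensionInstallAllowlist policy. The profile layout, extension IDs and manifests are constructed samples; the policy names are real Chrome policies.

```python
import json
import os
import tempfile

# Host patterns and API permissions that allow page injection or session-cookie reads.
RISKY_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"cookies", "webRequest", "scripting"}
ALLOWLIST = {"a" * 32}  # constructed placeholder; real IDs are 32 chars from a-p

def scan_extensions(profile_dir, allowlist):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; one finding per version."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    for ext_id in sorted(os.listdir(ext_root)):
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            path = os.path.join(ext_root, ext_id, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            perms = set(manifest.get("permissions", []))
            # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
            hosts = set(manifest.get("host_permissions", [])) | perms
            findings.append({
                "id": ext_id, "version": version, "name": manifest.get("name", "?"),
                "allowlisted": ext_id in allowlist,
                "risky": sorted((hosts & RISKY_HOSTS) | (perms & RISKY_PERMS)),
            })
    return findings

def allowlist_policy(allowlist):
    """Chrome Enterprise policy: block every extension except the allowlisted IDs."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}

def build_sample_profile():
    """Constructed throwaway profile: one approved extension, one unapproved one."""
    root = tempfile.mkdtemp()
    samples = {
        "a" * 32: {"name": "Approved Tool", "permissions": ["storage"],
                   "host_permissions": ["https://intranet.example/*"]},
        "b" * 32: {"name": "Free Coupons", "permissions": ["cookies", "storage"],
                   "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        folder = os.path.join(root, "Extensions", ext_id, "1.0.0_0")
        os.makedirs(folder)
        with open(os.path.join(folder, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Point `scan_extensions` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to produce the actual inventory; the returned findings are what a TPRM team would reconcile against its approved list.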
Technical Notes — Attack vector: malicious browser extensions (malware). No public CVE. Data stolen: Google OAuth tokens, Telegram session cookies, and browsing history; the extensions also inject ad payloads into visited pages. Source: The Hacker News