Massive Chrome Extension Campaign Steals Data and Hijacks Accounts
Over 100 malicious extensions on the **Chrome Web Store** have been discovered engaging in data theft, backdoor deployment, and ad fraud. Researchers at **Socket** uncovered a coordinated campaign leveraging a shared command-and-control infrastructure to target user accounts.

Application security company **Socket** has identified more than 100 malicious extensions actively operating within the official **Chrome Web Store**. These extensions are designed to steal **Google** OAuth2 Bearer tokens, establish backdoors, and perpetrate ad fraud.
The researchers determined that these extensions are part of a coordinated campaign, all communicating with the same command-and-control (C2) infrastructure.
The threat actors distributed these extensions under five different publisher identities, spanning categories such as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and general utilities.
According to the report, the campaign utilizes a central backend hosted on a Contabo VPS. This backend is divided into multiple subdomains responsible for session hijacking, identity collection, command execution, and monetization.
**Socket**'s analysis suggests the involvement of a Russian malware-as-a-service (MaaS) operation, based on comments found in the code related to authentication and session theft.

### Harvesting Data and Hijacking Accounts
The largest cluster of malicious extensions, totaling 78, injects attacker-controlled HTML into the user interface using the `innerHTML` property. This allows the attackers to manipulate the content displayed to the user.
The second-largest group, comprising 54 extensions, leverages `chrome.identity.getAuthToken` to harvest sensitive user data, including email addresses, names, profile pictures, and **Google** account IDs.
These extensions also target the **Google** OAuth2 Bearer token, a short-lived credential that grants applications access to a user's data or the ability to act on their behalf. Compromising this token allows attackers to impersonate the user.

A third group of 45 extensions includes a hidden function that runs upon browser startup. This function acts as a backdoor, fetching commands from the C2 server and capable of opening arbitrary URLs without requiring any user interaction.
One particularly concerning extension highlighted by **Socket** steals **Telegram** Web sessions every 15 seconds. It extracts session data from `localStorage` and the session token for **Telegram** Web, transmitting this information to the C2.
"The extension also handles an inbound message (`set_session_changed`) that performs the reverse operation: it clears the victim's `localStorage`, overwrites it with threat actor-supplied session data, and force-reloads Telegram," **Socket** explains.
"This allows the operator to swap any victim's browser into a different **Telegram** account without the victim's knowledge."
The researchers also identified three extensions designed to strip security headers and inject advertisements into **YouTube** and **TikTok**, one extension that proxies translation requests through a malicious server, and an inactive **Telegram** session theft extension utilizing staged infrastructure.
**Socket** has reported the campaign to **Google**, but at the time of their report's publication, all malicious extensions remained available on the **Chrome Web Store**.
BleepingComputer has confirmed that many of the extensions listed in **Socket**'s report are still active. BleepingComputer has also reached out to **Google** for comment but has not yet received a response.
Users are strongly advised to check their installed extensions against the IDs published by **Socket** and immediately uninstall any matches.
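As an added example (not code from Socket's report or from BleepingComputer), the following Python script audits a Chrome profile's `Extensions` directory for the traits described above: an extension ID on a blocklist, the `identity` permission that enables `chrome.identity.getAuthToken`, and a background script combined with all-URL host access. The blocklist value is a placeholder to be replaced with the IDs Socket published, and the sample profile it builds is constructed for demonstration.

```python
import json
import os
import tempfile

# Placeholder blocklist: substitute the extension IDs published in Socket's report (constructed value).
BLOCKLIST_IDS = {"a" * 32}
ALL_URLS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # patterns granting access to every site

def audit_extension(ext_id, manifest):
    """Findings for one manifest: blocklisted ID, 'identity' permission, startup code with all-URL access."""
    findings = []
    if ext_id in BLOCKLIST_IDS:
        findings.append("extension ID is on the blocklist")
    perms = set(manifest.get("permissions", []))
    if "identity" in perms:
        findings.append("requests 'identity' (can call chrome.identity.getAuthToken for the OAuth2 token)")
    # MV3 puts host patterns in host_permissions; MV2 lists them under permissions.
    hosts = set(manifest.get("host_permissions", [])) | (perms & ALL_URLS)
    if hosts & ALL_URLS and "background" in manifest:
        findings.append("background script plus all-URL host access (can fetch commands and open URLs at startup)")
    return findings

def audit_profile(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return {extension_id: findings}."""
    # On Linux the default profile lives at ~/.config/google-chrome/Default/Extensions.
    report = {}
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in os.listdir(ext_dir):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    findings = audit_extension(ext_id, json.load(fh))
                if findings:
                    report[ext_id] = findings
    return report

def build_sample_profile():
    """Constructed sample: one benign extension and one shaped like the campaign's manifests (not real data)."""
    root = tempfile.mkdtemp()
    samples = {"b" * 32: {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]},
               "a" * 32: {"name": "Video Enhancer", "manifest_version": 3,
                          "permissions": ["identity", "storage"], "host_permissions": ["<all_urls>"],
                          "background": {"service_worker": "bg.js"}}}
    for ext_id, manifest in samples.items():
        os.makedirs(os.path.join(root, ext_id, "1.0_0"))
        with open(os.path.join(root, ext_id, "1.0_0", "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Running `audit_profile` against a real profile path reports only extensions with at least one finding; a hit on `identity` alone is a review prompt, not proof of malice, since legitimate extensions use it too.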