More than 100 Chrome extensions were linked to a wide-ranging campaign that collected identity data, opened backdoor-style browser behavior and, in one case, exfiltrated Live Telegram web session data. The researchers linked 108 add-ons to the same control network, with approximately 20,000 installations logged across the Chrome Web Store at the time the results were published.
What makes this punch harder is the range. The extensions were Telegram tools, slot and keno games, translation programs, YouTube and TikTok helpers, and basic site tools that helped make the process fit into the sort of things people install without much thought. The full list can be found here.
Researchers said the extensions were still active when the report was published and takedown requests had already been filed. That gives this story a very handy benefit for Chrome users who haven’t checked their add-ons in a while.
The worst behavior was not the same for everyone
The damage was not limited to one trick. The investigation found that 54 extensions collected a Google account’s identity data after a user clicked a login button, while a Telegram-targeted extension exfiltrated active Telegram web session data every 15 seconds. Another 45 contained a routine that could open arbitrary URLs every time Chrome was started, even if the user had never opened the extension that day.
Other add-ons removed security protections from sites like Telegram, YouTube and TikTok before inserting overlays, ads or scripts into pages. A translation tool also forwarded transmitted texts via the operator’s server, turning a simple helper into a surveillance risk.
Why this should worry regular Chrome users
The bigger problem is how ordinary the bait looked. These weren’t just obscure tools for power users. The list included games, browser utilities, sidebar clients, and translation add-ons, exactly the kind of extras people use because the store page looks slick and the feature seems useful.
Additionally, extensions tend to fade into the background once installed. In this case, researchers attributed the activity of these mixed tools to the same backend infrastructure that turned a random-looking stack of add-ons into a single operation with multiple ways to collect data or change the browsing experience.
Check your extensions now
The wisest next step is to check what’s installed in Chrome, especially anything related to Telegram, simple games, translations, or sidebar utilities that have been asking for login access for no clear reason. The study lists 108 extensions by name and ID and recommends removing any match immediately.
The highest-risk case appears to be the Telegram extension, which repeatedly filtered out web session data. Anyone who used it while logged into Telegram Web should end other Telegram sessions through the mobile app, and users who logged into any of the Google-linked extensions should review account access and revoke anything unusual.
