{"id":235190,"date":"2026-04-14T22:21:19","date_gmt":"2026-04-15T03:21:19","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/04\/108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users"},"modified":"2026-04-14T22:21:19","modified_gmt":"2026-04-15T03:21:19","slug":"108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/04\/108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users","title":{"rendered":"108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/108-malicious-chrome-extensions-steal-google-and-telegram-data-affecting-20000-users.jpg\"><\/a><\/p>\n<p>Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited.<\/p>\n<p>According to Socket, the extensions (complete list <a href=\"https:\/\/socket.dev\/blog\/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2#:~:text=Chrome%20Extension%20IDs\" rel=\"nofollow\" target=\"_blank\">here<\/a>) are published under five distinct publisher identities \u2013 Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt \u2013 and have collectively amassed about 20,000 installs in the Chrome Web Store.<\/p>\n<p>\u201cAll 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator,\u201d security researcher Kush Pandya <a href=\"https:\/\/socket.dev\/blog\/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2\">said<\/a> in an analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited. According to Socket, the extensions [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-235190","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/235190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=235190"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/235190\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=235190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=235190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=235190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}