Chrome add-ons hid a broad data trap

More than 100 Chrome extensions presented as harmless tools for games, social media sidebars and translation have been tied to a coordinated data-harvesting operation that security researchers say exposed user identities, browser sessions and browsing activity through a shared command-and-control network. The campaign, uncovered by Socket’s Threat Research Team and independently checked in part by BleepingComputer, involved 108 extensions listed under five publisher identities and accounted for about 20,000 installs on the Chrome Web Store when the findings were published on 13 and 14 April.

What makes the operation stand out is not just the number of extensions but the breadth of its disguises. The add-ons appeared across categories that would not ordinarily raise alarm: Telegram sidebars, YouTube and TikTok helpers, slot-machine and Keno games, a text-translation utility and other page tools. Researchers said the extensions generally performed the functions they advertised, giving users a working product on the surface while quietly sending data to infrastructure controlled by a single operator. That mix of apparent usefulness and covert surveillance remains one of the most effective formulas in browser-based cybercrime.

The technical findings point to multiple abuse paths. Socket said 54 of the extensions used Chrome’s identity tools to collect Google account profile data, including email address, name, profile image and account identifier, after a user clicked a sign-in button. One extension was found actively exfiltrating Telegram Web sessions every 15 seconds, while another appeared to contain the necessary infrastructure for similar theft that had not yet been switched on. Researchers also identified 45 extensions with a hidden backdoor function that could contact the operator’s server whenever the browser started and then open arbitrary web pages under attacker control, even if the user never interacted with the extension itself.

Other parts of the cluster were built for browser manipulation and monetisation. Socket found five extensions using Chrome’s declarativeNetRequest capability to strip security headers from websites before pages loaded, weakening protections on Telegram, YouTube and TikTok pages. In some cases that allowed ad injection and other interface tampering. The translation extension carried a different risk: every translation request was routed through the operator’s server, meaning the full text submitted by a user could be observed upstream. Researchers said that extension asked only for side-panel access and no host permissions, reducing visible warning signs during installation.
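The two abuse paths described in the last three paragraphs (profile collection through the identity permission, and declarativeNetRequest rules that strip security headers) are both visible statically in an extension's package, so a reviewer can catch them without running the extension. The following is an added example of such a check, written for this article and not taken from Socket's report, Google's tooling or any of the extensions involved. It audits a parsed manifest.json plus its declarativeNetRequest rule sets; the header list, the severity labels and the sample manifest and rules are my own constructions, and the sample domain is example.com rather than any site named in the article.

```javascript
// Added example (not from the article, Socket or Google): a static audit of an
// unpacked Chrome extension, flagging the patterns the article describes:
//  (1) the identity permission (chrome.identity can expose the signed-in profile),
//  (2) modifyHeaders rules that remove security headers before a page loads,
//  (3) a background service worker, which can run whenever the browser starts,
//  (4) host permissions covering every site.
// Header list, severities and sample data are choices made for this example.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "strict-transport-security",
  "x-content-type-options",
  "cross-origin-opener-policy",
  "cross-origin-resource-policy",
]);

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// manifest: parsed manifest.json; ruleSets: [{ name, rules }] with the parsed
// contents of each declarative_net_request.rule_resources file.
function auditExtension(manifest, ruleSets) {
  const findings = [];
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  const hosts = manifest.host_permissions || [];

  if (perms.has("identity")) {
    findings.push({
      severity: "medium",
      detail: "declares the identity permission; chrome.identity can return the signed-in Google profile",
    });
  }
  if (manifest.background && manifest.background.service_worker) {
    findings.push({
      severity: "info",
      detail: `background service worker ${manifest.background.service_worker} can run on browser start`,
    });
  }
  if (hosts.some((h) => BROAD_HOSTS.has(h))) {
    findings.push({ severity: "medium", detail: "requests host permissions for all sites" });
  }
  for (const { name, rules } of ruleSets) {
    for (const rule of rules) {
      const action = rule.action || {};
      if (action.type !== "modifyHeaders") continue;
      for (const h of action.responseHeaders || []) {
        const header = String(h.header || "").toLowerCase();
        if (h.operation === "remove" && SECURITY_HEADERS.has(header)) {
          findings.push({
            severity: "high",
            detail: `rule set ${name}, rule ${rule.id} removes response header ${header}`,
            domains: (rule.condition && rule.condition.requestDomains) || ["(any)"],
          });
        }
      }
    }
  }
  return findings;
}

// Load an unpacked extension directory from disk. fs/path are required lazily
// so the pure audit function above can be used without a file system.
function loadUnpackedExtension(dir) {
  const fs = require("fs");
  const path = require("path");
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, "manifest.json"), "utf8"));
  const resources = (manifest.declarative_net_request || {}).rule_resources || [];
  const ruleSets = resources.map((r) => ({
    name: r.id,
    rules: JSON.parse(fs.readFileSync(path.join(dir, r.path), "utf8")),
  }));
  return { manifest, ruleSets };
}

// Constructed sample: a sidebar-style MV3 manifest and one static rule set.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Sidebar (constructed sample)",
  permissions: ["identity", "declarativeNetRequest", "sidePanel"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
  declarative_net_request: { rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }] },
};
const SAMPLE_RULE_SETS = [
  {
    name: "ruleset_1",
    rules: [
      {
        id: 1, priority: 1,
        action: { type: "modifyHeaders", responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
        condition: { requestDomains: ["example.com"], resourceTypes: ["main_frame"] },
      },
      { id: 2, priority: 1, action: { type: "block" }, condition: { urlFilter: "tracker.example", resourceTypes: ["script"] } },
    ],
  },
];

function auditSample() {
  return auditExtension(SAMPLE_MANIFEST, SAMPLE_RULE_SETS);
}

if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const { manifest, ruleSets } = target ? loadUnpackedExtension(target) : { manifest: SAMPLE_MANIFEST, ruleSets: SAMPLE_RULE_SETS };
  console.log(JSON.stringify(auditExtension(manifest, ruleSets), null, 2));
}
```

Run it as `node audit.js /path/to/unpacked-extension` to audit a real package, or with no argument to see the findings for the constructed sample (one high finding for the CSP-removing rule, plus the identity, service-worker and host-permission notes). A rule that removes a security header is only suspicious in context, which is why the finding carries the rule's request domains: an ad blocker that removes a header on its own settings page reads very differently from a "sidebar" that removes Content-Security-Policy on third-party sites.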

The infrastructure behind the campaign also suggested a durable commercial operation rather than a one-off stunt. According to Socket, all 108 extensions connected to the same backend at cloudapi[.]stream, with subdomains assigned to identity theft, session exfiltration, ad injection, payments, translation traffic and other functions. The researchers said a payment portal and user-account system pointed to a malware-as-a-service model in which stolen identities and sessions could be made available to paying customers. Code comments in Russian and reused privacy-policy material across different extensions added to the impression of centralised authorship, though the public evidence stops short of a definitive attribution to a named group.
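Because every extension in the cluster reportedly talks to one backend domain, the most direct detection for a fleet is a DNS or proxy log search for that domain and anything beneath it. Here is an added example of that check, written for this article and not part of Socket's or BleepingComputer's work. It takes the defanged indicator exactly as the article prints it (cloudapi[.]stream), restores it to a matchable hostname, and reports every query for the apex or any subdomain, grouped by client. The log line format, the client addresses, the timestamps and the subdomain labels in the sample are constructed; the article does not list the real subdomain names.

```javascript
// Added example (not from the article, Socket or BleepingComputer): match DNS
// query logs against the backend domain the article names and its subdomains.
// Log format and sample lines are constructed for this example.

// Turn a defanged indicator ("a[.]b", "hxxp://...") back into a matchable form.
function refang(ioc) {
  return ioc.trim().toLowerCase().replace(/\[\.\]/g, ".").replace(/^hxxp/, "http");
}

// Indicator taken from the article, defanged there as cloudapi[.]stream.
const C2_DOMAINS = ["cloudapi[.]stream"].map(refang);

// True when qname is the domain itself or a subdomain of it (never a lookalike
// such as "notcloudapi.stream", which shares only a suffix).
function matchesDomain(qname, domain) {
  const q = qname.toLowerCase().replace(/\.$/, "");
  return q === domain || q.endsWith("." + domain);
}

// Constructed log format: "<ISO timestamp> <client IP> <qname> <qtype>"
function parseDnsLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 4) return null;
  const [ts, client, qname, qtype] = parts;
  return { ts, client, qname, qtype };
}

// Scan log lines and return every lookup that hits an indicator, annotated
// with the matched indicator and the subdomain label ("" for the apex).
function findC2Lookups(lines, domains = C2_DOMAINS) {
  const hits = [];
  for (const line of lines) {
    const rec = parseDnsLine(line);
    if (!rec) continue;
    const matched = domains.find((d) => matchesDomain(rec.qname, d));
    if (!matched) continue;
    const q = rec.qname.toLowerCase().replace(/\.$/, "");
    const subdomain = q === matched ? "" : q.slice(0, q.length - matched.length - 1);
    hits.push({ ...rec, indicator: matched, subdomain });
  }
  return hits;
}

// Group hits by client so each affected browser and the set of backend
// subdomains it touched can be triaged together.
function summarizeByClient(hits) {
  const byClient = {};
  for (const h of hits) {
    const set = byClient[h.client] || (byClient[h.client] = new Set());
    set.add(h.subdomain || "(apex)");
  }
  return Object.fromEntries(
    Object.entries(byClient).map(([client, set]) => [client, [...set].sort()]),
  );
}

// Constructed sample log; the "api" label is invented and not from the report.
const SAMPLE_DNS_LOG = [
  "2001-01-01T09:12:01Z 10.0.0.12 www.example.com A",
  "2001-01-01T09:12:03Z 10.0.0.12 api.cloudapi.stream A",
  "2001-01-01T09:12:05Z 10.0.0.27 cloudapi.stream. A",
  "2001-01-01T09:12:07Z 10.0.0.27 notcloudapi.stream A",
  "2001-01-01T09:12:09Z 10.0.0.12 cloudapi.stream.example.net A",
  "malformed line",
];

function scanSample() {
  return findC2Lookups(SAMPLE_DNS_LOG);
}

if (typeof require !== "undefined" && require.main === module) {
  const hits = scanSample();
  console.log(hits);
  console.log(summarizeByClient(hits));
}
```

Against the constructed sample, only the two genuine lookups match; the lookalike apex and the name that merely contains the indicator as a label are rejected by the dot-boundary check. In production the same logic runs over real resolver or proxy exports, and the per-client summary is what an incident responder needs first: which machines have an extension from the cluster installed, and which backend functions (by subdomain) they have been reaching.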

The case also revives a stubborn question for Google’s extension ecosystem: why malicious add-ons still make it through official review. Chrome’s own developer guidance states that remotely hosted executable code is not allowed in Manifest V3 extensions and that code executed by the browser must be bundled inside the extension package. Yet the Socket report argues that the extensions breached Chrome Web Store rules in other ways, including misleading privacy declarations and undisclosed routing of sensitive user data to third-party servers unrelated to the advertised service. At the time Socket published its findings, the extensions were still live, and BleepingComputer said it was able to confirm that many remained available when it reported the story.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
