More than 100 Chrome extensions have been tied to a widespread campaign that harvested identity data, paved the way for a background-style browser, and in some cases siphoned Telegram Web session data. The researchers linked 108 add-ons to the same control network, with about 20,000 extensions installed in the Chrome Web Store at the time the findings were published.
What makes this one so striking is the range. Extensions have appeared such as Telegram tools, slot and Keno games, translation services, YouTube and TikTok assistants, and basic page tools, which have helped the functionality to be integrated into the kind of things people install without much thought. See the full list here.
Researchers said the extensions were still in place when the report went up, and takedown requests had already been submitted. That gives this story a practical edge for Chrome users who haven’t tested their add-ons in a while.
The worst behavior was never the same
Damage is not limited to one trick. The study found that 54 extensions collected Google account credentials after a user clicked the sign-in button, while one Telegram-focused extension extracted data about an active Telegram Web session every 15 seconds. Another 45 include a routine that can open arbitrary URLs whenever Chrome starts, even if the user has never opened an extension that day.
Some plugins strip security protections from sites like the Telegraph, YouTube, and TikTok before injecting overlays, ads, or text onto pages. One translation tool also moved the text sent through the user’s server, answering the simple question of monitoring risk.
Why this should concern regular Chrome users
The main problem was how common the bait looked. These weren’t just obscure tools for power users. The list included games, browser helpers, sidebar clients, and translation add-ons, exactly the kind of add-ons that people pick up because the store page looks polished and the feature seems useful.
Extensions tend to fade into the background once installed. In this case, the researchers traced the activity from that mixed bag of tools back to the same back-end infrastructure, which turned a seemingly random bunch of add-ons into a single task with few ways to collect data or change the browsing experience.
Check your extensions now
The next smart move is to check Chrome’s built-in features, especially anything related to Telegram, light games, translation, or sidebar utilities that request login access for no apparent reason. The study lists 108 extensions by name and ID, and recommends deleting any matches immediately.
The most dangerous case appears to be a Telegram extension that repeatedly leaked web session data. Anyone who used it while logged in to Telegram Web should disconnect other Telegram sessions from the mobile app, and users signed in to one of the Google-linked extensions should review account access and cancel anything they’re unfamiliar with.
