ATTACK SURFACE | BROWSER SECURITY
Active Threat

108 Chrome Extensions in Google's Official Store Are Stealing OAuth2 Tokens. All of Them Are Still Available to Download.

Socket Security identified a coordinated campaign of 108 malicious Chrome extensions under five publisher identities — all routing stolen Google OAuth2 tokens and Telegram session data to a single shared C2 server. 20,000 users are already affected. As of April 15, 2026, not one extension has been removed.

108
Malicious extensions identified in Chrome Web Store
20,000
Users with stolen Google account identity
54
Extensions exfiltrating OAuth2 Bearer tokens
45
Extensions containing universal backdoor

A coordinated campaign of 108 malicious Chrome extensions targeting Google OAuth2 token theft has been identified inside the official Chrome Web Store — and as of April 15, 2026, every one remains live and available to download.

Socket Security's Threat Research Team published their findings on April 14, revealing that 108 extensions distributed under five distinct publisher identities route Google account identity data, OAuth2 Bearer tokens, and Telegram session data to a single command-and-control server at 144.126.135[.]238. The campaign has accumulated approximately 20,000 installs across categories engineered to appear trustworthy: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and browser utilities.

The attack surface this campaign exploits is not a narrow one. An OAuth2 Bearer token is a credential-free pass to the Google APIs it was scoped for: whoever holds it can call those APIs as the user, with no password and no MFA challenge, because both were satisfied when the token was issued. Its reach is bounded by two things worth checking rather than assuming: the scopes the extension declared when it requested the token, and the token's lifetime (access tokens of this kind normally expire after about an hour, but an installed extension can request a fresh one on every run for as long as the grant stands). In an enterprise where employees authenticate to business tools through Google SSO, that still makes a stolen token a lateral movement pre-position rather than a simple credential theft event. The attacker does not need a password. They do not need to bypass MFA. They need the token, and 54 extensions in this campaign have been silently exfiltrating exactly that.

Google was notified by Socket on April 14. As of April 15, none of the 108 extensions had been removed from the Chrome Web Store. The 20,000 users who installed them have already had their account identity transmitted to attacker infrastructure. For enterprises where browser extension installation is unmanaged or loosely governed, this campaign is not a theoretical risk. It is active, coordinated, and still running.

Campaign architecture: five publisher identities, one shared C2 backend

Socket Security's researchers identified 108 malicious Chrome extensions connected by a single shared backend infrastructure. Despite appearing to come from different developers, all 108 extensions route data to the same C2 at IP address 144.126.135[.]238, using the domain mines[.]cloudapi[.]stream.

The threat actor published the extensions under five distinct publisher identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. The categories were deliberately chosen to mimic legitimate utility and entertainment extensions: Telegram sidebar assistants, slot machine games, Keno games, YouTube and TikTok enhancers, and text translation tools. These categories attract both casual users and business users looking for productivity shortcuts.

By distributing 108 extensions across five publisher identities and multiple unrelated categories, the threat actor reduces the likelihood of pattern detection by automated review systems. A single malicious publisher with 108 extensions would trigger scrutiny; five publishers with roughly 20 extensions each across gaming, productivity, and messaging categories is far easier to conceal in a store hosting over 130,000 extensions.

Russian-language comments were discovered embedded in the source code of multiple extensions during analysis — a linguistic attribution indicator, though confirmed nation-state involvement has not been established. The shared C2 backend is the definitive fingerprint that ties the campaign together.

OAuth2 Bearer token theft: what attackers can do with your Google identity

The most operationally dangerous component of this campaign is the OAuth2 token theft cluster. Fifty-four of the 108 extensions use Chrome's chrome.identity.getAuthToken API, the same call a legitimate extension makes for Google Sign-In, to obtain a token for the user signed into Chrome and then forward it, together with the profile data it unlocks, to the C2. Nothing in that exchange looks wrong to the user; the theft is in what happens to the token afterwards.

When a user installs one of these extensions and clicks the embedded sign-in button, the extension requests a Google OAuth2 Bearer token. Any sign-in or consent UI Chrome shows at that point is Google's own, which is what makes the flow convincing. What follows is invisible: the extension transmits the user's Google email address, full name, profile picture URL, Google account identifier, and the OAuth2 Bearer token itself to mines[.]cloudapi[.]stream/auth_google.

An OAuth2 Bearer token is not a password, and in some respects it is more dangerous than one. It provides immediate, authenticated access to the Google APIs in its scope without a credential prompt. It sidesteps multi-factor authentication entirely, since MFA was already completed when the token was issued. What it is not is an SSO assertion: a Google access token will not by itself sign an attacker into Salesforce, Slack, GitHub, Atlassian or any other application federated to Google Workspace. The damage therefore depends on the scopes the token carries. A token limited to the profile and email scopes hands over identity data, which is what the exfiltrated fields (email, name, picture, account ID) correspond to; a token scoped to Gmail or Drive reaches the mailbox and documents behind every password reset and document share in the organisation. Check the scopes declared in each extension's manifest before deciding how wide the blast radius is.

For organisations that have been tracking the ShinyHunters Salesforce breach covered in our recent dark web intel post, this OAuth2 token attack completes a related picture: the cloud identity infrastructure powering enterprise SaaS is under simultaneous attack across multiple vectors. Browser-level credential theft and cloud misconfiguration exploitation both lead to the same destination — unauthorised access to business-critical systems without triggering an MFA challenge.

54 extensions steal Google account identity via OAuth2. Users who clicked the sign-in button have had their email, name, profile picture, account ID, and OAuth2 Bearer token transmitted to attacker infrastructure.

Socket Security Threat Research Team — April 14, 2026

The backdoor cluster: 45 extensions that execute arbitrary code on every browser launch

A separate cluster of 45 of the 108 extensions carries a different capability: a universal backdoor that activates on browser startup.

When Chrome launches on an endpoint where one of these 45 extensions is installed, the extension contacts the C2 server at 144.126.135[.]238 and receives a URL to open. The extension then navigates the browser to that URL without any user interaction. The attacker controls which URL is served — and can change it at any time without pushing an extension update.

At minimum, this backdoor enables ad fraud: silently loading ad-serving pages in background tabs generates fraudulent impressions without visible activity. At worst, the C2-supplied URL can be a phishing page, a credential-harvesting site, a malicious download, or a page targeting a browser vulnerability. The April 2026 Patch Tuesday advisory identified multiple actively exploited browser vulnerabilities — an extension backdoor capable of targeting those flaws on every Chrome startup creates a compounded risk chain that requires only a single extension installation to initiate.

This persistence mechanism is particularly significant in enterprise environments where browsers are launched at the start of every working day on the same managed endpoint. A backdoor that runs every morning, on every affected endpoint, reaching out to attacker-controlled infrastructure for instructions, represents a durable and reliable attacker foothold that survives most conventional remediation actions short of explicit extension removal.

Telegram session hijacking: one extension, exfiltrating every 15 seconds

The most technically precise component of the campaign is the Telegram session hijacking extension, identified by Chrome extension ID obifanppcpchlehkjipahhphbcbjekfa.

Any user who had this extension installed and opened web.telegram.org had their Telegram Web session continuously exfiltrated. The extension extracts the entire contents of Telegram Web's localStorage — containing session tokens, account identifiers, and message-handling state — every 15 seconds, transmitting each snapshot to the attacker's C2 server.

The extension does not stop at exfiltration. It accepts inbound commands from the C2 server that can overwrite the victim's Telegram Web localStorage with attacker-supplied session data, then force a page reload. The practical effect is a silent account swap: the victim's Telegram Web session is replaced with the attacker's, giving the attacker full control of the Telegram account through the victim's browser without any visible indication that the account has been compromised.

For organisations where Telegram is used for operational communications — a common pattern in technology, finance, and media — this extension gives attackers direct access to internal messaging channels, contact lists, and files shared through Telegram Web. The 15-second exfiltration interval ensures that even a brief Telegram Web session is captured before the user closes the tab.

The extension exfiltrates Telegram Web localStorage every 15 seconds. It also accepts commands to overwrite the victim's session with the attacker's — effectively swapping accounts without any visible indication.

Socket Security research disclosure — April 14, 2026

Indicators of compromise

The following IOCs were published by Socket Security on April 14, 2026. Block C2 infrastructure at the network layer and hunt for the publisher identities in your browser extension inventory.

Artifact                              Type                  Notes
144.126.135[.]238                     C2 IP address         Shared backend infrastructure for all 108 malicious extensions
mines[.]cloudapi[.]stream             C2 domain             Primary C2 domain; the /auth_google endpoint receives exfiltrated OAuth2 tokens and profile data
obifanppcpchlehkjipahhphbcbjekfa      Chrome extension ID   "Telegram Multi-account"; exfiltrates web.telegram.org localStorage every 15 seconds and accepts session-swap commands
Yana Project                          Publisher identity    Malicious publisher account; remove all extensions published under it
GameGen                               Publisher identity    Slot machine and Keno games publisher; extensions target OAuth2 theft
SideGames / Rodeo Games / InterAlt    Publisher identity    The three remaining malicious publisher accounts; audit and remove all extensions from them

The extension ID above is the one the disclosure names; Socket Security's write-up (reference 1 below) is the authoritative source for the remaining extension IDs and is what fleet inventories should be matched against, since the Web Store publisher name is not recorded in an installed extension's manifest.

Enterprise remediation: six actions to take right now

Six immediate actions for security and IT teams:

Audit all browser extensions on managed endpoints

Use Chrome Enterprise reporting, Intune, or osquery to pull a full inventory of installed Chrome extensions across your fleet. Match on extension IDs from Socket's published list rather than on publisher name alone: the Web Store publisher (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt) is not stored in the installed extension's manifest, so endpoint-side tools such as osquery cannot filter on it; if all you have is a name, cross-reference it against the Web Store listing to get the ID. Remove all matching extensions without waiting for user self-reporting. If you cannot pull a fleet-wide inventory today, that visibility gap is itself a critical finding requiring immediate remediation.

Block C2 infrastructure at the network perimeter

Add 144.126.135[.]238 and mines[.]cloudapi[.]stream to your firewall blocklist, DNS sinkhole, and proxy blocklist immediately. Any endpoint attempting to reach this infrastructure after today should trigger an incident response alert. Network-level blocking halts ongoing exfiltration from already-installed extensions while endpoint removal proceeds.
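The network-side hunt that the blocklist step implies, as an added example that is not part of Socket's report: it parses proxy and DNS telemetry, matches the C2 domain (including subdomains) and the C2 IP (including when it appears as a URL host), and reduces the hits to the set of endpoints that need an IR ticket. The sample lines are constructed to look like a Squid native access log and a Zeek dns.log in default column order; the field positions are assumptions you adjust for your own log formats.

```python
"""Hunt proxy and DNS telemetry for the campaign C2. Added example, not
from Socket Security's report. Sample lines are constructed to look like
a Squid native access log and a Zeek dns.log (tab-separated, default
field order); adjust the field positions for your own log formats."""
import ipaddress
from urllib.parse import urlsplit

C2_IP = ipaddress.ip_address("144.126.135.238")   # published IOC
C2_DOMAIN = "mines.cloudapi.stream"               # published IOC


def host_matches_c2(host):
    """True for the C2 domain, any subdomain of it, or the C2 IP."""
    if not host:
        return False
    host = host.strip().rstrip(".").lower()
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        return True
    try:
        return ipaddress.ip_address(host) == C2_IP
    except ValueError:
        return False


def parse_squid(line):
    """Squid native format: ts elapsed client status bytes method url user hier type."""
    f = line.split()
    if len(f) < 7:
        return None
    url = f[6]
    if "://" in url:
        host = urlsplit(url).hostname          # GET/POST with a full URL
    else:
        host = url.rsplit(":", 1)[0]           # CONNECT host:port
    return {"ts": f[0], "src": f[2], "host": host, "detail": f"{f[5]} {url}"}


def parse_zeek_dns(line):
    """Zeek dns.log default columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query ..."""
    if line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 10:
        return None
    return {"ts": f[0], "src": f[2], "host": f[9], "detail": f"dns query {f[9]}"}


def hunt(squid_lines, zeek_dns_lines):
    """Return (source, src_ip, ts, detail) for every line that touches the C2."""
    hits = []
    for source, lines, parser in (("proxy", squid_lines, parse_squid),
                                  ("dns", zeek_dns_lines, parse_zeek_dns)):
        for line in lines:
            rec = parser(line)
            if rec and host_matches_c2(rec["host"]):
                hits.append((source, rec["src"], rec["ts"], rec["detail"]))
    return hits


def endpoints_to_isolate(hits):
    """Distinct client IPs that reached the C2: each one is an IR ticket, not a log line."""
    return sorted({h[1] for h in hits})


# Constructed sample telemetry (not real captures).
SQUID_LOG = [
    "1776240001.123    210 10.0.0.7 TCP_TUNNEL/200 5120 CONNECT mines.cloudapi.stream:443 alice HIER_DIRECT/144.126.135.238 -",
    "1776240002.456     80 10.0.0.12 TCP_MISS/200 300 POST http://144.126.135.238/auth_google - HIER_DIRECT/144.126.135.238 application/json",
    "1776240003.789     40 10.0.0.9 TCP_MISS/200 9000 GET https://www.google.com/ bob HIER_DIRECT/142.250.74.36 text/html",
]
ZEEK_DNS_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery",
    "1776240010.000\tCabc1\t10.0.0.7\t51000\t10.0.0.53\t53\tudp\t1\t0.01\tapi.mines.cloudapi.stream",
    "1776240011.000\tCabc2\t10.0.0.21\t51001\t10.0.0.53\t53\tudp\t2\t0.01\tmines.cloudapi.stream",
    "1776240012.000\tCabc3\t10.0.0.9\t51002\t10.0.0.53\t53\tudp\t3\t0.01\twww.google.com",
]

if __name__ == "__main__":
    found = hunt(SQUID_LOG, ZEEK_DNS_LOG)
    for hit in found:
        print(hit)
    print("isolate:", endpoints_to_isolate(found))
```

The subdomain match matters because the disclosure names mines[.]cloudapi[.]stream as the primary C2 domain, not the only hostname under it, and the IP match catches the /auth_google POST even where no DNS lookup preceded it.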

Require affected users to revoke all OAuth2 tokens

Direct affected users to Google Account > Security > Third-party apps with account access and remove every grant they do not recognise, or do it for them: Workspace admins can remove a user's connected applications from the Admin console (Users > the user > Security > Connected applications) or through the Admin SDK Directory API tokens endpoint. Extension removal alone is insufficient. The Bearer token the attacker already holds stays valid until it expires whether or not the extension is still installed, and the OAuth grant behind it stays on the account until someone revokes it. Revocation is a separate explicit step; once a grant is revoked, its tokens are rejected even if the attacker retains the token string.
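Admin-side revocation, as an added example that is neither Socket Security's nor Google's code: it drives the Admin SDK Directory API tokens.list and tokens.delete endpoints so that cleanup does not depend on each affected user finding the right settings page. Assumptions: the transport is a callable (method, url) carrying a Workspace admin's bearer token, the known-bad client IDs come from the oauth2.client_id field in the malicious manifests (the values below are hypothetical), and the grouping of scopes into "high impact" is a starting point, not Google's classification. An in-memory stand-in for the API is included so the example runs offline.

```python
"""Admin-side revocation of a user's OAuth grants through the Admin SDK
Directory API (tokens.list / tokens.delete). Added example, not from
Socket Security or Google. Assumptions:
  * http(method, url) is a transport that already carries a Workspace
    admin's bearer token and returns the parsed JSON body (None for DELETE);
    urllib_transport builds one, FakeDirectory stands in for it offline;
  * known_bad_client_ids come from the oauth2.client_id field of the
    malicious manifests; the values used here are hypothetical.
"""
import json
import urllib.request

TOKENS_URL = "https://admin.googleapis.com/admin/directory/v1/users/{user}/tokens"

# Scopes that reach more than the profile; a grant carrying any of these is
# treated as high impact. (Assumed grouping, extend it for your tenant.)
HIGH_IMPACT_SCOPE_PREFIXES = (
    "https://www.googleapis.com/auth/gmail",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/admin",
)


def urllib_transport(admin_access_token):
    """Real transport: returns a callable (method, url) -> parsed JSON or None."""
    def http(method, url):
        req = urllib.request.Request(
            url, method=method,
            headers={"Authorization": f"Bearer {admin_access_token}"})
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else None
    return http


def impact(grant):
    """'high' if the grant's scopes reach mail/Drive/Calendar/admin, else 'identity'."""
    scopes = grant.get("scopes", [])
    if any(s.startswith(HIGH_IMPACT_SCOPE_PREFIXES) for s in scopes):
        return "high"
    return "identity"


def plan_revocation(grants, known_bad_client_ids=(), revoke_everything=False):
    """Decide which clientIds to delete for one user.

    revoke_everything mirrors the advice above (revoke all grants); otherwise
    only grants whose clientId is on the known-bad list are removed and the
    rest are reported with their impact so an analyst can decide.
    """
    revoke, keep = [], []
    for g in grants:
        cid = g.get("clientId")
        if revoke_everything or cid in known_bad_client_ids:
            revoke.append(cid)
        else:
            keep.append((cid, impact(g)))
    return revoke, keep


def revoke_user_grants(http, user, known_bad_client_ids=(), revoke_everything=False):
    """List the user's grants, delete the selected ones, return (revoked, kept)."""
    base = TOKENS_URL.format(user=user)
    grants = (http("GET", base) or {}).get("items", [])
    revoke, keep = plan_revocation(grants, known_bad_client_ids, revoke_everything)
    for cid in revoke:
        http("DELETE", f"{base}/{cid}")
    return revoke, keep


class FakeDirectory:
    """Offline stand-in for the Directory API, holding constructed grants."""
    def __init__(self, grants):
        self.grants = {g["clientId"]: g for g in grants}

    def __call__(self, method, url):
        if method == "GET":
            return {"kind": "admin#directory#tokenList", "items": list(self.grants.values())}
        if method == "DELETE":
            self.grants.pop(url.rsplit("/", 1)[1])
            return None
        raise ValueError(method)


# Constructed grants in the shape tokens.list returns (client IDs are hypothetical).
SAMPLE_GRANTS = [
    {"clientId": "111-evil.apps.googleusercontent.com", "displayText": "Video Enhancer",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "222-mail.apps.googleusercontent.com", "displayText": "Mail client",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"clientId": "333-calendar.apps.googleusercontent.com", "displayText": "Room booking",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
]

if __name__ == "__main__":
    api = FakeDirectory(SAMPLE_GRANTS)
    revoked, kept = revoke_user_grants(
        api, "alice@example.com",
        known_bad_client_ids={"111-evil.apps.googleusercontent.com"})
    print("revoked:", revoked)
    print("kept (clientId, impact):", kept)
    # Swap in urllib_transport("<admin access token>") to run against the real API.
```

Run with revoke_everything=True to follow the blanket advice above; the targeted mode exists because a fleet-wide "revoke all" also disconnects every legitimate integration, and the impact column tells you which of those will hurt when they stop working.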

Enforce Chrome extension allowlisting via enterprise policy

Use Chrome Browser Cloud Management, Intune, or Group Policy to enforce extension allowlisting: set ExtensionInstallBlocklist to "*" and list approved extension IDs in ExtensionInstallAllowlist. If you cannot move to an allowlist immediately, use the ExtensionSettings policy to block the capabilities this campaign depends on (blocked_permissions for the identity API, runtime_blocked_hosts to keep unreviewed extensions off sensitive sites). Chrome policy cannot block by publisher, so "unvetted publisher" has to be expressed as a list of extension IDs. Extensions requesting access to all URLs combined with identity APIs should require explicit security review before approval.
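The inventory audit above and the review criterion just described (identity API plus all-URL host access) are the same check applied to manifests, so here is one added example that does both; it is not Socket Security's tooling. It assumes an inventory of (extension ID, manifest) pairs, which is what osquery's chrome_extensions table or a walk over a Chrome profile's Extensions directory gives you, and the three manifests in the sample inventory are constructed for the demo (two IDs are hypothetical; the third is the published Telegram extension ID).

```python
"""Triage an installed-extension inventory against this campaign's IOCs and
the policy review criteria. Added example, not Socket Security's tooling.

Assumptions (not from the original report):
  * the inventory is a list of (extension_id, manifest) pairs, as produced by
    osquery's chrome_extensions table (manifest_json column) or by walking
    <Chrome profile>/Extensions/<id>/<version>/manifest.json;
  * the manifests in SAMPLE_INVENTORY are constructed for the demo.
"""
import json
from pathlib import Path

# Published IOCs; extend IOC_EXTENSION_IDS from Socket's full list.
IOC_EXTENSION_IDS = {"obifanppcpchlehkjipahhphbcbjekfa"}
IOC_C2_HOSTS = ("mines.cloudapi.stream", "144.126.135.238")

# Host patterns that amount to "every site".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def declared_permissions(manifest):
    """API and host permissions across the MV2 and MV3 manifest keys."""
    perms = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        perms.update(manifest.get(key, []))
    return perms


def triage(ext_id, manifest):
    """Return the findings for one extension (empty list means nothing to flag)."""
    findings = []
    if ext_id in IOC_EXTENSION_IDS:
        findings.append("known_ioc_extension_id")

    perms = declared_permissions(manifest)
    has_identity = "identity" in perms                      # chrome.identity.getAuthToken needs this
    has_oauth2 = isinstance(manifest.get("oauth2"), dict)   # client_id + scopes block
    broad_hosts = bool(perms & BROAD_HOST_PATTERNS)

    if has_identity and has_oauth2:
        scopes = ",".join(manifest["oauth2"].get("scopes", []))
        findings.append("identity_api_with_oauth2_scopes:" + scopes)
    if has_identity and broad_hosts:
        findings.append("identity_api_plus_all_urls")

    # C2 host anywhere in the manifest (update_url, CSP, externally_connectable ...).
    blob = json.dumps(manifest)
    if any(host in blob for host in IOC_C2_HOSTS):
        findings.append("c2_host_in_manifest")
    return findings


def verdict(findings):
    """remove: matches a published IOC; review: matches the review criteria; allow: neither."""
    if any(f.startswith(("known_ioc", "c2_host")) for f in findings):
        return "remove"
    if findings:
        return "review"
    return "allow"


def scan_inventory(inventory):
    """Map extension id -> (verdict, findings) for everything that is not 'allow'."""
    report = {}
    for ext_id, manifest in inventory:
        findings = triage(ext_id, manifest)
        v = verdict(findings)
        if v != "allow":
            report[ext_id] = (v, findings)
    return report


def scan_profile(profile_dir):
    """Same scan over a real Chrome profile directory (e.g. ~/.config/google-chrome/Default)."""
    inventory = []
    for mf in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        inventory.append((mf.parent.parent.name, json.loads(mf.read_text(encoding="utf-8"))))
    return scan_inventory(inventory)


# Constructed sample inventory: the published Telegram extension ID, a hypothetical
# sign-in extension with the campaign's permission shape, and a benign extension.
SAMPLE_INVENTORY = [
    ("obifanppcpchlehkjipahhphbcbjekfa", {
        "manifest_version": 3, "name": "Telegram Multi-account",
        "permissions": ["storage", "tabs"],
        "host_permissions": ["https://web.telegram.org/*"],
    }),
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", {            # hypothetical id
        "manifest_version": 3, "name": "Video Enhancer",
        "permissions": ["identity", "storage"],
        "host_permissions": ["<all_urls>"],
        "oauth2": {"client_id": "example.apps.googleusercontent.com",
                   "scopes": ["openid",
                              "https://www.googleapis.com/auth/userinfo.email",
                              "https://www.googleapis.com/auth/userinfo.profile"]},
    }),
    ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", {            # hypothetical id
        "manifest_version": 3, "name": "Dark Mode",
        "permissions": ["storage"],
    }),
]

if __name__ == "__main__":
    for ext_id, (v, findings) in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{v.upper():7} {ext_id}  {'; '.join(findings)}")
```

Two things the scan deliberately does not do: it does not trust the manifest "name", which is often a localised placeholder (__MSG_name__) and trivially forged, and it does not try to identify the publisher, which is not in the manifest at all. Identity comes from the extension ID, and the ID is what you match against Socket's list.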

Hunt for Telegram Web session anomalies on managed endpoints

If Telegram Web is used in your organisation, hunt for the extension ID obifanppcpchlehkjipahhphbcbjekfa across endpoint telemetry. Any endpoint with this extension that also accessed web.telegram.org should be treated as having a compromised Telegram session. Require those users to terminate every session from the Telegram mobile app (Settings > Devices > Terminate All Other Sessions) rather than from the browser: the browser session may already be the attacker's swapped-in one, and terminating from the phone kills the attacker's session along with the stolen copy of the victim's.

Establish a formal browser extension vetting process

This campaign succeeded because browser extensions are routinely installed without security review. Implement a formal vetting process: require business justification, review permissions and publisher history, and enforce security approval before any new extension reaches managed endpoints. The Chrome Web Store's review process has proven insufficient to prevent coordinated campaigns of this type — organisational policy must compensate.

The bottom line

The 108 malicious Chrome extension campaign shows how browser extension attack surface is being operationalised at scale. The Chrome Web Store is a trusted distribution channel, and users install extensions without the scrutiny they would apply to standalone executables. This campaign exploits that trust systematically, using five publisher identities, 108 extensions, and a shared C2 to extract Google identity data and tokens across 20,000 installs.

The 20,000 users already affected have had their Google account identity exfiltrated. If your organisation has employees who installed extensions from Yana Project, GameGen, SideGames, Rodeo Games, or InterAlt, assume those Google identities are in attacker hands. Revoke tokens. Remove extensions. Block C2 infrastructure. Then build the extension governance process that would have stopped this before the first install.

Frequently asked questions

What is a Google OAuth2 Bearer token and why is stealing one dangerous?

An OAuth2 Bearer token grants access to the Google APIs it was scoped for (profile data, Gmail, Drive, Calendar, depending on the scopes requested) without a username or password. Any attacker holding a valid Bearer token can call those APIs as the token owner until it expires or the grant is revoked. Stolen tokens bypass MFA entirely: the token proves authentication already occurred. In enterprises built on Google Workspace, that is the identity every connected SaaS application trusts, even though the token itself is not an SSO login.

How did these malicious Chrome extensions steal OAuth2 tokens?

The 54 token-stealing extensions used Chrome's chrome.identity.getAuthToken API, a legitimate browser API for Google Sign-In, to obtain a token when the user clicked the extension's sign-in button, then read the user's Google email, full name, profile picture URL and account ID and transmitted them, together with the OAuth2 Bearer token, to attacker infrastructure at mines[.]cloudapi[.]stream/auth_google. The exfiltration itself produces no prompt and no visible sign to the user.

Are the 108 malicious Chrome extensions still live in the Chrome Web Store?

As of April 15, 2026 — one day after Socket Security notified Google — all 108 extensions remained available for download. Extensions were published under five accounts: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Any user who installed extensions from these publisher accounts should audit their browser and revoke Google OAuth2 tokens immediately.

What is the C2 infrastructure behind this Chrome extension campaign?

All 108 malicious extensions share a single backend at IP 144.126.135[.]238, using domain mines[.]cloudapi[.]stream. The OAuth2 exfiltration endpoint is mines[.]cloudapi[.]stream/auth_google. Sharing one C2 across 108 extensions confirms a single coordinated threat actor. Block this IP and domain at your network perimeter to halt ongoing exfiltration.

How does the Telegram session hijacking extension work?

Extension ID obifanppcpchlehkjipahhphbcbjekfa extracts Telegram Web localStorage — containing session tokens and account data — every 15 seconds and sends it to the attacker's C2. It also accepts commands from the C2 to overwrite the victim's localStorage with attacker session data, silently swapping Telegram accounts without any visible indication to the victim.

What should enterprise security teams do about this Chrome extension campaign?

Immediately audit extension inventory on all managed endpoints. Remove extensions from Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Block 144.126.135[.]238 and mines[.]cloudapi[.]stream at the network layer. Require affected users to revoke OAuth2 grants at Google Account > Security > Third-party apps. Enforce extension allowlisting via Chrome Enterprise or Intune.

Who is behind the 108 malicious Chrome extensions?

Attribution is unconfirmed. Socket Security found Russian-language comments embedded in multiple extensions' source code, suggesting a Russian-speaking threat actor. The shared C2 infrastructure and operational sophistication — 108 extensions across five publisher identities in coordinated categories — indicate a single organised actor rather than independent opportunists.

How is this extension attack different from a phishing attack?

Phishing requires a victim to enter credentials on a fake page. This campaign requires only an extension installation and a click on a sign-in button backed by Google's real OAuth flow. Once active, extensions extract OAuth2 tokens via legitimate browser APIs with no fake page, no credential entry, and no anomalous behaviour visible to the user. From a detection standpoint, the attack is nearly invisible without explicit browser extension monitoring or network telemetry for the C2.

Sources & references

  1. Socket Security — 108 Chrome Extensions Linked to Data Exfiltration and Session Theft
  2. The Hacker News — 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users
  3. BleepingComputer — Over 100 Chrome Web Store Extensions Steal User Accounts, Data
  4. gHacks Tech News — Over 100 Malicious Chrome Extensions Steal Google Tokens, Hijack Telegram Sessions
  5. Cybernews — Over 100 Chrome Extensions Flagged for Stealing User Data

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.