A major new threat has just been uncovered. Security researchers at Socket identified 108 malicious Chrome extensions that were quietly stealing passwords, Google account data, and browsing sessions from thousands of users. The extensions looked completely normal. Some even worked as advertised. But behind the scenes, they were sending stolen data to servers controlled by attackers.
If your business uses Chrome, and most do, this is worth your attention.
What Actually Happened
The 108 extensions were published across five different developer accounts on the Chrome Web Store. They appeared to be separate, unrelated tools, things like YouTube sidebars, Telegram clients, games, and browser utilities.
But they were all connected. Every single one of them sent stolen data to the same command-and-control server, run by the same operator.
Here’s what those extensions were doing in the background:
- Stealing passwords, usernames, and browsing history
- Harvesting Google account identities using OAuth2 tokens
- Hijacking Telegram sessions
- Opening unauthorised URLs automatically when Chrome launched
- Injecting ads into every website visited
Some extensions also specifically targeted Gmail. When a user visited Gmail, the extension would read email content directly from the page and quietly send it off to attacker-controlled servers. All of this happened without the user ever knowing.
The campaign is believed to operate as a Malware-as-a-Service model. That means the stolen data and active sessions were being sold to third parties, not just used by one attacker.
At the time of discovery, all 108 extensions were still available in the Chrome Web Store.
This Is Not a New Problem, It’s a Growing One
This latest campaign is not a one-off. Chrome extensions have become one of the more reliable ways for attackers to get inside a business.
Some extensions start out completely legitimate, then turn malicious later. This happens through ownership transfers, where a developer sells their extension and the new owner pushes a malicious update. Users who had the original, trusted version get the update automatically, with no warning.
Other extensions are built malicious from day one and packaged to look useful enough to earn installs.
The result is the same either way. Once an extension has access to your browser, it can see a lot. It can read what you type, monitor what you visit, interact with your email, and capture your login sessions. For a business, that could mean a compromised Google Workspace account, a data breach, or worse.
Why Businesses Are Especially Exposed
In our own experience at Sentry Cyber, Chrome extension security is one of the most commonly overlooked areas in small and medium business environments.
Many IT teams and managed service providers (MSPs) focus on the obvious things: firewalls, antivirus, patching. That’s important. But the browser often gets ignored entirely. Chrome is not hardened. Extensions are not managed. And staff are free to install whatever looks useful.
That is a real risk, and cases like this one show exactly why.
What Good Chrome Security Looks Like for a Business
The good news is that this problem has a practical solution. It does not require big budgets or complicated technology.
Enrol in Chrome Management Through Google Workspace
If your business uses Google Workspace, you already have access to Chrome management tools. This lets your IT team or administrator control how Chrome is used across all business devices.
One of the most effective things you can do is create an approved extensions list, sometimes called a whitelist. Staff can install any extension on that list freely. If they want to use something that is not on the list, they submit a request. The IT or security team reviews it, and if it is safe, it gets added. If not, it does not get installed.
This one step removes a huge amount of risk. Extensions not on the approved list simply cannot be installed on business devices.
The same approach applies to Chrome web apps. Keeping approved apps to a managed list gives your business far more control over what is running in staff browsers.
Use a Risk Rating Tool
Companies like Spin.ai offer a Chrome extension risk rating service. Each extension gets a score based on the permissions it requests, its code behaviour, and other risk indicators. This can be a useful starting point when reviewing which extensions to approve or remove.
It is not a perfect system, but it adds a layer of evidence to decisions that often get made on gut feel.
Audit What You Already Have
Before you can manage extensions properly, you need to know what is already installed across your business. Many organisations have never done this. Staff have been adding extensions for years, and no one has reviewed them.
A Chrome extension audit looks at what is installed, what permissions those extensions have, whether any are flagged by security researchers, and whether any should be removed immediately.
At Sentry Cyber, we include Chrome extension auditing as part of our comprehensive security risk assessments. It is one of the areas where we consistently find issues that have never been looked at in businesses of all sizes.
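One way to run the audit described above together with the approved-list check from the previous section, as an added Python example (not Sentry Cyber's tooling and not code from the original article): it reads each installed extension's manifest.json from a Chrome profile folder, marks IDs missing from an approved list, and flags broad permissions. The risky-permission sets, the function names and the two sample extensions are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed heuristics for this example: broad host patterns plus API permissions
# matching the behaviours described above (history, sessions, OAuth identity).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {"history", "cookies", "identity", "tabs", "webRequest"}

def requested_access(manifest):
    """Every API permission and host pattern a manifest (MV2 or MV3) asks for."""
    items = set()
    for key in ("permissions", "host_permissions", "optional_permissions"):
        items.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        items.update(script.get("matches", []))
    return items

def audit_profile(profile_dir, approved_ids):
    """One finding per extension under <profile>/Extensions/<id>/<version>/."""
    findings = []
    ext_root = Path(profile_dir, "Extensions")  # 32-char IDs only; skips e.g. Temp
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir() and len(p.name) == 32):
        access, name = set(), "(unreadable manifest)"
        for path in ext_dir.glob("*/manifest.json"):  # union over all version dirs
            try:  # utf-8-sig tolerates a byte-order mark
                manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue
            name = manifest.get("name", "(no name)")
            access |= requested_access(manifest)
        findings.append({"id": ext_dir.name, "name": name, "approved": ext_dir.name in approved_ids,
                         "flags": sorted(access & (BROAD_HOSTS | RISKY_APIS))})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions with placeholder IDs."""
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "Sample Sidebar",
                   "permissions": ["identity", "storage"], "host_permissions": ["<all_urls>"]},
        "b" * 32: {"manifest_version": 3, "name": "Sample Notes", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root, "Extensions", ext_id, "1.0.0_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_profile(build_sample_profile(tmp), {"b" * 32}), sep="\n")
```

To audit a real device, pass `audit_profile` the Chrome profile folder (for example `~/.config/google-chrome/Default` on Linux) and the set of extension IDs your organisation has approved. Anything with `approved` false or a non-empty `flags` list is a candidate for review.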
What to Do Right Now
If you or your team use Chrome and have not reviewed your extensions recently, here are some practical steps to take today.
For individuals:
- Go to chrome://extensions in your browser
- Remove any extension you do not actively use or recognise
- Check that the extensions you keep are from reputable developers
- If you used a Telegram sidebar extension recently, log out of all Telegram web sessions via your mobile app
- If you signed into any browser game or sidebar using Google, visit myaccount.google.com/permissions and revoke any access you do not recognise
For business owners and managers:
- Talk to your IT team or provider about what Chrome extensions are currently installed across staff devices
- Ask whether Chrome management is set up through Google Workspace
- If it is not, this should be a priority, not a later item
Go Deeper: Our Google Workspace Security eBook
Chrome extension management sits inside a broader picture of Google Workspace security. There is a lot more to get right, from admin console settings to third-party app access to email authentication records.
We have put together a free eBook that covers Google Workspace security in practical terms for business owners and managers. No technical jargon. Just clear, actionable guidance on what to look at and what to fix.
Download the Sentry Cyber Google Workspace Security eBook here
How Sentry Cyber Can Help
If you are not sure where your business stands with Chrome or Google Workspace security, a good place to start is a conversation.
We offer security risk assessments that cover browser security, Google Workspace configuration, third-party app risks, and a range of other areas that are often missed. We look at what you have, identify the gaps, and give you a clear picture of your actual risk.
We also help businesses set up and manage Google Workspace security properly, including Chrome management, approved extension lists, and admin hardening.
If you would like to understand what risks might exist in your environment, book a free discovery call with our team. There is no obligation. We will help you understand where you stand and what makes sense to address first.
Conclusion
Chrome extensions are a normal part of how people work. But they are also a well-established way for attackers to get inside a business. The latest campaign, 108 malicious extensions quietly stealing Google account data from thousands of users, is a reminder that browser security cannot be an afterthought.
The fix is not complicated. Managed Chrome through Google Workspace, an approved extensions list, and a regular audit of what is installed will cover most of the risk. If you are not sure where to start, we are here to help.
FAQ
Q: How do malicious Chrome extensions get into the Chrome Web Store?
A: Attackers create extensions that look and work like legitimate tools. Some pass Google’s automated review. Others start as genuine extensions and are later updated with malicious code after the developer sells or hands over ownership. Google does remove malicious extensions when they are reported, but they can remain available for weeks or months before that happens.
Q: How would I know if a Chrome extension is stealing my data?
A: In most cases, you would not notice anything. These extensions are designed to work in the background without any visible signs. The only reliable way to protect yourself is to limit which extensions can be installed in the first place, which is exactly what Chrome management through Google Workspace allows you to do.
Q: Does Google Workspace automatically protect us from malicious extensions?
A: Google Workspace gives you the tools to manage Chrome security, but those tools need to be configured. Simply having a Google Workspace subscription does not mean Chrome is locked down. You need to actively set up Chrome management and define your approved extensions list.
Q: What permissions should I be concerned about when reviewing extensions?
A: Extensions that request access to all websites you visit, the ability to read and change data on sites, or access to your browsing history are higher risk. Legitimate extensions usually only request the permissions they genuinely need. If a simple tool is asking for broad access, that is a warning sign.
Q: Can Sentry Cyber help us set up Chrome management for our business?
A: Yes. We help businesses configure Chrome management as part of our Google Workspace security services. We can also include a Chrome extension audit in a broader security risk assessment. Get in touch to book a free discovery call.
