🔍 What’s Happening?
Researchers found that all extensions communicate with the same malicious server. They were published under fake developer identities to appear legitimate.
These extensions can:
- Steal Google account data via OAuth2
- Hijack Telegram web sessions
- Inject ads and malicious scripts into websites
- Track user activity and browsing data
⚠️ Key Threats
- Telegram sessions stolen every 15 seconds
- Backdoor access to open malicious URLs
- Removal of security protections on major platforms
- Full browser-level script injection
🎭 How They Spread
The extensions disguise themselves as:
- Telegram tools
- Games
- YouTube/TikTok enhancers
- Translation tools
🛡️ What You Should Do
- Remove suspicious extensions immediately
- Log out of Telegram Web sessions
- Change your Google password
- Enable two-factor authentication
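
To help decide which installed extensions count as suspicious, the following added example (not code from the researchers or from the extensions themselves) checks a Chrome extension's `manifest.json` for permissions that would allow the capabilities listed above. The capability labels, the mapping from permissions to capabilities, and the sample manifests are assumptions constructed for illustration; a match means "review this extension", not "this extension is malicious".

```python
import json
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HEADER_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequestBlocking"}
TRACK_PERMS = {"tabs", "history", "webNavigation"}

def triage(manifest):
    """Return the capability labels (assumed names) that a manifest's permissions allow."""
    perms = set()
    for key in ("permissions", "optional_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Host patterns: MV3 keys, MV2-style hosts inside "permissions", content-script matches.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("optional_host_permissions", []))
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    broad = bool(hosts & BROAD)
    found = []
    if "identity" in perms or "oauth2" in manifest:
        found.append("google-oauth2")               # can request Google OAuth2 tokens
    if broad or any("telegram.org" in h for h in hosts):
        found.append("telegram-web-access")         # can read Telegram Web pages
    if broad and ("scripting" in perms or manifest.get("content_scripts")):
        found.append("script-injection-all-sites")  # can inject scripts on any site
    if perms & HEADER_PERMS:
        found.append("header-modification")         # can alter or strip response headers
    if perms & TRACK_PERMS:
        found.append("browsing-tracking")           # can observe tabs and navigation
    return found

def scan(extensions_dir):
    """Triage each <id>/<version>/manifest.json under a Chrome profile's Extensions directory."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        found = triage(json.loads(path.read_text(encoding="utf-8-sig")))
        if found:
            report[path.parent.parent.name] = found
    return report

# Constructed sample manifests (not taken from the reported extensions).
SAMPLE_GAME = {"name": "Sample game", "permissions": ["identity", "scripting", "tabs", "declarativeNetRequest"],
               "host_permissions": ["<all_urls>"], "oauth2": {"client_id": "PLACEHOLDER", "scopes": ["email"]}}
SAMPLE_TELEGRAM_TOOL = {"name": "Sample Telegram tool",
                        "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["cs.js"]}]}
SAMPLE_TRANSLATOR = {"name": "Sample translator", "permissions": ["activeTab", "storage"]}

if __name__ == "__main__":
    for m in (SAMPLE_GAME, SAMPLE_TELEGRAM_TOOL, SAMPLE_TRANSLATOR):
        print(m["name"], triage(m))
```

Pass `scan()` the `Extensions` directory of a browser profile to get a per-extension-ID report; many legitimate extensions also hold broad permissions, so compare the result against what each extension claims to do.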