Chrome Web Store Hosts 108 Token-Stealing Extensions
Security researchers discovered 108 malicious browser extensions distributed through Google's official Chrome Web Store on April 14, 2026. These extensions specifically target Google OAuth2 Bearer tokens, which provide authenticated access to Google services without requiring users to re-enter passwords. The malicious code operates by intercepting authentication flows and exfiltrating sensitive tokens to attacker-controlled servers.
The campaign represents a sophisticated supply chain attack leveraging the trusted Chrome Web Store ecosystem. Unlike traditional malware distribution through suspicious websites, these extensions passed Google's automated review process and appeared legitimate to unsuspecting users. Each extension employed obfuscated JavaScript code designed to evade detection while maintaining normal functionality to avoid user suspicion.
The malicious extensions operate through multiple attack vectors simultaneously. Primary functionality includes OAuth2 token harvesting, where extensions monitor browser authentication requests and extract Bearer tokens during Google service logins. Secondary payloads deploy persistent backdoors that establish command-and-control communication channels with remote servers. Additional modules execute ad fraud schemes by generating artificial clicks and impressions to monetize compromised browser sessions.
Discovery occurred when security researchers at The Hacker News identified suspicious network traffic patterns from multiple Chrome installations. Analysis revealed consistent data exfiltration to domains registered within the past 90 days, indicating a coordinated campaign rather than isolated incidents. The extensions maintained low profiles by limiting malicious activity frequency and targeting specific user demographics to avoid mass detection.
Technical analysis shows the extensions use legitimate Chrome APIs to escalate their permissions. They request broad access to browsing data, cookies, and active tabs under the guise of productivity or utility features. Once installed, the malicious code monitors XMLHttpRequest and Fetch API calls to identify OAuth2 authentication flows. Token extraction occurs through DOM manipulation and JavaScript injection targeting Google's authentication endpoints.
Chrome Users and Google Service Access at Risk
The malicious extensions primarily affect Chrome browser users who installed any of the 108 identified extensions from the official Web Store. Google has not disclosed the exact download counts, but security researchers estimate potential exposure in the hundreds of thousands based on typical extension adoption patterns. Users with active Google Workspace accounts, Gmail access, and Google Cloud Platform credentials face the highest risk due to the value of their OAuth2 tokens.
Enterprise environments represent particularly attractive targets for attackers. Organizations using Google Workspace for business operations, single sign-on implementations, and cloud resource management could face lateral movement attacks if employee browsers become compromised. The stolen OAuth2 tokens provide persistent access to Google services without triggering additional authentication prompts, enabling prolonged unauthorized access to corporate data and systems.
Geographic distribution analysis indicates the campaign targeted users globally, with no specific regional focus. However, extensions marketed in English and featuring productivity-focused descriptions suggest primary targeting of business users and technical professionals. The broad Chrome Web Store distribution ensures maximum reach across different user segments and organizational types.
Individual users face risks including unauthorized access to Gmail accounts, Google Drive files, Google Photos collections, and YouTube channels. The OAuth2 token theft enables attackers to access these services from different devices and locations without triggering security alerts that typically accompany suspicious login attempts from new locations or devices.
Immediate Response and Chrome Extension Security
Chrome users must immediately audit their installed extensions through the chrome://extensions/ interface. Remove any recently installed extensions that request broad permissions for browsing data, cookies, or tab access unless absolutely necessary for legitimate functionality. Pay particular attention to extensions installed within the past 90 days that offer vague productivity or utility features without clear value propositions.
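An added example, not from the article or from Google, that applies the audit above to the manifest files a Chrome profile keeps on disk: it flags the broad permissions and wildcard host access the article describes and uses the version directory's mtime as an approximation of install time. The Extensions path layout, the permission list, the severity thresholds and the constructed sample manifest are this example's own assumptions.

```python
import glob
import json
import os
from datetime import datetime, timedelta, timezone

# API permissions a vague "utility" extension has little reason to request.
BROAD_PERMISSIONS = {"cookies", "tabs", "webRequest", "webRequestBlocking",
                     "history", "scripting", "declarativeNetRequest"}
RECENT_WINDOW = timedelta(days=90)  # the article's "installed within the past 90 days"
SAMPLE_NOW = datetime(2026, 4, 14, tzinfo=timezone.utc)
# Constructed manifest (not one of the 108 extensions), shaped like the pattern described.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Tab Productivity Helper",
    "permissions": ["cookies", "tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>", "https://accounts.google.com/*"],
}

def host_patterns(manifest):
    """Host match patterns from MV2 'permissions' and MV3 'host_permissions'."""
    return [e for key in ("permissions", "host_permissions", "optional_host_permissions")
            for e in manifest.get(key, [])
            if isinstance(e, str) and (e == "<all_urls>" or "://" in e)]

def is_wildcard_host(pattern):
    """True for patterns that reach every site: <all_urls>, *://*/*, https://*/*."""
    return pattern == "<all_urls>" or pattern.partition("://")[2].split("/", 1)[0] == "*"

def assess_manifest(manifest, installed_at, now):
    """Score one manifest on broad API permissions, wildcard hosts, Google hosts, recency."""
    api_perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = host_patterns(manifest)
    f = {"name": manifest.get("name", "?"),
         "broad_permissions": sorted(api_perms & BROAD_PERMISSIONS),
         "wildcard_hosts": [h for h in hosts if is_wildcard_host(h)],
         "google_hosts": [h for h in hosts if "google.com" in h],
         "recent": now - installed_at <= RECENT_WINDOW}
    score = (len(f["broad_permissions"]) + 2 * bool(f["wildcard_hosts"])
             + bool(f["google_hosts"]) + bool(f["recent"]))
    f["severity"] = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return f

def scan_profile(extensions_dir, now=None):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json (version dir mtime ~ install time)."""
    now, findings = now or datetime.now(timezone.utc), []
    for path in glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json")):
        installed = datetime.fromtimestamp(os.path.getmtime(os.path.dirname(path)), timezone.utc)
        with open(path, encoding="utf-8") as fh:
            finding = assess_manifest(json.load(fh), installed, now)
        findings.append(dict(finding, id=os.path.basename(os.path.dirname(os.path.dirname(path)))))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f["severity"]))
```

Point scan_profile at the profile's Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux) and review the "high" entries first; the score is a triage aid, not proof of malice.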
Google has begun removing identified malicious extensions from the Chrome Web Store, but users who previously installed them must take manual action. Navigate to Chrome Settings > Privacy and Security > Site Settings > Cookies and other site data, then clear all stored authentication data for Google services. This action invalidates existing OAuth2 tokens and forces fresh authentication flows that bypass compromised credentials.
Organizations should implement immediate Chrome extension policies through Group Policy or Chrome Enterprise controls. Disable automatic extension installation and require administrative approval for all new extensions. Review existing extension inventories across corporate devices and remove any extensions that cannot be verified through official vendor channels or established security reviews.
For comprehensive remediation, users should revoke all active OAuth2 tokens through Google Account security settings. Access myaccount.google.com/security, navigate to "Third-party apps with account access," and remove authorization for any unrecognized applications or services. Enable two-factor authentication on all Google accounts to add additional protection layers beyond OAuth2 tokens.
The CISA Known Exploited Vulnerabilities catalog provides additional guidance for organizations managing browser security risks. Implement network monitoring to detect unusual authentication token usage patterns and establish baseline behaviors for legitimate Google service access. Deploy endpoint detection solutions capable of monitoring browser extension behavior and identifying suspicious network communications from browser processes.
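An added example, not from the article, of the token-usage baselining described above: it runs over a constructed access-log excerpt and flags a Bearer-token fingerprint reused by a second client (IP address and user agent) inside a 30-minute window, the pattern a stolen token replayed from another device produces. The log format, field names, fingerprinting scheme and window length are assumptions of this example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway/proxy log excerpt (not real data). Tokens appear only as fingerprints
# (see fingerprint()) so the log itself never becomes a Bearer-token store.
LOG_LINES = """\
2026-04-14T09:00:01Z sub=alice ip=203.0.113.10 ua="Chrome/124 Windows" tok=fpA1 path=/drive/v3/files
2026-04-14T09:02:40Z sub=alice ip=203.0.113.10 ua="Chrome/124 Windows" tok=fpA1 path=/gmail/v1/users/me/messages
2026-04-14T09:05:12Z sub=alice ip=198.51.100.7 ua="python-requests/2.31" tok=fpA1 path=/gmail/v1/users/me/messages
2026-04-14T09:06:00Z sub=bob ip=192.0.2.55 ua="Chrome/124 macOS" tok=fpB7 path=/drive/v3/files
2026-04-14T09:20:00Z sub=bob ip=192.0.2.55 ua="Chrome/124 macOS" tok=fpB7 path=/drive/v3/files
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) sub=(?P<sub>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" tok=(?P<tok>\S+)')
WINDOW = timedelta(minutes=30)  # two different clients on one token inside this window is suspicious

def fingerprint(authorization_value):
    """Reduce an Authorization header value to a short SHA-256 prefix safe to log."""
    token = authorization_value.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    return hashlib.sha256(token.encode()).hexdigest()[:16]

def parse(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_token_sharing(lines, window=WINDOW):
    """Alert when a token fingerprint is used by a second (ip, user-agent) pair within
    `window` of an earlier use: the earlier client is the baseline, the new one deviates."""
    seen = defaultdict(list)  # tok -> [(ts, (ip, ua)), ...]
    alerts = []
    for ev in filter(None, map(parse, lines)):
        client = (ev["ip"], ev["ua"])
        for ts, prev in seen[ev["tok"]]:
            if prev != client and ev["ts"] - ts <= window:
                alerts.append({"sub": ev["sub"], "tok": ev["tok"], "at": ev["ts"],
                               "baseline": prev, "deviant": client})
                break
        seen[ev["tok"]].append((ev["ts"], client))
    return alerts

def demo():
    return detect_token_sharing(LOG_LINES.splitlines())
```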