Update Highlights
- Threat Identified: A coordinated cyber espionage campaign has been confirmed, utilizing 108 malicious Chrome extensions with a collective 20,000 installs.
- Primary Risk: The extensions were designed to steal user data, including Google account credentials and Telegram session cookies, via a shared command-and-control (C2) infrastructure.
- Detection Status: The associated infrastructure, such as the domain meteora-home.xyz, has shown a low profile on threat intelligence feeds, with VirusTotal reporting 0 detections out of 95 scanners at the time of discovery.
Stop what you're doing and open your Chrome browser. Right now. Security researchers just found 108 fake extensions sitting in the Chrome Web Store, and they've already been installed tens of thousands of times. This isn't some minor bug. It's a full-scale data heist, built to steal your Google logins, hijack your Telegram chats, and vacuum up everything else in your browser. If you've added any extensions lately, you need to check.
Update Overview
- Threat Name: Malicious Chrome Extension Campaign / "Storm" Infostealer Variant
- Update Type: Critical Security Alert & Remediation
- Rollout Status: Threat is active; remediation requires manual user action.
- Region: Global. This is a web-based threat not limited by geography.
- Security Patch Level: Not applicable. This is not a software update but an active threat requiring extension removal.
Here's the thing: this isn't a patch you can wait for. The bad code is already on your machine if you installed one of these extensions. Google can yank them from the store, but that doesn't scrub them from your browser. The only fix is for you to go in and delete them yourself.
Eligible Devices and Rollout Schedule
This threat doesn't care if you're on Windows, Mac, or a Chromebook. If you run Chrome and you installed a bad extension, you're vulnerable. Full stop.
Affected Platforms
- Windows PCs with Chrome: At risk if malicious extensions are installed.
- macOS Computers with Chrome: At risk if malicious extensions are installed.
- Linux Systems with Chrome: At risk if malicious extensions are installed.
- ChromeOS Devices: At risk if malicious extensions are installed.
Rollout Schedule - Threat Activity
| Platform | Region | Status | Expected Date |
|---|---|---|---|
| Google Chrome Browser | Global | Threat Active | Ongoing |
| Chrome Web Store | Global | Extensions being removed | Gradual takedown |
India Rollout Note: For threats of this nature, there is no staged regional rollout. The risk is instantaneous and global. Indian users are as vulnerable as users anywhere else if they have installed one of the malicious extensions. The process for checking and removing extensions is identical worldwide.
How the Malicious Extensions Operate
The whole operation was weirdly centralized. All 108 different extensions phoned home to the same secret server. That single command post collected the stolen data and could send new orders back to every infected browser at once. It's a spider web, and the extensions are just the threads.
Data Theft Mechanism
They weren't after just anything. They wanted the keys to your digital life.
- Google Account Hijacking: The malware grabbed login cookies and credentials. With those, an attacker gets your Gmail, your Drive, your Photos. They become you.
- Telegram Session Hijacking: It also snatched Telegram session cookies. That means they could slide into your DMs without a password or 2FA, reading private messages and posing as you.
- General Browser Data: And of course, it took whatever else it could find: saved passwords, your history, autofill details. The whole digital pantry.
Connection to the "Storm" Infostealer
The method here is a dead ringer for the "Storm" infostealer. The sneaky part is how it handles your data. Old-school stealers would decrypt your info on your own computer, which could set off alarms. This one just bundles it up, encrypts it, and shoots the whole package straight to the attacker's server. Your security software sees encrypted traffic and thinks nothing's wrong. Research from Varonis highlights this technique as a major reason these campaigns are so hard to spot.
Detection Challenges and Low Profile Threats
What makes this campaign so effective is how well it hid. The attackers used domains like meteora-home.xyz that had no reputation, good or bad.
- VirusTotal Scans: When researchers found it, VirusTotal showed 0 detections for that domain across 95 different security scanners. It was a ghost.
- Extension Approval: Somehow, all 108 extensions slipped past the Chrome Web Store's review process. That official stamp is what convinced over 20,000 people to click "Add to Chrome."
That's the playbook. Use fresh, unknown infrastructure and ride that wave of invisibility for as long as possible before anyone catches on.
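The "many infected browsers, one fresh server" pattern described above is something a defender can look for in egress logs even when reputation feeds are silent. The following added example (not from the original alert or from any of the cited researchers) scans constructed proxy log lines for two things: hits on the one indicator the alert names, meteora-home.xyz, and destinations absent from a baseline of previously seen hosts that nevertheless receive sizeable uploads from several distinct clients within a short window. The log format, client IPs, the second domain, the byte counts and the thresholds are all made up for the demo.

```python
"""Flag likely extension C2 traffic in proxy logs without relying on reputation.

Added example, not part of the original alert. Input lines are constructed in a
simplified Squid-like layout: epoch_seconds client_ip dest_host bytes_sent.
The only indicator taken from the alert is meteora-home.xyz; every other value
(IPs, the second domain, thresholds) is invented for the demo.
"""
from collections import defaultdict

# Indicator named in the alert; extend from your own intel feed.
KNOWN_IOCS = {"meteora-home.xyz"}

# Destinations this (constructed) organization has seen before today.
BASELINE_HOSTS = {"www.google.com", "cdn.example.net", "updates.example.org"}

# Constructed sample log: four clients upload to the IoC domain within 40 s,
# three more upload to a second never-seen domain, and benign traffic mixed in.
SAMPLE_LOG = """\
1700000000 10.0.0.11 www.google.com 512
1700000005 10.0.0.12 meteora-home.xyz 48210
1700000007 10.0.0.13 meteora-home.xyz 51003
1700000010 10.0.0.14 cdn.example.net 1200
1700000012 10.0.0.15 meteora-home.xyz 47552
1700000030 10.0.0.11 updates.example.org 300
1700000040 10.0.0.16 meteora-home.xyz 49900
1700000050 10.0.0.17 telemetry-x9q.top 45000
1700000052 10.0.0.18 telemetry-x9q.top 46000
1700000055 10.0.0.19 telemetry-x9q.top 44000
"""


def parse(log_text):
    """Yield (timestamp, client, host, bytes_sent) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        yield int(ts), src, host.lower(), int(nbytes)


def find_c2_candidates(log_text, baseline_hosts, min_clients=3, window=60, min_bytes=10000):
    """Return {host: [reasons]} for hosts that match a known IoC, or that are
    absent from the baseline yet receive uploads of at least min_bytes from
    min_clients or more distinct clients inside a window of `window` seconds.
    The second rule is the centralized-C2 pattern: many browsers, one new server."""
    per_host = defaultdict(list)
    for ts, src, host, nbytes in parse(log_text):
        per_host[host].append((ts, src, nbytes))

    results = {}
    for host, events in per_host.items():
        reasons = []
        if host in KNOWN_IOCS:
            reasons.append("known IoC")
        if host not in baseline_hosts:
            uploads = sorted((ts, src) for ts, src, nbytes in events if nbytes >= min_bytes)
            # Slide a window over the upload events and count distinct clients.
            for i, (t0, _) in enumerate(uploads):
                clients = {src for ts, src in uploads[i:] if ts - t0 <= window}
                if len(clients) >= min_clients:
                    reasons.append(f"new host, {len(clients)} clients uploading within {window}s")
                    break
        if reasons:
            results[host] = reasons
    return results


if __name__ == "__main__":
    for host, reasons in sorted(find_c2_candidates(SAMPLE_LOG, BASELINE_HOSTS).items()):
        print(f"{host}: {'; '.join(reasons)}")
```

The baseline set is what makes the second rule useful: a domain with 0 detections on VirusTotal still stands out if it appeared today and immediately started receiving bulk uploads from a handful of unrelated workstations. In production the baseline would come from the previous weeks of proxy or DNS history rather than a hard-coded set.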
The Bigger Picture: A Web of Compromise
This isn't a one-off. It's a link in a very nasty chain. The credentials stolen here don't just vanish. They get sold.
- Breached Databases: Separate reports are detailing leaks like a "World Wide Websites Haked Pssw0rds Database" with 212,000 user records. That's where your Google password could end up, packaged with 886 GB of other stolen data for the highest bidder.
- Website Compromises: And the attacks keep evolving. One client saw their homepage replaced with Chinese text overnight, which cratered their search traffic by 90%. It's all connected. A stolen Google cookie from this campaign can be used to bypass security, launch phishing attacks from a "trusted" account, or spy on a company.
The damage doesn't stop when you remove the extension. It just moves to the next phase.
How to Download and Install (Remediation Steps)
Forget downloading. You need to start deleting. Here's how to clean your browser.
- Open Google Chrome.
- Get to Your Extensions. Click the three dots in the top-right. Go to Extensions > Manage extensions.
- Scrutinize Everything. Look at every single extension. If you don't remember installing it, if the name is vague like "WebHelper" or "PDF Viewer Plus," remove it. Don't trust it.
- Remove the Bad Ones. Click Remove on anything suspicious.
- Change Your Passwords. Do not skip this. Change your Google password and your Telegram password immediately. Turn on two-factor authentication for both if it's off.
- Clear Your Cookies. Go to Chrome Settings > Privacy and security > Clear browsing data. Select "Cookies and other site data" and "Cached images and files." This kills any active stolen session tokens.
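For a fleet of machines, or simply to get a complete list before clicking through the Manage extensions page, the audit in steps 2 and 3 can be done from the extension manifests Chrome keeps on disk. The following added example (not from the original alert) reads each manifest.json under a profile's Extensions folder and flags the combinations the alert describes: the cookies permission (what a session hijacker needs) and broad host access. It assumes Chrome's standard layout of Extensions/<32-character id>/<version>/manifest.json and the usual Default-profile locations per OS; the two-extension sample profile it builds in a temp directory, including the ids and names, is constructed for the demo.

```python
"""List installed Chrome extensions from their manifests and flag risky permissions.

Added example, not part of the original alert. Assumes Chrome's on-disk layout
<profile>/Extensions/<id>/<version>/manifest.json. The sample profile built by
build_sample_profile() is constructed for the demo; point audit_extensions() at
default_extensions_dir() to inspect a real profile.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_extensions_dir() -> Path:
    """Extensions folder of the Default profile on Windows, macOS and Linux."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def audit_extensions(ext_dir: Path) -> list:
    """Return one record per installed extension version with the flags raised."""
    findings = []
    for manifest in sorted(ext_dir.glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            m = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest; skip
        perms = set(m.get("permissions", []))
        hosts = set(m.get("host_permissions", []))
        # Manifest V2 lists host patterns inside "permissions"; fold those in.
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

        flags = []
        if "cookies" in perms:
            flags.append("cookies")
        if hosts & BROAD_HOSTS:
            flags.append("broad host access")
        if str(m.get("name", "")).startswith("__MSG_"):
            flags.append("localized name (resolve via _locales before judging)")
        findings.append({
            "id": ext_id,
            "name": m.get("name", "?"),
            "version": m.get("version", "?"),
            "flags": flags,
        })
    return findings


def build_sample_profile() -> Path:
    """Create a constructed Extensions folder with one benign and one suspicious entry."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        # Constructed ids: real ones are 32 letters from a to p.
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Simple Notes", "version": "1.0",
            "permissions": ["storage"],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 3, "name": "PDF Viewer Plus", "version": "2.3.1",
            "permissions": ["cookies", "storage"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_profile()
    for f in audit_extensions(target):
        status = ", ".join(f["flags"]) if f["flags"] else "no flags"
        print(f"{f['id']}  {f['name']} {f['version']}  [{status}]")
```

Run it with no arguments to see the constructed sample, or pass the path returned by default_extensions_dir() (Chrome must not have the profile locked for writing, but reading manifests while it runs is fine). A flagged entry is not proof of malice, since legitimate cookie managers request exactly these permissions; the list is the shortlist to verify against the BleepingComputer and Hacker News reports, and anything you do not recognise goes.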
Pre-Checklist: Maybe jot down your legit extensions before you start deleting, so you don't nuke something you need. And make sure you know how to recover your Google account, just in case.
"I don't see the extensions?" Google might have already deleted them from the Web Store, but that doesn't uninstall them from *your* browser. You have to check the extension management page yourself.
Should You Take Action Right Away?
Act immediately if... you've installed any new extensions in the last few months, your browser feels slow or weird, or you get a Google alert about a strange sign-in. Assume you're compromised until you prove otherwise.
You should still conduct an audit even if... you're careful. These extensions looked real enough to pass Google's checks. A quick review is the easiest security win you'll get all year.
Frequently Asked Questions
How do I know if I installed one of the bad extensions?
Cross-reference your extensions list with reports from BleepingComputer or The Hacker News. When in doubt, take it out. If you didn't consciously install it, get rid of it.
I removed the extension. Am I safe now?
You've stopped the bleeding, but the thief might already have your stuff. Changing your passwords is non-negotiable. That's how you change the locks.
Will antivirus software detect these extensions?
Probably not. The domains used were designed to fly under the radar, so traditional antivirus likely never got a signature for them.
Are users in India specifically targeted?
No. This is a global spray-and-pray attack. If you installed it, you're a target. Geography doesn't matter.
Does this affect other browsers like Edge or Safari?
This specific batch was for Chrome. But the same threat exists everywhere. Edge uses the same extension store. Safari and Firefox have their own markets full of risky add-ons.
What if I use the extension for work?
If you have any doubt, remove it first and ask questions later. Tell your IT team what happened and ask for a vetted alternative. Your company's data is on the line, too.
Final Thoughts
The Chrome Web Store has a malware problem, and Google's review process is a sieve. We keep seeing these massive, coordinated extension campaigns because they work. They're low-cost, high-reward, and terrifyingly effective at stealing identities. So do the audit. Change your passwords. This is the modern equivalent of checking your door locks. You can't trust the storefront anymore. You have to guard your own browser.
Sources
- thehackernews.com
- cybersecuritynews.com
- bleepingcomputer.com
- phishdestroy.io
- linkedin.com
- tiktok.com