HIGH

100+ Malicious Chrome Extensions in Web Store Steal Google OAuth Tokens and Deploy Backdoors

· malware · data-breach · google · phishing

More than 100 malicious extensions in the official Chrome Web Store have been discovered actively stealing Google OAuth2 Bearer tokens, deploying backdoors, and conducting ad fraud. The extensions abuse broad permissions (cookies, storage, tabs) to silently exfiltrate authentication tokens, granting attackers persistent access to Google accounts without requiring a password.

OAuth token theft is particularly dangerous because it bypasses multi-factor authentication entirely. A stolen Bearer token is a live session credential with no additional challenge.

Users should immediately audit installed Chrome extensions, removing anything recently added or unfamiliar. Revoke OAuth grants for suspicious third-party applications via Google Account security settings. Organizations should enforce an allowlist of approved extensions via browser management policy and review existing extension permissions across their user base.
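The extension audit recommended above can be scripted rather than done by hand. The following is an added example, not code from the original post or from any vendor: it walks a Chrome profile's `Extensions` directory (the default profile paths are assumed per platform), reads each extension's `manifest.json`, and flags any extension that requests the broad permissions the report names (`cookies`, `storage`, `tabs`) or wildcard host access. The demo profile it builds under a temporary directory, including the extension IDs and names, is constructed for illustration.

```python
"""Audit installed Chrome extensions for broad permissions.

Added example (not from the original post). Reads manifest.json for every
extension under a Chrome profile's Extensions directory and flags the
permissions called out in the report. Paths and sample manifests are
assumptions/constructed data, not values from the post.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions the report says the malicious extensions abused.
RISKY_PERMISSIONS = {"cookies", "storage", "tabs"}
# Host patterns that grant access to every site (MV2 lists them under
# "permissions", MV3 under "host_permissions").
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def default_extensions_dir() -> Path:
    """Assumed default-profile path per platform; adjust for other profiles."""
    home = Path.home()
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return base / "Google/Chrome/User Data/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"


def assess_manifest(manifest: dict) -> dict:
    """Return the risk-relevant facts about one extension manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_PERMISSIONS)
    broad_hosts = bool(hosts & BROAD_HOST_PATTERNS)
    return {
        "name": manifest.get("name", "?"),  # may be a __MSG_*__ locale key
        "version": manifest.get("version", "?"),
        "risky_permissions": risky,
        "broad_host_access": broad_hosts,
        "flag": bool(risky) or broad_hosts,
    }


def audit_extensions_dir(ext_dir: Path) -> list:
    """Chrome lays extensions out as Extensions/<id>/<version>/manifest.json."""
    findings = []
    for manifest_path in sorted(ext_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip rather than crash the audit
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parents[1].name
        findings.append(result)
    return findings


def build_demo_profile(root: Path) -> Path:
    """Write two constructed manifests (fake IDs) so the audit runs offline."""
    ext_dir = root / "Extensions"
    demo = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Demo Token Grabber", "version": "1.0",
                                            "manifest_version": 3,
                                            "permissions": ["cookies", "storage", "tabs"],
                                            "host_permissions": ["<all_urls>"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Demo Benign Theme", "version": "2.1",
                                            "manifest_version": 3,
                                            "permissions": ["activeTab"]},
    }
    for ext_id, manifest in demo.items():
        path = ext_dir / ext_id / manifest["version"]
        path.mkdir(parents=True)
        (path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_dir


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    if not target.exists():
        target = build_demo_profile(Path(tempfile.mkdtemp()))
        print(f"No profile found; auditing constructed demo profile at {target}")
    for f in audit_extensions_dir(target):
        marker = "FLAG" if f["flag"] else "ok  "
        print(f"{marker} {f['id']} {f['name']} v{f['version']} "
              f"perms={f['risky_permissions']} broad_hosts={f['broad_host_access']}")
```

Run it with no arguments to audit the default profile, or pass another `Extensions` directory. Flagged entries are candidates for review, not proof of malice: plenty of legitimate extensions request `storage` or `tabs`, so pair the output with install date and publisher before removing anything, and revoke the account's OAuth grants if a flagged extension turns out to be unwanted.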