- 54 extensions steal Google account identity via OAuth2;
- 1 extension actively exfiltrates Telegram Web sessions every 15 seconds;
- 1 extension includes staged infrastructure for Telegram session theft (not yet activated);
- 2 extensions strip YouTube security headers and inject ads;
- 1 extension strips TikTok security headers and injects ads;
- 2 extensions inject content scripts into every page the user visits;
- 1 extension proxies all translation requests through the threat actor’s server;
- 45 extensions contain a universal backdoor that opens arbitrary URLs on browser start.


