
108 Malicious Chrome Extensions Caught Stealing Data: Why Locally-Processed PDF Tools Are Different

A cluster of 108 Chrome extensions was caught stealing Google and Telegram credentials in April 2026. Here's why locally-processed PDF tools have a fundamentally different security profile.

TL;DR

In April 2026, researchers discovered 108 malicious Chrome extensions communicating with a shared command-and-control server, collectively stealing Google account credentials, Telegram data, and browsing history from roughly 20,000 users. If you use Chrome extensions, this is a wake-up call to audit what is installed. Convert: Web to PDF is architecturally different from these malicious extensions: it processes everything locally in your browser, requests minimal permissions, transmits nothing to external servers, and has no capability to steal credentials.

What happened with the 108 malicious Chrome extensions

In April 2026, security researchers identified a cluster of 108 Chrome extensions operating as a coordinated data-theft campaign. The extensions appeared to be legitimate utilities — productivity tools, download helpers, and screenshot capturers — but were secretly routing stolen data to a shared command-and-control (C2) infrastructure.

Here is what the investigation found:

  • 54 extensions targeted Google account credentials via OAuth2 token theft
  • 45 extensions contained a universal backdoor that opened arbitrary URLs on browser launch
  • All 108 shared C2 server infrastructure, indicating a single operator behind the campaign
  • 20,000 combined installs across the Chrome Web Store at time of discovery
  • Data stolen: Google and Telegram credentials, browsing history, session cookies, personally identifiable information

The extensions had been in the Chrome Web Store for varying lengths of time. Some had received user reviews, adding a veneer of legitimacy. Google has since removed them, but users who installed any of the 108 remain at risk until they revoke OAuth tokens and change affected passwords.

How the theft worked

The mechanism behind most of the 108 extensions followed a recognizable pattern:

  1. Extension installed — user adds what appears to be a useful tool
  2. Permissions granted — extension requests broad site access, which user accepts
  3. Background data collection begins — extension silently monitors page content and network activity
  4. Credentials harvested — OAuth tokens, session cookies, and login data extracted from pages
  5. Data exfiltrated — stolen data sent to C2 servers, disguised in normal-looking network traffic

The C2 infrastructure allowed the operator to update the extensions' malicious payloads remotely, meaning extensions that initially appeared clean could become data thieves through a silent update.

The permission red flags that matter

Every Chrome extension requests permissions when you install it. These permissions are the first line of defense against malicious behavior — and the clearest signal of what an extension actually needs to do its job.

High-risk permissions to watch for

Permission                                  | What it means                                   | Risk level
--------------------------------------------|-------------------------------------------------|------------
Read and change all data on all websites    | Full access to every page you visit             | Very high
Read browsing history                       | Access to your complete URL history             | High
Manage your apps, extensions, and themes    | Can install/remove other extensions             | Very high
Read and change data on specific websites   | Access to targeted sites (e.g., banking)        | High
Native messaging                            | Can communicate with programs on your computer  | High
Clipboard read/write                        | Can read everything you copy                    | Medium-high

The 108 malicious extensions typically requested the "read and change all data on all websites" permission — the broadest possible access. With this permission, the extension can see everything on every page you visit, including login pages, bank accounts, and email.

What minimal-permission extensions look like

By contrast, Convert: Web to PDF requests only what it needs to convert the current tab to PDF:

  • Active tab access — only when you click the extension
  • No access to other tabs — cannot see what else you have open
  • No browsing history — cannot see where you have been
  • No credentials or cookies — cannot access authentication data
  • No external network access for page content — conversion happens locally

This is the principle of least privilege applied to browser extensions. An extension that does less requests less. An extension that requests less can steal less.

Architectural differences: data theft vs. PDF conversion

Understanding why locally-processed extensions like Convert: Web to PDF are structurally different requires looking at the architecture.

How malicious data-theft extensions work

Your browser → Extension → User's page content
                    ↓
              Background script
                    ↓
              External C2 server ← stolen data sent here

The extension acts as a man-in-the-middle between you and the pages you visit. It intercepts content, extracts valuable data, and transmits it externally. The user sees the extension doing something "useful" (or nothing at all), while the real work happens invisibly in the background.

How Convert: Web to PDF works

Your browser → Extension → Active tab content
                    ↓
              Chrome DevTools Protocol
                    ↓
              Local PDF generation
                    ↓
              PDF saved to your device ← never leaves your machine

There is no external server in this architecture. The extension uses Chrome's own built-in capabilities (the DevTools Protocol) to render and save the page as a PDF on your local device. Nothing is transmitted off your machine.

Why "locally processed" matters for security

The absence of an external server creates several security advantages:

  1. No server to breach — There is no backend database storing your documents. Attackers cannot steal what does not exist on a server.
  2. No data in transit — There is no network transmission to intercept. Man-in-the-middle attacks have nothing to target.
  3. No account credentials needed — You do not log into an account to use the extension. There is no password database to compromise.
  4. No persistent access — The extension only activates when you click it. It is not running in the background continuously.

How to check if you installed any of the 108 malicious extensions

If you are concerned, here is how to audit your Chrome extensions:

Step 1: Review installed extensions

Go to chrome://extensions in your address bar. Review every extension listed. Ask yourself:

  • Do I recognize this?
  • Do I actively use this?
  • Do I know what it does?

If the answer to any of these is "no," investigate before keeping it.

Step 2: Check permissions on each extension

Click "Details" on each extension. Look at the permissions listed. Any extension with "Read and change all your data on all websites" deserves scrutiny. Ask: does this tool actually need access to every website I visit?

A PDF converter does not need access to all websites. A download manager probably does not need access to all websites. A spelling checker probably does not need access to all websites.

Step 3: Review OAuth connections

If you use a Google account, go to your Google Account security page and review which third-party apps have access to your account. Revoke access for any you do not recognize or no longer use. This is especially important if any of the 108 extensions used OAuth2 to steal credentials — revoking the token prevents ongoing access even after you remove the extension.

Step 4: Check Telegram sessions

If you use Telegram, open Settings, then Devices (or Active Sessions). Review the list. Log out any sessions you do not recognize.

Step 5: Change affected passwords

If you had any of the 108 extensions installed, treat any passwords you entered in Chrome as potentially compromised. Change passwords for critical accounts — Google, banking, email, work tools.

How to evaluate a Chrome extension before installing

The 108 malicious extensions incident is a reminder that the Chrome Web Store, while curated, is not perfectly safe. Here is a framework for evaluating extensions:

Questions to ask before installing

Does the permission request match the functionality? A PDF converter needs to read the active tab. It does not need to read all websites, access your history, or use native messaging. Mismatched permissions are the clearest red flag.

Is there a clear explanation of how data is handled? Good extensions explain their data handling in their Chrome Web Store listing and privacy policy. "We process everything locally" is specific and verifiable. "We take your privacy seriously" is marketing, not a commitment.

Is development active and transparent? Check the last update date. Check if there is a website, a support email, or a way to contact the developer. Anonymous extensions with no contact information are higher risk.

What does the extension actually need server access for? Some extensions legitimately need servers — cloud sync services, online tools that require processing power. But if an extension's advertised purpose is purely local (converting a file, adjusting a setting, modifying page appearance), it should not need to contact external servers at all.

Red flags in the Chrome Web Store listing itself

  • Vague description that does not explain what the extension does
  • No developer website or support email
  • Very recent first publication date with unusually high install counts
  • Reviews that seem generic or formulaic
  • Unusual permission requests that do not match the described functionality

Safe PDF tools for Chrome: what to look for

The 108 malicious extensions incident underscores why the architecture of a PDF tool matters as much as its features.

What to look for in a Chrome PDF extension

Feature                               | Why it matters
--------------------------------------|---------------------------------------------------
Local processing (no server upload)   | Documents never leave your device
Minimal permissions                   | Smaller attack surface
No account required                   | No credential database to breach
Transparent privacy policy            | You can verify the data handling claims
Active development                    | Security vulnerabilities get patched
No background activity                | Extension is not running when you are not using it

How alternatives compare

PrintFriendly — cloud-based, page content is processed on PrintFriendly's servers. Not local.

PDFCrowd — web service, requires uploading or submitting URLs to their servers. Not local.

Adobe Acrobat (Chrome extension) — connects to Adobe's cloud services. Not local.

GoFullPage — takes screenshots that stay local, but its premium features involve cloud sync. Partly local.

Convert: Web to PDF — fully local, uses Chrome's DevTools Protocol, no external server communication for page content, no account required.

What this incident means for extension policy going forward

The 108 extensions campaign is likely to accelerate changes to the Chrome Web Store's review process. Google has already been tightening extension permission requirements under Manifest V3, which restricts certain APIs that malicious extensions previously exploited.

For users, the practical takeaway is not to stop using extensions — it is to be more intentional about which ones you install and what permissions you grant. The risk is manageable with reasonable hygiene.

For developers of legitimate extensions, the pressure is toward greater transparency: explaining data handling clearly, minimizing permission requests, and preferring local processing over server-side approaches whenever architecturally possible.

Frequently asked questions

How did 108 malicious extensions get into the Chrome Web Store?

Google's Chrome Web Store review process catches many malicious extensions but is not perfect. The 108 extensions in this campaign likely used common evasion techniques: appearing benign at first, introducing malicious behavior through later updates, or activating malicious payloads only under certain conditions that reviewers would not trigger. Google has been improving its automated detection, but determined attackers adapt.

Can an extension steal data even if I am not using it?

Yes, if the extension is installed and has broad permissions, it can run in the background without you actively interacting with it. This is why extensions with "read and change all data on all websites" are particularly concerning — they can potentially intercept any page you load. Extensions with minimal permissions and no background scripts cannot do this.

Does uninstalling the malicious extension fix the problem?

Uninstalling stops future data collection, but it does not undo what was already stolen. If you had any of the 108 extensions installed, assume your Google OAuth tokens and any credentials entered in Chrome may be compromised. Revoke OAuth access, change passwords, and check for unauthorized account activity.

Is Convert: Web to PDF safe?

Convert: Web to PDF has a minimal permission profile, processes all conversions locally using Chrome's DevTools Protocol, and transmits no page content to external servers. It has no background data collection capability. Its architecture is fundamentally different from the data-theft extensions in this campaign.

Should I use Chrome at all given these security incidents?

Chrome remains a well-maintained, regularly patched browser. The issue is not Chrome itself but the open nature of the extension ecosystem. Being selective about which extensions you install, reviewing permissions carefully, and preferring locally-processed tools are sufficient precautions for most users.

How many extensions is too many?

There is no magic number, but security researchers generally recommend keeping your extension count low — ideally under 10 actively used extensions. More extensions means more potential attack surface. If you have not used an extension in a month, remove it.

What should I do right now?

  1. Go to chrome://extensions and audit what you have installed
  2. Remove any extensions you do not recognize or no longer use
  3. Check permissions on remaining extensions — revoke "all websites" access where possible
  4. Review your Google account for third-party app connections
  5. If you recognize any extension from the 108 list, revoke OAuth access and change your Google password immediately

Bottom line

The 108 malicious Chrome extensions campaign is a stark reminder that extension security requires active attention. Not all extensions are equal: those that process data locally, request minimal permissions, and avoid external server communication are structurally safer than those that transmit data off-device. Convert: Web to PDF is built on this local-first architecture — your documents never leave your machine, and the extension only activates when you explicitly click it. In a threat environment where 108 extensions were stealing credentials in plain sight, architecture is not a technical footnote — it is the whole point.
