152 'live wallpaper' Chrome extensions caught harvesting user data and faking Google search traffic

Socket's Threat Research Team uncovered a coordinated family of 152 new-tab 'live wallpaper' Chrome extensions, spread across 38 publisher accounts and three brands, that secretly logged user telemetry and laundered extension-generated visits into fake Google organic search traffic despite declaring they collected no data.

On 13 June 2026, Socket's Threat Research Team disclosed a coordinated family of 152 "live wallpaper" new-tab extensions on the Google Chrome Web Store that secretly logged user data and manufactured fake Google "organic search" traffic — all while their store listings explicitly promised they collected no data at all.

What happened

The extensions were built from a single shared codebase but distributed across 38 publisher accounts and three brands — tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com (which redirects to owhit[.]com) — to spread the campaign across many listings and blunt the impact of any single takedown. Using popular themes such as anime, games, football and car wallpapers to attract installs, the extensions together reported roughly 105,000 users.

Despite each Chrome Web Store listing declaring that no user data was collected, the extensions aggressively harvested telemetry in the background. The operator's own external privacy policy contradicted those listings, admitting to logging IP addresses, internet service provider (ISP) data, click counts and referrer data. Rather than injecting ads into arbitrary websites, the extensions redirected users to operator-controlled, programmatically monetised domains.

Why it matters

This adware-adjacent campaign abused new-tab extensions to launder extension-generated visits into what looked like legitimate Google organic search traffic, polluting analytics for advertisers and Google alike while quietly profiting from the redirected clicks. The gap between the "no data collected" store labels and the operator's actual privacy policy highlights how easily Chrome Web Store disclosures can be gamed — and how a single codebase, fanned out across dozens of publisher accounts, can quietly reach six figures of users before researchers connect the dots.

Related incidents

Supply chainOngoingJune 11, 2026

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim: Arch User Repository (AUR)

Vulnerability exploitOngoingJune 10, 2026

Max-severity Ivanti Sentry flaw exploited for root code execution (CVE-2026-10520)

Ivanti patched a maximum-severity unauthenticated command-injection flaw in its Sentry mobile gateway that gives attackers root-level remote code execution, and within days real-world exploitation followed a public proof-of-concept, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.

Victim: Ivanti Sentry

Zero-dayOngoingJune 10, 2026

Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges (CVE-2026-47281)

Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.

Victim: Microsoft Defender

Zero-dayOngoingJune 10, 2026

Oracle PeopleSoft PeopleTools zero-day exploited by ShinyHunters (CVE-2026-35273)

Oracle issued an emergency out-of-band alert after the ShinyHunters crew exploited a critical unauthenticated remote-code-execution zero-day in PeopleSoft PeopleTools to steal data from more than 100 organisations, most of them universities.

Victim: Oracle PeopleSoft