Trusted Browser Tool Becomes Vector for Hidden Data Exfiltration
A widely used extension for developers and testers was found harboring spyware that sent user traffic data to remote servers.
When a staple utility in a developer's toolkit is compromised, the erosion of trust hits particularly hard. The sudden removal of a widely utilized browser extension has left over 1.6 million users vulnerable to silent data exfiltration, highlighting the persistent dangers of supply chain attacks within the browser ecosystem.
Hidden Malicious Payloads Discovered
The security concerns center on ModHeader, a tool previously relied upon by professionals for modifying HTTP request and response headers. Researchers at Stripe OLT discovered that build v7.0.18 of the extension was embedded with a clandestine spyware SDK designed to monitor user activity without triggering standard alerts. This component, while inactive by default, contained all the necessary logic, encryption keys, and transmission schedules required to operate.
Tactics of the Exfiltration Campaign
The malicious code functioned by recording the domains visited by users, encrypting that information using AES-GCP, and pushing it to a server linked to Chinese actors once per day. Beyond the data harvesting, the extension also functioned as adware, forcing open advertising tabs during updates. Because the tool was often utilized on enterprise-managed systems, these security risks extended far beyond personal consumer accounts.
- 1.6 million total downloads across Chrome and Edge
- 900,000 users recorded on the Chrome platform
- 700,000 users recorded on the Edge platform
- June 3 2026: The date Microsoft pulled the extension
- July 10 2026: The date Google removed the extension
Urgent Call for Endpoint Remediation
While the major browser vendors have finally intervened, the threat remains active for anyone who has not manually purged the software from their machines. Store-level takedowns only prevent new infections; they do not proactively cleanse existing, compromised browser environments.
Following our disclosure, Google has removed the extension from the Chrome Web Store. We welcome this action, but removal from the store does not automatically remediate endpoints where the extension was already installed, so defenders should continue to identify and remove existing installations.
— Stripe OLT, Security Research Firm
Lingering Risks for Professional Workflows
For organizations, this incident serves as a stark reminder that even vetted, high-install-count utilities can act as conduits for sensitive data loss. Defenders must prioritize the visibility of installed extensions across their fleets and recognize that removal from official repositories is merely the first step in a larger remediation process. Failure to actively scan for and scrub legacy versions of these tools leaves an open door for unauthorized data exfiltration, regardless of the extension's former reputation as a trusted productivity aid.