Malicious Chrome Extensions Found Stealing Business Data, Emails, And Browsing History

Cybersecurity researchers have identified several malicious Google Chrome extensions that secretly collect sensitive user information, including Meta Business data, email content, and browsing history. The discoveries highlight the growing misuse of browser add-ons that look legitimate but operate as data-harvesting tools. Researchers warn that these extensions often present themselves as productivity utilities or artificial intelligence assistants while quietly transmitting valuable information to attacker-controlled infrastructure.

One of the extensions discovered by security researchers is called CL Suite by @CLMasters, listed in the Chrome Web Store with the ID jkphinfhmfkckkcnifhjiplhfoiefffl. The extension is marketed as a tool that helps users scrape data from Meta Business Suite, remove verification prompts, and generate two-factor authentication codes. It has recorded 33 users and was first uploaded to the Chrome Web Store on March 1, 2025. Security analysis by Socket revealed, however, that the add-on secretly exfiltrates time-based one-time password (TOTP) seeds, active 2FA codes for Facebook and Meta accounts, Business Manager contact lists, and analytics data. According to researcher Kirill Boychenko, the extension's privacy policy claims that all sensitive data stays on the local device; its code, by contrast, transmits this information to a backend server hosted at getauth.pro and can also forward collected payloads to a Telegram channel controlled by the attacker.

The extension also gathers detailed Business Manager information, including names, email addresses, roles, access permissions, and linked business assets such as ad accounts, connected pages, and billing details. Although the extension does not directly capture passwords, researchers warn that attackers could combine the stolen authentication codes with previously leaked credentials obtained from infostealer logs or credential dumps to gain unauthorized access to targeted business accounts. A stolen TOTP seed is worse than a stolen code: whoever holds the seed can generate valid codes indefinitely, so affected accounts need their 2FA re-enrolled, not just their passwords changed.

In a separate campaign, security firm Koi Security found that around 500,000 users of the Russian social network VKontakte had their accounts quietly hijacked through malicious Chrome extensions disguised as customization tools. The campaign, named VK Styles, distributes extensions such as VK Styles Themes for vk.com, VK Music audio saver, Music Downloader VKsaver, vksaver music saver vk, and VKfeed Download Music and Video from VK. Once installed, the malware automatically subscribes victims to attacker-controlled VK groups, modifies account settings every 30 days to maintain control, and manipulates cross-site request forgery (CSRF) tokens to bypass the platform's protections. Researchers traced the campaign to a threat actor operating under the GitHub username 2vk. The attacker used a VK profile page as a dead-drop resolver, hiding the location of the next-stage payload inside HTML metadata tags so that the follow-on malware stays concealed from anyone inspecting the extension alone. The payload itself is stored in a public GitHub repository named "-", where a file titled C received 17 commits between June 2025 and January 2026, indicating continuous development and testing.

Another investigation uncovered a coordinated campaign named AiFrame involving 32 Chrome extensions marketed as artificial intelligence assistants. These tools advertise features such as text summarization, email writing, chat assistance, and translation. Despite appearing legitimate, researchers at LayerX found that the extensions rely on remote, server-controlled user interfaces embedded inside extension pages. Because the interface is loaded from the attacker's server at runtime rather than shipped in the package, attackers can push new functionality without publishing an update through the Chrome Web Store, and the code reviewed at submission time says nothing about what the extension does later. Once installed, the extensions display a full-screen iframe overlay that loads from a remote domain, claude.tapnetic.pro. From there, attackers can command the extension to scan active browser tabs and extract article content using Mozilla's Readability library. The malware also supports speech recognition and can transmit captured transcripts to remote servers. Some of the extensions specifically target Gmail by reading visible email content directly from the page when users open mail.google.com. When users activate AI features such as reply generation or summaries, the extracted email text and contextual data are transmitted to attacker-controlled infrastructure.

The findings follow another report from Q Continuum, which identified 287 Chrome extensions that collect and transmit browsing-history data to external data brokers. These extensions collectively recorded approximately 37.4 million installations, representing about one percent of Chrome's global user base. Researchers noted that browser extensions have previously been used to harvest browsing activity that is later aggregated by analytics and marketing platforms, including Similarweb and Alexa. Security experts advise users to adopt a minimalist approach when installing browser extensions, limiting installations to well-reviewed tools from trusted developers. Regular audits of installed extensions, careful review of permission requests (in particular access to all sites, the tabs API, or the ability to run scripts in pages), removal of anything no longer used, and separate browser profiles for sensitive tasks can significantly reduce the risk of unauthorized data collection and exposure.
