- Stripe OLT found ModHeader v7.0.18 carried a hidden spyware SDK, exfiltrating visited domains daily to a Chinese‑owned server and acting as adware
- The extension had 1.6M downloads across Chrome and Edge before being pulled but installed endpoints remain at risk
- Researchers urge defenders to identify and remove existing installations, as removal from stores does not automatically remediate compromised devices
ModHeader, a trusted Chrome and Edge browser extension with more than 1.6 million downloads, was found to be malicious, apparently sending sensitive data to a Chinese-owned server, and has since been pulled on both repositories.
Security researchers Stripe OLT revealed the news in a new report, outlining how a ModHeader build v7.0.18 carried a hidden spyware SDK.
As per Stripe OLT, the spyware collects domains users visit, encrypts the data with AES-GCP, and then sends it – once a day – to a remote server. The collector was found inactive by default, but the required code, encryption key, and upload schedule were all already embedded in the extension.
Links to Chinese actors
Researchers found no command-and-control functionality, which means the server only receives the stolen data and cannot communicate back. The extension also worked as an adware, displaying ads and opening advertising tabs on updates, including on enterprise-managed devices.
The researchers attributed the attack, albeit with low confidence, to a Chinese-speaking threat actor. The exfiltration domain routes emails through Lark, which is a suite common with Chinese-speaking teams, it was said. They also found Chinese strings in the code, and said that the listing ships a Simplified Chinese locale.
ModHeader is a Chrome and Edge browser extension that allows users to modify HTTP request and response headers sent between their browser and websites. Developers and security researchers use it to test APIs, troubleshoot applications, and simulate different environments. It has around 900,000 users on Chrome, and another 700,000 on Edge.
According to The Hacker News, Microsoft pulled the tool from its repository on June 3 2026, followed by Google a week later, on July 10.
“Following our disclosure, Google has removed the extension from the Chrome Web Store,” Stripe OLT concluded. “We welcome this action, but removal from the store does not automatically remediate endpoints where the extension was already installed, so defenders should continue to identify and remove existing installations.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/97XMVxvuGbBvxfxdd8VJqH-2560-80.jpg
Source link




