A browser extension used by developers to test APIs was quietly shipping user browsing data to a remote server.
Security researchers at Stripe OLT found that ModHeader version 7.0.18, a tool with 900,000 Chrome users and 700,000 Edge users, contained a hidden spyware SDK. The SDK collected the domains users visited, encrypted them using what the report calls "AES-GCP" (most likely a misprint for the standard AES-GCM authenticated encryption mode — the source does not clarify), and uploaded that data once a day to a Chinese-owned server. The collector was dormant by default, but all the code, encryption keys, and upload schedules were already embedded and ready. Researchers attributed the campaign with low confidence to a Chinese-speaking threat actor, citing the exfiltration domain's routing through Lark, Chinese strings in the code, and a Simplified Chinese locale bundled with the package.
ModHeader is built for developers and security researchers, the same people responsible for defending other systems, which makes their browsing patterns an unusually attractive target. The extension also doubled as adware, opening advertising tabs on updates, including on enterprise-managed devices.
Microsoft delisted the extension on June 3; Google followed on July 10. Stripe OLT notes that store removal doesn't clean the extension off devices where it's already installed: 1.6 million endpoints remain at risk unless someone actively removes it.