[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-modheader-pulled-from-chrome-and-edge-after-hidden-spyware-found":10,"sections":44},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":34,"tags":35,"sources":39,"feedback":43,"feedback_at":22,"cost_usd":43,"total_tokens":43},4699,"modheader-pulled-from-chrome-and-edge-after-hidden-spyware-found","ModHeader Pulled from Chrome and Edge After Hidden Spyware Found","A hidden spyware SDK in ModHeader v7.0.18 silently collected visited domains and routed them to a Chinese-owned server for 1.6 million users.","A browser extension used by developers to test APIs was quietly shipping user browsing data to a remote server.\n\nSecurity researchers at Stripe OLT found that ModHeader version 7.0.18, a tool with 900,000 Chrome users and 700,000 Edge users, contained a hidden spyware SDK. The SDK collected the domains users visited, encrypted them using what the report calls \"AES-GCP\" (most likely a misprint for the standard AES-GCM authenticated encryption mode — the source does not clarify), and uploaded that data once a day to a Chinese-owned server. The collector was dormant by default, but all the code, encryption keys, and upload schedules were already embedded and ready. Researchers attributed the campaign with low confidence to a Chinese-speaking threat actor, citing the exfiltration domain's routing through Lark, Chinese strings in the code, and a Simplified Chinese locale bundled with the package.\n\nModHeader is built for developers and security researchers, the same people responsible for defending other systems, which makes their browsing patterns an unusually attractive target. The extension also doubled as adware, opening advertising tabs on updates, including on enterprise-managed devices.\n\nMicrosoft delisted the extension on June 3; Google followed on July 10. Stripe OLT notes that store removal doesn't clean the extension off devices where it's already installed: 1.6 million endpoints remain at risk unless someone actively removes it.","[\"security\",\"browser-extensions\",\"spyware\",\"developer-tools\"]","2026-07-14T17:05:00.000Z","2026-07-14T17:53:37.172Z","2026-07-14T17:53:39.972Z","published",null,[24,30],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The article states the encryption algorithm is AES-GCM, but the source material says AES-GCP — this discrepancy must be resolved against an authoritative source before publication, not silently altered in the draft.","resolved",{"id":31,"reviewer":26,"round":32,"reason":33,"status":29},"editor-r2",2,"The article reproduces 'AES-GCP' verbatim from the source without resolving whether this is a typo for AES-GCM or the correct designation — [editor-r1] remains open and must be corrected or editorially noted before publication.","security",[34,36,37,38],"browser-extensions","spyware","developer-tools",[40],{"name":41,"url":42},"TechRadar","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fexperts-get-google-microsoft-to-pull-trusted-modheader-with-1-6-million-installs-after-finding-it-could-harvest-all-kinds-of-data",0,{"sections":45},[46,51,54,59,64,69,74,79,84,89,94,99,104,109],{"name":47,"slug":48,"count":49,"latest_published_at":50},"AI","ai",2599,"2026-07-17T04:00:00.000Z",{"name":52,"slug":34,"count":53,"latest_published_at":50},"Security",305,{"name":55,"slug":56,"count":57,"latest_published_at":58},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":60,"slug":61,"count":62,"latest_published_at":63},"Policy","policy",165,"2026-07-16T22:02:31.000Z",{"name":65,"slug":66,"count":67,"latest_published_at":68},"Hardware","hardware",126,"2026-07-16T20:09:48.000Z",{"name":70,"slug":71,"count":72,"latest_published_at":73},"Consumer Tech","consumer-tech",94,"2026-07-16T16:29:46.000Z",{"name":75,"slug":76,"count":77,"latest_published_at":78},"Software","software",71,"2026-07-16T15:33:28.000Z",{"name":80,"slug":81,"count":82,"latest_published_at":83},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":85,"slug":86,"count":87,"latest_published_at":88},"Dev Tools","dev-tools",60,"2026-07-16T16:59:13.000Z",{"name":90,"slug":91,"count":92,"latest_published_at":93},"Startups","startups",42,"2026-07-16T16:30:35.000Z",{"name":95,"slug":96,"count":97,"latest_published_at":98},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":100,"slug":101,"count":102,"latest_published_at":103},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":105,"slug":106,"count":107,"latest_published_at":108},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":110,"slug":111,"count":112,"latest_published_at":113},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]