Experts get Google, Microsoft to pull trusted ModHeader with 1.6 million installs after finding it could harvest all kinds of data
Stripe OLT found ModHeader v7.0.18 carried a hidden spyware SDK, exfiltrating visited domains daily to a Chinese‑owned server and acting as adware The extension had 1.6M downloads across Chrome and Edge before being pulled but installed endpoints remain at risk Researchers urge defenders to identify
<![CDATA[ <article> <ul><li><strong>Stripe OLT found ModHeader v7.0.18 carried a hidden spyware SDK, exfiltrating visited domains daily to a Chinese‑owned server and acting as adware</strong></li><li><strong>The extension had 1.6M downloads across Chrome and Edge before being pulled but installed endpoints remain at risk</strong></li><li><strong>Researchers urge defenders to identify and remove existing installations, as removal from stores does not automatically remediate compromised devices</strong></li></ul><p>ModHeader, a trusted Chrome and Edge browser extension with more than 1.6 million downloads, was found to be malicious, apparently sending sensitive data to a Chinese-owned server, and has since been pulled on both repositories. </p><p>Security researchers Stripe OLT revealed the news in a new <a href="https://stripeolt.com/knowledge-hub/threat-research/chrome-extension-hidden-data-exfiltration-900k-users/" target="_blank">report</a>, outlining how a ModHeader build v7.0.18 carried a hidden <a href="https://www.techradar.com/best/best-malware-removal" target="_blank">spyware</a> SDK. </p><p>As per Stripe OLT, the spyware collects domains users visit, encrypts the data with AES-GCP, and then sends it - once a day - to a remote server. The collector was found inactive by default, but the required code, encryption key, and upload schedule were all already embedded in the extension.</p><h2 id="links-to-chinese-actors">Links to Chinese actors</h2><p>Researchers found no command-and-control functionality, which means the server only receives the stolen data and cannot communicate back. The extension also worked as an adware, displaying ads and opening advertising tabs on updates, including on enterprise-managed devices.</p><p>The researchers attributed the attack, albeit with low confidence, to a Chinese-speaking threat actor. The exfiltration domain routes emails through Lark, which is a suite common with Chinese-speaking teams, it was said. They also found Chinese strings in the code, and said that the listing ships a Simplified Chinese locale. </p><p>ModHeader is a Chrome and Edge <a href="https://www.techradar.com/best/browser" target="_blank">browser</a> extension that allows users to modify HTTP request and response headers sent between their browser and websites. Developers and security researchers use it to test APIs, troubleshoot applications, and simulate different environments. It has around 900,000 users on Chrome, and another 700,000 on Edge. </p><p>According to <a href="https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html" target="_blank"><em>The Hacker News</em></a>, Microsoft pulled the tool from its repository on June 3 2026, followed by Google a week later, on July 10. </p><p>“Following our disclosure, Google has removed the extension from the Chrome Web Store,” Stripe OLT concluded. “We welcome this action, but removal from the store does not automatically remediate endpoints where the extension was already installed, so defenders should continue to identify and remove existing installations.”</p> </article> ]]>
Read the full article on TechRadar
Read Full Article →