CL Suite Chrome extension stealing Meta Business data
Malware Activity
Summary
Hide ▲
Show ▼
The CL Suite Chrome extension is exfiltrating TOTP seeds, current 2FA codes, and Meta Business data from Meta Business Suite and Facebook Business Manager users, creating a path to follow-on account access. It was first uploaded to the Chrome Web Store on March 1, 2025 and had 33 users as of writing. The extension requests broad access to meta.com and facebook.com and sends stolen payloads to getauth[.]pro. It can also forward the same data to a Telegram channel controlled by the operator.
Related Happenings
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome extension PUP distribution network with fake organic traffic
Malware ActivityAbout this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
H score38
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score11
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical Analysis
H score25
First: 11.03.2026 18:38
Last: 11.03.2026 18:38
Sources 1
About this happening:
**Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical AnalysisAbout this happening: **Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
Timeline
-
13.02.2026 13:25 1 articles · 4mo ago
CL Suite first uploaded to Chrome Web Store
Untyped PhaseCL Suite by @CLMasters is first uploaded to the Chrome Web Store as a Google Chrome extension with ID jkphinfhmfkckkcnifhjiplhfoiefffl, establishing the add-on's distribution point before its later use against Meta Business Suite and Facebook Business Manager users.
Show sources
- Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History — thehackernews.com — 13.02.2026 13:25
-
13.02.2026 13:25 2 articles · 4mo ago
CL Suite disclosed stealing Meta Business data
Initial DisclosureResearchers disclose that CL Suite by @CLMasters targets Meta Business Suite and Facebook Business Manager users, requests broad access to meta.com and facebook.com, and exfiltrates TOTP seeds, current one-time security codes, Meta Business 'People' CSV exports, and Business Manager analytics data to getauth[.]pro, with optional forwarding to a Telegram channel controlled by the operator; Socket also warns that the low install count still gives the threat actor enough information to identify high-value targets and mount follow-on attacks.
Show sources
- Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History — thehackernews.com — 13.02.2026 13:25
- Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History — thehackernews.com — 13.02.2026 13:25