Find notable cyber news and cases, enriched with sources, timelines, and signals.

ModHeader browser extension hidden browsing-history collector

Malware Activity
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

The ModHeader browser extension shipped a hidden browsing-history collector in its official store version, exposing about 1.6 million installs to covert domain and header logging. The collector was dormant because its allow-list shipped empty, and no proof shows it actually exfiltrated browsing domains. The code still built a device fingerprint, encrypted visited domains, and prepared daily uploads to api.stanfordstudies[.]com. Google and Microsoft removed the listings from Chrome Web Store and Edge on July 10 and July 3.

Related Happenings

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Chrome extension PUP distribution network with fake organic traffic

Malware Activity
H score18 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Browser-layer visibility guidance for browser-native threats

Defensive Guidance
H score22 First: 05.06.2026 17:00 Last: 05.06.2026 17:00 Sources 1

About this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...

Timeline

  1. 13.07.2026 20:17 1 articles · 6h ago

    Microsoft removes ModHeader from the Edge store

    Industry Or Public Sector Update

    Microsoft pulled the ModHeader Edge listing after researchers identified a hidden browsing-history collector inside the signed extension build. The extension was still advertised as a header editor, but the review found dormant collection logic gated by an empty internal allow-list and prepared to handle encrypted page-domain logs if enabled.

    Show sources
  2. 13.07.2026 20:17 1 articles · 6h ago

    Google removes ModHeader from the Chrome Web Store

    Industry Or Public Sector Update

    Google removed ModHeader from the Chrome Web Store after the same hidden collector was found in the extension's official store version. The code review indicated that the browsing-history collection path was dormant because the allow-list shipped empty, even though the signed build already contained the hardcoded key, endpoint, and storage logic.

    Show sources
  3. 13.07.2026 20:17 2 articles · 6h ago

    Stripe OLT finds a dormant browsing-history collector in ModHeader

    Initial Disclosure

    Stripe OLT identified a hidden browsing-history collector inside ModHeader version 7.0.18, verified that the code shipped in the genuine signed extension, and found that an empty allow-list kept the collector from sending any browsing domains. The analysis also described device fingerprinting, encrypted local storage for up to 1000 distinct domains, and a daily upload path to api.stanfordstudies[.]com, while another script logged request metadata locally and the extension's official-store presence spanned about 1.6 million installs.

    Show sources