ModHeader browser extension hidden browsing-history collector
Malware Activity
Summary
Hide ▲
Show ▼
The ModHeader browser extension shipped a hidden browsing-history collector in its official store version, exposing about 1.6 million installs to covert domain and header logging. The collector was dormant because its allow-list shipped empty, and no proof shows it actually exfiltrated browsing domains. The code still built a device fingerprint, encrypted visited domains, and prepared daily uploads to api.stanfordstudies[.]com. Google and Microsoft removed the listings from Chrome Web Store and Edge on July 10 and July 3.
Related Happenings
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome extension PUP distribution network with fake organic traffic
Malware ActivityAbout this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Browser-layer visibility guidance for browser-native threats
Defensive Guidance
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Browser-layer visibility guidance for browser-native threats
Defensive GuidanceAbout this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Timeline
-
13.07.2026 20:17 1 articles · 6h ago
Microsoft removes ModHeader from the Edge store
Industry Or Public Sector UpdateMicrosoft pulled the ModHeader Edge listing after researchers identified a hidden browsing-history collector inside the signed extension build. The extension was still advertised as a header editor, but the review found dormant collection logic gated by an empty internal allow-list and prepared to handle encrypted page-domain logs if enabled.
Show sources
- Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found — thehackernews.com — 13.07.2026 20:17
-
13.07.2026 20:17 1 articles · 6h ago
Google removes ModHeader from the Chrome Web Store
Industry Or Public Sector UpdateGoogle removed ModHeader from the Chrome Web Store after the same hidden collector was found in the extension's official store version. The code review indicated that the browsing-history collection path was dormant because the allow-list shipped empty, even though the signed build already contained the hardcoded key, endpoint, and storage logic.
Show sources
- Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found — thehackernews.com — 13.07.2026 20:17
-
13.07.2026 20:17 2 articles · 6h ago
Stripe OLT finds a dormant browsing-history collector in ModHeader
Initial DisclosureStripe OLT identified a hidden browsing-history collector inside ModHeader version 7.0.18, verified that the code shipped in the genuine signed extension, and found that an empty allow-list kept the collector from sending any browsing domains. The analysis also described device fingerprinting, encrypted local storage for up to 1000 distinct domains, and a daily upload path to api.stanfordstudies[.]com, while another script logged request metadata locally and the extension's official-store presence spanned about 1.6 million installs.
Show sources
- Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found — thehackernews.com — 13.07.2026 20:17
- Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found — thehackernews.com — 13.07.2026 20:17