Close Menu
    What's Hot

    Trump Pressures ICE to Resume Traffic Stops After They Were Halted Over Fatal Shootings

    Opinion | The Supreme Court Is Drunk on Originalism

    In 1826, Simón Bolívar Called for Latin America to Resist Great Powers

    Facebook X (Twitter) Instagram
    Trending
    • Trump Pressures ICE to Resume Traffic Stops After They Were Halted Over Fatal Shootings
    • Opinion | The Supreme Court Is Drunk on Originalism
    • In 1826, Simón Bolívar Called for Latin America to Resist Great Powers
    • MSI Claw 8 EX AI+ Review: Great Power, Shocking Price
    • Goldman’s Former Top Lawyer Calls Epstein a ‘Masterful Liar’
    • Chipmaker CXMT seeks $10bn in largest China IPO since 2010
    • PayPal: A $53 Billion Deal May Still Misprice The Business (NASDAQ:PYPL)
    • ‘Sunshine Protection Act’ passes in the House as Congress revisits daylight saving time
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History

    adminBy adminFebruary 14, 2026No Comments7 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History

    Cybersecurity researchers have discovered a malicious Google Chrome extension that’s designed to steal data associated with Meta Business Suite and Facebook Business Manager.

    The extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is marketed as a way to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes. The extension has 33 users as of writing. It was first uploaded to the Chrome Web Store on March 1, 2025.

    However, the browser add-on also exfiltrates TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor, Socket said.

    “The extension requests broad access to meta.com and facebook.com and claims in its privacy policy that 2FA secrets and Business Manager data remain local,” security researcher Kirill Boychenko said.

    “In practice, the code transmits TOTP seeds and current one-time security codes, Meta Business ‘People’ CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor.”

    By targeting users of Meta Business Suite and Facebook Business Manager, the threat actor behind the operation has leveraged the extension to conduct data collection and exfiltration without users’ knowledge or consent.

    While the extension does not have capabilities to steal password-related information, the attacker could obtain such information beforehand from other sources, such as infostealer logs or credential dumps, and then use the stolen codes to gain unauthorized access to victims’ accounts.

    Cybersecurity

    The full scope of the malicious add-on’s capabilities is listed below –

    • Steal TOTP seed (a unique, alphanumeric code that’s used to generate time-based one-time passwords) and 2FA code
    • Target Business Manager “People” view by navigating to facebook[.]com and meta[.]com and build a CSV file with names, email addresses, roles and permissions, and their status and access details.
    • Enumerate Business Manager-level entities and their linked assets and build a CSV file of Business Manager IDs and names, attached ad accounts, connected pages and assets, and billing and payment configuration details.

    Socket warned that despite the low number of installs, the extension gives the threat actor enough information to identify high-value targets and mount follow-on attacks.

    “CL Suite by @CLMasters shows how a narrow browser extension can repackage data scraping as a ‘tool’ for Meta Business Suite and Facebook Business Manager,” Boychenko said.

    “Its people extraction, Business Manager analytics, popup suppression, and in-browser 2FA generation are not neutral productivity features, they are purpose-built scrapers for high-value Meta surfaces that collect contact lists, access metadata, and 2FA material straight from authenticated pages.”

    Chrome Extensions Hijack VKontakte Accounts

    The disclosure comes as Koi Security found that about 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The large-scale campaign has been codenamed VK Styles.

    The malware embedded in the extensions is designed to engage in active account manipulation by automatically subscribing users to the attacker’s VK groups, resetting account settings every 30 days to override user preferences, manipulating Cross-Site Request Forgery (CSRF) tokens to bypass VK’s security protections, and maintaining persistent control.

    The activity has been traced to a threat actor operating under the GitHub username 2vk, who has relied on VK’s own social network to distribute malicious payloads and build a follower base through forced subscriptions. The names of the extensions are listed below –

    • VK Styles – Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
    • VK Music – audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
    • Music Downloader – VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
    • vksaver – music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
    • VKfeed – Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

    One of the defining traits of the campaign is the use of a VK profile’s (“vk[.]com/m0nda”) HTML metadata tags as a dead drop resolver to conceal the next-stage payload URLs and, therefore, evade detection. The next-stage payload is hosted in a public repository named “-” that’s associated with 2vk. Present in the payload is obfuscated JavaScript that’s injected into every VK page the victim visits.

    The repository is still accessible as of writing, with the file, simply named “C,” receiving a total of 17 commits between June 2025 and January 2026, as the operator refined and added new functionality.

    “Each commit shows deliberate refinement,” security researcher Ariel Cohen said. “This isn’t sloppy malware – it’s a maintained software project with version control, testing, and iterative improvements.”

    VK Styles has primarily affected Russian-speaking users, who are VK’s main demographic, as well as users across Eastern Europe, Central Asia, and Russian diaspora communities globally. The campaign is assessed to be active since at least June 22, 2025, when the initial version of the payload was pushed to the “-” repository.

    Cybersecurity

    Fake AI Chrome Extensions Steal Credentials, Emails

    The findings also coincide with the discovery of another coordinated campaign dubbed AiFrame, where a cluster of 32 browser add-ons advertised as artificial intelligence (AI) assistants for summarization, chat, writing, and Gmail assistance are being used to siphon sensitive data. These extensions have been collectively installed by more than 260,000 users.

    “While these tools appear legitimate on the surface, they hide a dangerous architecture: instead of implementing core functionality locally, they embed remote, server-controlled interfaces inside extension-controlled surfaces and act as privileged proxies, granting remote infrastructure access to sensitive browser capabilities,” LayerX researcher Natalie Zargarov said. 

    The names of the malicious extensions are as follows –

    • AI Assistant (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
    • Llama (ID: gcfianbpjcfkafpiadmheejkokcmdkjl)
    • Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
    • AI Sidebar (ID: djhjckkfgancelbmgcamjimgphaphjdl)
    • ChatGPT Sidebar (ID: llojfncgbabajmdglnkbhmiebiinohek)
    • AI Sidebar (ID: gghdfkafnhfpaooiolhncejnlgglhkhe)
    • Grok (ID: cgmmcoandmabammnhfnjcakdeejbfimn)
    • Asking Chat Gpt (ID: phiphcloddhmndjbdedgfbglhpkjcffh)
    • ChatGBT (ID: pgfibniplgcnccdnkhblpmmlfodijppg)
    • Chat Bot GPT (ID: nkgbfengofophpmonladgaldioelckbe)
    • Grok Chatbot (ID: gcdfailafdfjbailcdcbjmeginhncjkb)
    • Chat With Gemini (ID: ebmmjmakencgmgoijdfnbailknaaiffh)
    • XAI (ID: baonbjckakcpgliaafcodddkoednpjgf)
    • Google Gemini (ID: fdlagfnfaheppaigholhoojabfaapnhb)
    • Ask Gemini (ID: gnaekhndaddbimfllbgmecjijbbfpabc)
    • AI Letter Generator (ID: hgnjolbjpjmhepcbjgeeallnamkjnfgi)
    • AI Message Generator (ID: lodlcpnbppgipaimgbjgniokjcnpiiad)
    • AI Translator (ID: cmpmhhjahlioglkleiofbjodhhiejhei)
    • AI For Translation (ID: bilfflcophfehljhpnklmcelkoiffapb)
    • AI Cover Letter Generator (ID: cicjlpmjmimeoempffghfglndokjihhn)
    • AI Image Generator Chat GPT (ID: ckneindgfbjnbbiggcmnjeofelhflhaj)
    • Ai Wallpaper Generator (ID: dbclhjpifdfkofnmjfpheiondafpkoed)
    • Ai Picture Generator (ID: ecikmpoikkcelnakpgaeplcjoickgacj)
    • DeepSeek Download (ID: kepibgehhljlecgaeihhnmibnmikbnga)
    • AI Email Writer (ID: ckicoadchmmndbakbokhapncehanaeni)
    • Email Generator AI (ID: fnjinbdmidgjkpmlihcginjipjaoapol)
    • DeepSeek Chat (ID: gohgeedemmaohocbaccllpkabadoogpl)
    • ChatGPT Picture Generator (ID: flnecpdpbhdblkpnegekobahlijbmfok)
    • ChatGPT Translate (ID: acaeafediijmccnjlokgcdiojiljfpbe)
    • AI GPT (ID: kblengdlefjpjkekanpoidgoghdngdgl)
    • ChatGPT Translation (ID: idhknpoceajhnjokpnbicildeoligdgh)
    • Chat GPT for Gmail (ID: fpmkabpaklbhbhegegapfkenkmpipick)

    Once installed, these extensions render a full-screen iframe overlay pointing to a remote domain (“claude.tapnetic[.]pro”), allowing the attackers to remotely introduce new capabilities without requiring a Chrome Web Store update. When instructed by the iframe, the add-ons query the active browser tab and invoke a content script to extract readable article content using Mozilla’s Readability library.

    The malware also supports the capability to start speech recognition and exfiltrate the resulting transcript to the remote page. What’s more, a smaller set of the extensions contain functionality to specifically target Gmail by reading visible email content directly from the document object model (DOM) when a victim visits mail.google[.]com.

    “When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension’s logic and transmitted to third-party backend infrastructure controlled by the extension operator,” LayerX said. “As a result, email message text and related contextual data may be sent off-device, outside of Gmail’s security boundary, to remote servers.”

    287 Chrome Extensions Exfiltrate Browsing History

    The developments show how web browser extensions are increasingly being abused by bad actors to harvest and exfiltrate sensitive data by passing them off as seemingly legitimate tools and utilities.

    A report published by Q Continuum last week found a huge collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations, representing roughly 1% of the global Chrome userbase.

    “It was shown in the past that Chrome extensions are used to exfiltrate user browser history that is then collected by data brokers such as Similarweb and Alexa,” the researcher said.

    Given the risks involved, users are recommended to adopt a minimalist approach by only installing necessary, well-reviewed tools from official stores. It’s also essential to periodically audit installed extensions for any signs of malicious behavior or excessive permission requests.

    Other ways that users and organizations can ensure greater security include using separate browser profiles for sensitive tasks and implementing extension allowlisting to block those that are malicious or non-compliant.

    Browsing business caught Chrome data emails extensions History malicious Stealing
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleBachelor and Bachelorette Parties As Vacations: The…
    Next Article Here are the 50 best Presidents Day deals we’ve found so far
    admin
    • Website

    Related Posts

    PayPal: A $53 Billion Deal May Still Misprice The Business (NASDAQ:PYPL)

    July 15, 2026

    Firefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Security Flaws

    July 15, 2026

    Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Trump Pressures ICE to Resume Traffic Stops After They Were Halted Over Fatal Shootings

    Opinion | The Supreme Court Is Drunk on Originalism

    In 1826, Simón Bolívar Called for Latin America to Resist Great Powers

    MSI Claw 8 EX AI+ Review: Great Power, Shocking Price

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by