- Stripe OLT discovered that ModHeader v7.0.18 contained a hidden spyware SDK, exfiltrating visited domains to a Chinese server on a daily basis and acting as adware.
- The extension saw 1.6 million downloads on Chrome and Edge before being removed, but installed endpoints remain at risk.
- Researchers urge defenders to identify and remove existing installations because removing stores does not automatically fix compromised devices.
ModHeader, a trusted Chrome and Edge browser extension with over 1.6 million downloads, was found to be malicious, apparently sending sensitive data to a Chinese-owned server, and has since been pulled from both repositories.
Security researchers Stripe OLT revealed the news in a new report, describing how a ModHeader v7.0.18 build contained a hidden spyware SDK.
According to Stripe OLT, the spyware collects the domains users visit, encrypts the data with AES-GCP, then sends it – once a day – to a remote server. The collector was deemed inactive by default, but the required code, encryption key, and download schedule were all already integrated into the extension.
Links to Chinese actors
Researchers found no command-and-control functionality, meaning the server only receives the stolen data and cannot communicate back. The extension also functioned as adware, displaying advertisements and opening ad tabs on updates, including on company-managed devices.
Researchers attributed the attack, albeit with low confidence, to a Chinese-speaking threat actor. The exfiltration domain routes emails through Lark, which is a common suite for Chinese-speaking teams, it was reported. They also found Chinese strings in the code and said the list contained Simplified Chinese locales.
ModHeader is a Chrome and Edge browser extension that allows users to modify HTTP request and response headers sent between their browser and websites. Developers and security researchers use it to test APIs, troubleshoot applications, and simulate different environments. It has around 900,000 users on Chrome and another 700,000 on Edge.
According to Hacker newsMicrosoft removed the tool from its repository on June 3, 2026, followed by Google a week later on July 10.
“Following our disclosure, Google removed the extension from the Chrome Web Store,” Stripe OLT concluded. “We welcome this action, but removing the store does not automatically fix endpoints that had the extension already installed, so defenders should continue to identify and remove existing installations.”

Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.






























