ModHeader Extension Removed for Covert Data Collection

ModHeader Extension Removed for Covert Data Collection

First seen 14 Jul 2026, 14:06 UTC CybersecuritynewsTechnadustripeolt.comthehackernews.comhackindex.io+2 84% similarity 71.0

Article Content

Browse articles
ThreatCluster

The ModHeader browser extension, used by approximately 1.6 million users across Chrome and Edge, was removed after researchers discovered a dormant data-collection capability embedded in its signed release. The extension contained a hidden spyware SDK that could harvest and encrypt browsing data, although it was inactive due to an empty allow-list. Google and Microsoft took action to remove the extension from their stores following the findings, which were verified by a U.K.-based security firm. Users are advised to check and remove ModHeader from their devices as it remains installed unless manually deleted. The malicious infrastructure is linked to a domain masquerading as 'Stanford Studies,' with indications of a Chinese-speaking operator. The incident highlights vulnerabilities in trusted extensions and the potential for supply-chain attacks.

Key Points: • ModHeader extension, with 1.6 million installs, was removed for hidden data collection. • The spyware SDK was dormant but could be activated through future updates. • Users must manually remove ModHeader as it remains installed on their devices.

ThreatCluster AI

Timeline

2026-07-03
Microsoft removes ModHeader from Edge store
Microsoft took down the ModHeader extension after security reports of data collection capabilities were confirmed.
Technadu
2026-07-10
Google pulls ModHeader from Chrome Web Store
Following Microsoft's lead, Google removed ModHeader after verifying the presence of dormant data collection mechanisms.
Technadu
2026-07-13
Security report updated with findings
A U.K.-based security firm confirmed the data collection capabilities embedded in the ModHeader extension.
Technadu
2026-07-14
ModHeader analysis published
A detailed analysis of ModHeader's malware capabilities and its potential impact was published, revealing the spyware SDK.
hackindex.io

Community

Browse all →