Malicious Chrome Extensions Exposed for Stealing Business Data, Emails, and Browsing History

Browser extensions are once again under scrutiny after multiple investigations revealed coordinated campaigns abusing Google Chrome add-ons to steal business intelligence, authentication codes, emails, and browsing history. Security researchers have identified several malicious extensions impersonating productivity tools, AI assistants, and social media customization plugins.

These threats specifically target platforms such as Meta Business Suite, Facebook Business Manager, Google Chrome, and Gmail, exposing both individuals and organizations to serious account takeover risks.

Malicious CL Suite Extension Steals Meta Business Data

Cybersecurity firm Socket identified a Chrome extension called CL Suite by @CLMasters that was promoted as a tool to scrape Meta Business Suite data and generate two-factor authentication codes.

Despite marketing claims that sensitive data remains local, analysis showed the extension transmits:

  • TOTP seeds used to generate time-based one-time passwords
  • Active 2FA security codes
  • Meta Business Manager contact lists
  • Analytics data exports
  • Business Manager access and billing information

The stolen data is sent to infrastructure controlled by the threat actor at getauth[.]pro, with optional forwarding to a Telegram channel operated by the attacker.

Technical Impact

By extracting TOTP seeds and current authentication codes, attackers can bypass two-factor authentication if they already possess stolen credentials from infostealer logs or credential dumps.

Even though the extension does not directly steal passwords, combining previously leaked credentials with harvested 2FA data enables unauthorized access to high value business accounts.

Security researchers warn that even with only dozens of installs, such tools allow threat actors to identify high-value targets for follow-on attacks.

Chrome Extensions Hijack VKontakte Accounts

In a separate campaign discovered by Koi Security, approximately 500,000 users of VKontakte had their accounts silently compromised.

The campaign, codenamed VK Styles, distributed malicious Chrome extensions disguised as VK customization tools. Once installed, the malware:

  • Automatically subscribed users to attacker-controlled groups
  • Reset account settings every 30 days
  • Manipulated CSRF tokens to bypass protections
  • Maintained persistent access

The operation is linked to a threat actor using the GitHub username 2vk. Instead of hosting obvious command-and-control infrastructure, the actor used VK profile metadata as a dead-drop resolver to hide next-stage payload URLs.


The malicious JavaScript payload, stored in a public repository, was actively maintained with 17 commits between June 2025 and January 2026, showing structured development and refinement.

Geographic Targeting

The campaign primarily impacted Russian-speaking users across Eastern Europe, Central Asia, and diaspora communities. Evidence suggests the activity has been ongoing since at least June 2025.

Fake AI Chrome Extensions Steal Emails and Credentials

Another large-scale campaign known as AiFrame involved 32 Chrome extensions posing as AI assistants for summarization, chat, translation, and Gmail support.

Security firm LayerX reported that these extensions collectively reached over 260,000 installations.

Impersonated services included references to:

  • ChatGPT
  • Gemini
  • Grok

Instead of processing data locally, the extensions embedded remote, server-controlled iframes that allowed attackers to introduce new functionality dynamically without pushing Chrome Web Store updates.


When activated, the extensions could:

  • Extract readable article content using Mozilla Readability
  • Capture speech recognition transcripts
  • Access Gmail message content from the browser DOM
  • Transmit email text and contextual data to remote infrastructure

This architecture effectively turned the extensions into privileged proxies, granting attackers direct access to sensitive browser data.

287 Chrome Extensions Exfiltrate Browsing History

A separate report by Q Continuum revealed 287 Chrome extensions that collect and transmit browsing history to data brokers. These add-ons collectively accounted for 37.4 million installations, approximately 1 percent of the global Chrome user base.

Researchers noted that browser history data is often monetized by brokers such as Similarweb and Alexa.


The findings demonstrate how browser extensions remain a persistent attack vector for large scale data harvesting operations.
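As an added defender-side example (not code from any of the reports above), the following script audits an unpacked extension's manifest for the access the AiFrame and history-harvesting campaigns relied on: content scripts or host permissions reaching Gmail or Meta Business pages, and permissions such as history that let an extension read browsing data. The sensitive-host list and the sample manifest are constructed for illustration; the remote-iframe technique itself is not visible in a manifest, so this check covers scope, not behaviour.

```python
import json

# Hosts the campaigns above targeted (Gmail, Meta Business, VK); constructed list
SENSITIVE_HOSTS = {"mail.google.com", "business.facebook.com", "vk.com"}
# Permissions that enable history harvesting or request interception; constructed list
RISKY_PERMISSIONS = {"history", "webRequest", "tabs", "cookies"}

def match_pattern_host(pattern):
    """Return the host part of a Chrome match pattern, '*' for any host."""
    if pattern == "<all_urls>":
        return "*"
    _, _, rest = pattern.partition("://")
    return rest.split("/", 1)[0]

def host_is_sensitive(host):
    """True when the pattern host covers one of the sensitive hosts."""
    if host == "*":
        return True
    if host.startswith("*."):
        suffix = host[2:]
        return any(h == suffix or h.endswith("." + suffix) for h in SENSITIVE_HOSTS)
    return host in SENSITIVE_HOSTS

def audit_manifest(manifest):
    """Return a list of findings for a parsed manifest.json dict."""
    findings = []
    patterns = list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    for pattern in patterns:
        if host_is_sensitive(match_pattern_host(pattern)):
            findings.append(f"sensitive host access via {pattern}")
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings.append(f"risky permission: {perm}")
    return findings

def audit_manifest_text(text):
    """Convenience wrapper for the raw contents of a manifest.json file."""
    return audit_manifest(json.loads(text))

# Constructed sample: an "AI assistant" asking for Gmail, every page, and history
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "AI Summarizer Helper (constructed sample)",
    "permissions": ["storage", "history", "activeTab"],
    "host_permissions": ["https://mail.google.com/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it against the manifest.json of each unpacked extension under the browser profile's Extensions directory to get a quick list of add-ons whose scope warrants closer review.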
