Malicious Chrome extension discovered to be stealing business data, email, and browsing history

By user, February 13, 2026

Cybersecurity researchers have discovered a malicious Google Chrome extension designed to steal data related to Meta Business Suite and Facebook Business Manager.

The extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoieffl), is marketed as a way to collect Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes. This extension has 33 users at the time of writing. It was first uploaded to the Chrome Web Store on March 1, 2025.

But the browser add-on also leaks TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data to infrastructure controlled by threat actors, Socket said.

“The extension requests broad access to meta.com and facebook.com, and its privacy policy claims that sensitive 2FA and Business Manager data remains local,” security researcher Kirill Boychenko said.

“Actually, the code sends the TOTP seed and current one-time code, the Meta Business “People” CSV export, and Business Manager analytics data to the getauth[.]pro backend, which has the option to forward the same payload to a Telegram channel controlled by the threat actor.”

By targeting Meta Business Suite and Facebook Business Manager users, the operators used the extension to collect and exfiltrate data without the users' knowledge or consent.

Although the extension cannot steal passwords, an attacker may already hold them from other sources, such as infostealer logs or credential dumps, and can combine them with the stolen 2FA material to gain unauthorized access to the victim's account.

The full scope of the malicious add-on's functionality is listed below:

  • Steal TOTP seeds (the secret values used to generate time-based one-time passwords) and current 2FA codes.
  • Target Business Manager's “People” view on facebook[.]com and meta[.]com and create a CSV file containing names, email addresses, roles and permissions, and status and access details.
  • Enumerate Business Manager-level entities and their linked assets and create a CSV file with Business Manager IDs and names, attached ad accounts, connected pages and assets, and billing and payment configuration details.

Socket warned that despite the low number of installations, the extension provides threat actors with enough information to identify high-value targets and launch subsequent attacks.

“CL Suite by @CLMasters shows how narrow browser extensions can repackage data scraping as a ‘tool’ for Meta Business Suite and Facebook Business Manager,” Boychenko said.

“Its people extraction, Business Manager analytics, pop-up suppression, and in-browser 2FA generation are not neutral productivity features. They are high-value, Meta-surface-only scrapers that collect contact lists, access metadata, and 2FA material directly from authenticated pages.”

Hijacking of VKontakte accounts via Chrome extensions

The disclosure comes after Koi Security found that approximately 500,000 VKontakte users had their accounts silently compromised through Chrome extensions disguised as VK customization and download tools. The large-scale campaign is codenamed “VK Styles.”

The malware embedded in the extensions performs active account operations: it automatically subscribes the user to attacker-controlled VK groups, resets the account settings every 30 days to overwrite any changes the user makes, and manipulates cross-site request forgery (CSRF) tokens to bypass VK's security protections and maintain persistent control.

The activity has been attributed to an actor operating under the GitHub username 2vk. The attacker used VK's own social network to distribute the malicious payloads and to build a follower base through forced subscriptions. The extensions involved are listed below:

  • VK Style – Theme from vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
  • VK Music – Audio Saver (ID: mflibpdjoodmoppignjhciadahapkoch)
  • Music Downloader – VKsaver (ID: lgakkahjfibfmacigibnhcgepajgfdb)
  • vksaver – Music Saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
  • VKfeed – Download music and videos from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

A notable feature of the campaign is its use of the HTML metadata tags of a VK profile (vk[.]com/m0nda) as a dead-drop resolver, hiding the URL of the next-stage payload to evade detection. The next-stage payload is hosted in a public GitHub repository named ‘-’ associated with 2vk, and contains obfuscated JavaScript that is injected into every VK page the victim visits.

The repository is still accessible at the time of writing, and the file, simply named “C,” received a total of 17 commits between June 2025 and January 2026, as operators improved it and added new features.

“Each commit is a deliberate improvement,” security researcher Ariel Cohen said. “This is not some sloppy malware. It’s a software project maintained with version control, testing, and iterative improvement.”

VK Styles primarily affects Russian-speaking users, VK's main demographic, as well as users in Eastern Europe, Central Asia, and Russian diaspora communities around the world. The campaign is assessed to have been active since at least June 22, 2025, when an initial version of the payload was pushed to the ‘-’ repository.

Fake AI Chrome extensions steal credentials and emails

The finding coincides with the discovery of another coordinated campaign, called AiFrame, in which a cluster of 32 browser add-ons advertised as artificial intelligence (AI) assistants that summarize, chat, write, and help with Gmail is used to siphon sensitive data. The extensions have been installed by over 260,000 users in total.

“These tools look legitimate on the surface, but they hide a dangerous architecture. Instead of implementing core functionality locally, they embed remote server control interfaces within the extension-controlled surface, acting as privileged proxies and granting remote infrastructure access to sensitive browser functionality,” said LayerX researcher Natalie Zargarov.

The names of the malicious extensions are:

  • AI Assistant (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
  • Llama (ID: gcfianbpjcfkafpiadmheejkokcmdkjl)
  • Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
  • AI Sidebar (ID: djhjckkfgancelbmgcamjimgphaphjdl)
  • ChatGPT Sidebar (ID: llojfncgbabajmdglnkbhmiebiinohek)
  • AI Sidebar (ID: gghdfkafnhfpaooiolhncejnlgglhkhe)
  • Grok (ID: cgmmcoandmabammnhfnjcakdeejbfimn)
  • Asking Chat Gpt (ID: phiphcloddhmndjbdedgfbglhpkjcffh)
  • ChatGBT (ID: pgfibniplgcnccdnkhblpmmlfodijppg)
  • Chatbot GPT (ID: nkgbfengofophpmonladgaldioelckbe)
  • Grok Chatbot (ID: gcdfailafdfjbailcdcbjmeginhncjkb)
  • Chat with Gemini (ID: ebmmjmakencgmgoijdfnbailknaaiffh)
  • XAI (ID: baonbjckakcpgliaafcodddkoednpjgf)
  • Google Gemini (ID: fdlagfnfaheppaigholhoojabfaapnhb)
  • Ask Gemini (ID: gnaekhndaddbimfllbgmecjijbbfpabc)
  • AI Letter Generator (ID: hgnjolbjpjmhepcbjgeeallnamkjnfgi)
  • AI Message Generator (ID: lodlcpnbppgipaimgbjgniokjcnpiiad)
  • AI Translator (ID: cmpmhhjahlioglkleiofbjodhhiejhei)
  • AI for Translation (ID: bilfflcophfehljhpnklmcelkoiffapb)
  • AI Cover Letter Generator (ID: cicjlpmjmimeoempffghfglndokjihhn)
  • AI Image Generator Chat GPT (ID: ckneindgfbjnbbiggcmnjeofelhflhaj)
  • Ai Wallpaper Generator (ID: dbclhjpifdfkofnmjfpheiondafpkoed)
  • Ai Picture Generator (ID: ecikmpoikkcelnakpgaeplcjoickgacj)
  • DeepSeek Download (ID: kepibgehhljlecgaeihhnmibnmikbnga)
  • AI Email Writer (ID: ckicoadchmmndbakbokhapncehanaeni)
  • Email Generator AI (ID: fnjinbdmidgjkpmlihcginjipjaoapol)
  • DeepSeek Chat (ID: gohgeedemmaohocbaccllpkabadoogpl)
  • ChatGPT Image Generator (ID: flnecpdpbhdblkpnegekobahlijbmfok)
  • ChatGPT Translator (ID: acaeafediijmccnjlokgcdiojiljfpbe)
  • AI GPT (ID: kblengdlefjpjkekanpoidgoghdngdgl)
  • Chat GPT Translation (ID: idhknpoceajhnjokpnbicildeoligdgh)
  • Chat GPT for Gmail (ID: fpmkabpaklbhbhegegapfkenkmpipick)

Once installed, the extensions display a full-screen iframe overlay pointing to a remote domain (claude.tapnetic[.]pro), which lets the operator push new functionality remotely without a Chrome Web Store update, and therefore without any store review of the new code. When instructed by the iframe, the add-on queries the active browser tab and invokes a content script that extracts the readable article content using Mozilla's Readability library.

The malware can also start speech recognition and leak the resulting transcript to the remote page. In addition, a small subset of the extensions specifically targets Gmail, reading the content of the displayed email directly from the Document Object Model (DOM) when the victim visits mail.google[.]com.

“When a Gmail-related feature such as AI-assisted reply or summary is invoked, the extracted email content is passed to the extension’s logic and sent to a third-party backend infrastructure controlled by the extension operator,” LayerX said. “As a result, email message text and associated contextual data could be sent off-device to remote servers outside Gmail’s security perimeter.”

287 Chrome extensions leak browsing history

These findings show that web browser extensions are increasingly being abused by malicious actors to collect and exfiltrate sensitive data under the guise of legitimate tools and utilities.

A report released last week by Q Continuum uncovered a collection of 287 Chrome extensions that leak users' browsing history to data brokers. These extensions have been installed 37.4 million times in total, representing approximately 1% of the global Chrome user base.

“Chrome extensions have been shown in the past to be used to steal users’ browser history, which is then collected by data brokers such as Similarweb and Alexa,” the researchers said.

Given these risks, users are advised to take a minimalist approach: install only necessary, well-reviewed extensions from official stores, and regularly audit installed extensions for signs of malicious behavior or excessive permission requests.

Organizations can further reduce exposure by using separate browser profiles for sensitive tasks (for example, a profile with no extensions reserved for Meta Business Suite or Gmail administration) and by enforcing an extension allowlist through browser management policy, so that unapproved extensions cannot be installed at all.

