385/69 Wednesday, July 15, 2026

Google and Microsoft have removed the ModHeader extension, which had more than 1.6 million combined installations on Chrome and Edge, from their official stores. The action came after cybersecurity firm Stripe OLT discovered hidden code designed to collect website browsing history data embedded in the official version of the extension. Although initial findings indicate that the data collection mechanism was disabled and there is no evidence that data had actually been exfiltrated, the risk directly affects trust in the extension and its large user base, who could have had their data collected if the mechanism were activated in the future.
Analysis of version 7.0.18 of the extension found that a secondary mechanism was hidden alongside its normal header management functionality. This hidden system generated a device fingerprint and encrypted the list of website domains visited by the user before storing the data locally. It then scheduled the encrypted data to be sent to an external server. However, the code did not execute because an internal allowlist was configured to remain inactive. Nevertheless, the maintainers could enable it at any time through a normal update without requesting additional permissions from users. In addition, the automated security review systems used by the stores assessed the extension as low risk because the data was encrypted and the collection mechanism had not been triggered, allowing the hidden code to evade initial detection.
To prevent and reduce risk, Chrome and Edge users should immediately uninstall the ModHeader extension from their systems. They should also check account sync settings to prevent the extension from being reinstalled automatically. If users previously handled sensitive information, such as API keys or session cookies, through this extension, they should consider rotating or resetting those credentials for security. For enterprise network administrators, access and activity logs related to the domains stanfordstudies[.]com and extensions-hub[.]com should be blocked and reviewed. Administrators should also monitor for abnormal data transmission to help prevent potential risks in a timely manner.
Source: https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
