- Stripe OLT discovered that ModHeader v7.0.18 carried a hidden spyware SDK, which leaked daily visited domains to a Chinese-owned server and acted as adware.
- The extension had 1.6 million downloads on Chrome and Edge before being removed, but installed endpoints remain at risk
- Researchers urge defenders to identify and remove existing installations, as removing stores does not automatically fix compromised devices.
ModHeader, a trusted Chrome and Edge browser extension with over 1.6 million downloads, was found to be malicious and apparently sending sensitive data to a Chinese-owned server, and has since been removed from both repositories.
Security researchers Stripe OLT revealed the news in a new report, describing how a ModHeader v7.0.18 version carried a hidden spyware SDK.
According to Stripe OLT, the spyware collects the domains that users visit, encrypts the data with AES-GCP, and then sends it, once a day, to a remote server. The collector was found dead by default, but the required code, encryption key, and loader were already built into the extension.
Links to Chinese actors
The researchers found no command and control functionality, meaning the server only receives the stolen data and cannot communicate. The extension also functioned as adware, displaying ads and opening advertising tabs in updates, even on corporate-managed devices.
Investigators attributed the attack, albeit with little confidence, to a Chinese-speaking threat actor. The exfiltration domain was said to route emails through Lark, which is a common suite with Chinese-speaking teams. They also found Chinese strings in the code and said the listing includes a simplified Chinese locale.
ModHeader is a Chrome and Edge browser extension that allows users to modify HTTP request and response headers sent between their browser and websites. Developers and security researchers use it to test APIs, troubleshoot applications, and simulate different environments. It has around 900,000 users on Chrome and another 700,000 on Edge.
According Hacker NewsMicrosoft removed the tool from its repository on June 3, 2026, followed by Google a week later on July 10.
“Following our disclosure, Google removed the extension from the Chrome Web Store,” Stripe OLT concluded. “We welcome this action, but removing the store does not automatically fix endpoints where the extension was already installed, so defenders must continue to identify and remove existing installations.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




