Google Follows Microsoft to Remove ModHeader Extension from Store Following Reports of Covert Exfiltration Capability

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Extensions Pulled: Google removed the ModHeader browser extension after a dormant data collector was found hidden inside its official store build.
  • Install Base: ModHeader had roughly 1.6 million installs combined across Chrome and Edge before removal.
  • Store Removal: The extension was pulled from both the Chrome Web Store and the Microsoft Edge Add-ons store within about a week of each other.

Google and Microsoft have removed ModHeader, a widely used developer tool for editing HTTP headers, after security researchers discovered a dormant data-collection mechanism built directly into its genuine, signed store version. ModHeader had amassed approximately 1.6 million installs across the two browsers before its takedown.

Hidden Collector Found Inside the Official Build

The discovery came from Stripe OLT, a U.K.-based security firm, which verified the code against Google's own Web Store signature and confirmed the collector shipped inside the authentic extension rather than a counterfeit copy. 

The report was updated on July 13 with Google’s announcement that it pulled the Chrome listing on July 10, a week after Microsoft removed the Edge listing on July 3, 2026. 

The collector itself was inactive: an empty allow-list kept it switched off, and no evidence has surfaced that it ever gathered or transmitted browsing data. 

However, the underlying pipeline, including the endpoint, encryption key, scheduler, storage, and collection logic, was fully built and could have been activated through a routine extension update. A future “update” could have activated it without any new permissions or user interaction.

What the Extension Was Actually Doing

Separately, researchers found the extension was logging product, version identifier, and browser type, and pinging an external domain with product and version details each time it was installed, updated, or uninstalled. 

Because ModHeader is designed to give broad access to a browser's traffic for legitimate testing and debugging purposes, that same access made it a high-value target once trust in the codebase was compromised.

Some sources allege the extension uses a fake "Stanford Studies" front for the exfiltration domain, and weak signals point to a Chinese-speaking operator.

Marketplace Response and Ongoing Exposure

Removing ModHeader from both the Chrome Web Store and the Microsoft Edge Add-ons store prevents new installs but does not delete the extension from devices where it's already installed. 

Affected users are advised to manually check their Chrome and Edge extensions list and remove ModHeader if it remains active.

The report also notes that the infrastructure here, which debuted in 2024, shares several characteristics with the pattern Brian Krebs described in a 2021 report on popular browser extensions quietly bought” and repurposed into monetization and surveillance channels.

In late June, Microsoft removed 100+ StegoAd Edge extensions hiding malware via steganography.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: