- Stripe OLT found that ModHeader v7.0.18 carried a hidden spyware SDK that daily exfiltrated visited domains to a Chinese-owned server and acted as adware
- The extension had 1.6 million downloads across Chrome and Edge before it was pulled, but installed endpoints are still at risk
- Researchers encourage defenders to identify and remove existing installations, as removal from stores does not automatically remediate compromised devices
ModHeader, a trusted Chrome and Edge browser extension with more than 1.6 million downloads, was found to be malicious, apparently sending sensitive data to a Chinese-owned server, and has since been pulled on both repositories.
Security researchers Stripe OLT revealed the news in a new report detailing how a ModHeader build v7.0.18 carried a hidden spyware SDK.
According to Stripe OLT, the spyware collects domains users visit, encrypts the data with AES-GCP and then sends it – once a day – to a remote server. The collector was found to be inactive by default, but the required code, encryption key, and upload plan were all already embedded in the extension.
Links to Chinese actors
Researchers found no command-and-control functionality, meaning the server only receives the stolen data and cannot communicate back. The extension also acted as adware, displaying ads and opening promotional tabs on updates, including on company-managed devices.
The researchers attributed the attack, albeit with low confidence, to a Chinese-speaking threat actor. The exfiltration domain routes emails through Lark, which is a suite common to Chinese-speaking teams, it said. They also found Chinese strings in the code and said the listing provides a simplified Chinese locale.
ModHeader is a Chrome and Edge browser extension that allows users to modify HTTP request and response headers sent between their browser and websites. Developers and security researchers use it to test APIs, debug applications, and simulate different environments. It has about 900,000 users on Chrome and another 700,000 on Edge.
According to Hacker NewsMicrosoft pulled the tool from its repository on June 3, 2026, followed by Google a week later on July 10.
“Following our publication, Google has removed the extension from the Chrome Web Store,” Stripe OLT concluded. “We welcome this action, but removal from the store does not automatically remediate endpoints where the extension was already installed, so defenders should continue to identify and remove existing installations.”

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



