CyberSecurityBoardThreat Intel · CVEs · Products
Cyber News

Google and Microsoft Pull ModHeader Extension With 1.6 Million Installs After Dormant Data Collector Found

July 13, 2026

Google and Microsoft have removed the ModHeader browser extension from their respective web stores after security researchers discovered a dormant browsing-history collector embedded in the official builds. The extension, which had approximately 1.6 million combined installs on Chrome and Edge, contained code capable of encrypting and exfiltrating browsing data to a remote server, though an empty allow-list kept the collector inactive.

Analysis by UK security firm Stripe OLT confirmed the collector was part of the genuine, store-signed extension, not a counterfeit. The collector was designed to build a device fingerprint, encrypt visited domains, store up to 1,000 distinct domains locally, and upload them daily to api.stanfordstudies[.]com. The upload was offset per install to avoid simultaneous beacons. The collector only activated if the browser matched an entry on an internal allow-list, which shipped empty, meaning no data was collected.

However, the extension was not entirely benign. On install, update, and uninstall, it pinged extensions-hub[.]com with metadata. Additionally, a script running on every page logged request metadata to local storage in plain text. The collector’s design frustrated automated scanners: data was encrypted, uploads were gated, malicious code was minified into legitimate code, and endpoints had no malicious reputation. The extension had been rated as high as 95 out of 100 by automated checkers.

Microsoft removed the Edge listing on July 3, 2026, and Google removed the Chrome version on July 10, 2026. The researchers found weak signals pointing toward a Chinese-speaking operator, including Simplified Chinese locale and a China-origin mail provider, but no group was named. ModHeader had previously drawn complaints for injecting ads into search results in 2023. The developer has not responded publicly.

Users are advised to remove ModHeader immediately, rotate any secrets (API keys, tokens, cookies) that may have been entered into the extension, and block the domains stanfordstudies[.]com and extensions-hub[.]com. Defenders should search logs for the extension ID and POST requests to api.stanfordstudies[.]com/app/log. Stripe OLT has published KQL hunting queries for Microsoft Defender and Sentinel.

Companies: Google, Microsoft, Stripe OLT

Products: ModHeader, Google Chrome, Microsoft Edge