Chrome Extensions Looting Private Business and Social Data
Internet users are facing a wave of sophisticated digital traps as cybersecurity experts uncover several malicious Google Chrome extensions designed to strip away private information. These digital tools, often disguised as helpful productivity assistants or social media enhancers, have been caught funneling everything from corporate financial data to personal login secrets into the hands of hackers. The discovery highlights a growing trend where attackers use the Chrome Web Store to distribute “sleeper” software that looks functional but operates as a high-tech vacuum for sensitive data.
The Corporate Data Trap
One of the most surgical strikes identified involves a tool specifically built to infiltrate the world of digital marketing. A browser add-on named CL Suite has been flagged for targeting professionals who manage high-value accounts on Meta’s platforms. While the developers marketed the extension as a “time-saver” for scraping data and managing two-factor authentication (2FA) codes, researchers found that the reality is much more sinister.
The software doesn’t just manage your security codes; it steals them. By gaining broad permissions to access Facebook and Meta domains, the extension intercepts “seeds”—the master keys used to generate temporary login codes—and sends them directly to a server controlled by the hackers. This allows an attacker to bypass security hurdles even if they don’t have the user’s password yet.
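Why a copied seed is enough, shown with the standard TOTP algorithm (RFC 6238). This is an added example, not code from the extension or from the researchers. Both seeds are constructed, and `verify` and the rotation step are illustrative names.

```python
import base64, hashlib, hmac, struct

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on the seed and the clock."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(enrolled_seed, code, unix_time, window=1, step=30):
    """Server-side check: accept the code for the current step or one step either side."""
    return any(hmac.compare_digest(totp(enrolled_seed, unix_time + d * step), code)
               for d in range(-window, window + 1))

# Constructed seeds: the first is the RFC 6238 test key, the second stands in
# for the fresh seed issued when the user re-enrolls 2FA.
SEED = base64.b32encode(b"12345678901234567890").decode()
ROTATED_SEED = base64.b32encode(b"rotated-seed-0123456").decode()

if __name__ == "__main__":
    now = 1_000_000
    code_from_copy = totp(SEED, now)                 # any holder of the seed gets the same code
    print("accepted before re-enrollment:", verify(SEED, code_from_copy, now))
    print("accepted after re-enrollment: ", verify(ROTATED_SEED, code_from_copy, now))
```

No password appears anywhere in the computation, so a password change leaves a copied seed usable; only re-enrolling 2FA, which issues a new seed, invalidates it.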
Furthermore, the extension systematically “scrapes” internal business information. It builds detailed spreadsheets containing the names, email addresses, and specific access levels of every employee within a company’s Business Manager account. For a business, this is a nightmare scenario: it provides a roadmap for hackers to see exactly who has the power to spend advertising money or change bank details, making it easy to launch targeted fraud campaigns.
Massive Breach Hits Social Media Users
While some hackers go for quality and corporate targets, others are going for sheer quantity. A massive operation codenamed VK Styles has successfully compromised roughly half a million users of the VKontakte (VK) social network. In this case, the attackers used the lure of “customization” to get their foot in the door. They offered extensions that promised to change the look of the website or allow users to download music and videos directly from the platform.
Once installed, these extensions act like a “ghost in the machine.” They hijack the user’s account to silently subscribe them to specific groups, inflating the attacker’s influence. More dangerously, the malware is designed to reset account settings every month to ensure the user can’t easily kick the hackers out. The developers behind this project have treated the malware like a legitimate business, frequently updating the code to bypass security patches and find new ways to stay hidden. This level of dedication shows that the attackers are playing a long game, maintaining persistent control over hundreds of thousands of accounts across Eastern Europe and Central Asia.
The False Promise of AI Assistants
The most recent and perhaps most deceptive trend involves the craze surrounding Artificial Intelligence. A coordinated campaign called AiFrame has deployed over 30 different extensions that claim to be AI-powered writing assistants or chat tools. Because people are eager to use AI to summarize emails or draft documents, more than 260,000 people fell into the trap.
Instead of actually processing your data through a local AI model, these extensions act as “proxies.” They open a door between your private browser and a remote server owned by the criminals. This gives the hackers a front-row seat to your Gmail inbox and other sensitive windows. By embedding a hidden interface inside the browser, the attackers can see exactly what you are typing and reading in real time. This method is particularly effective because it allows the malicious software to appear “lightweight” and helpful while it quietly siphons off credentials and private correspondence.
These various campaigns prove that the greatest threat to your digital security might be the very tools you installed to make your life easier. Security experts urge users to audit their extensions immediately and remove any tool that asks for more “permission” than it reasonably needs to function.
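One way to run that audit over installed extensions' `manifest.json` files, as an added example that is not part of the original article. The watch-list hosts, sample manifests and 32-character IDs are constructed for illustration; on disk, Chrome keeps each manifest under the profile's `Extensions/<id>/<version>/` directory.

```python
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed watch-list: hosts for the services the article says were targeted.
SENSITIVE = ("facebook.com", "meta.com", "mail.google.com", "vk.com")

def host_patterns(manifest):
    """Every match pattern the extension can reach (Manifest V2 and V3)."""
    pats = list(manifest.get("host_permissions", []))            # MV3
    pats += manifest.get("optional_host_permissions", [])        # MV3, grantable later
    pats += [p for p in manifest.get("permissions", [])          # MV2 mixes hosts in here
             if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def covers(pattern, site):
    """True if the host part of a match pattern includes `site` or part of it."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):                                    # wildcard subdomains
        base = host[2:]
        return site == base or site.endswith("." + base) or base.endswith("." + site)
    return host == site or host.endswith("." + site)

def audit(ext_id, manifest, blocklist=frozenset()):
    findings = set()
    if ext_id in blocklist:
        findings.add("blocklisted-id")
    for p in host_patterns(manifest):
        if p in BROAD or p.split("://", 1)[-1].startswith("*/"):
            findings.add("all-sites")
        findings.update(f"reaches:{s}" for s in SENSITIVE if covers(p, s))
    return sorted(findings)

# Constructed sample manifests and IDs (not taken from any real extension).
ID_A, ID_B, ID_C = "a" * 32, "b" * 32, "c" * 32
SAMPLES = {
    ID_A: {"manifest_version": 3, "name": "AI sidebar",
           "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
    ID_B: {"manifest_version": 2, "name": "Theme tweaker",
           "permissions": ["tabs", "*://*.vk.com/*"],
           "content_scripts": [{"matches": ["https://business.facebook.com/*"], "js": ["c.js"]}]},
    ID_C: {"manifest_version": 3, "name": "Unit converter",
           "permissions": ["storage"], "host_permissions": ["https://example.org/*"]},
}
BLOCKLIST = {ID_B}   # stand-in for a list of flagged extension IDs

if __name__ == "__main__":
    for ext_id, manifest in SAMPLES.items():
        print(ext_id[:8], audit(ext_id, manifest, BLOCKLIST) or "ok")
```

An `all-sites` or `reaches:` finding is a prompt to compare the extension's stated purpose with its reach, not proof of malice; a theme tool that can read a business console is the kind of mismatch to act on.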
Here are the specific names of the flagged extensions:
