🟠 High | Source: The Hacker News
Google and Microsoft have removed the ModHeader browser extension — which had 1.6 million installs across Chrome and Edge — after researchers discovered a hidden browsing-history collection mechanism embedded in the official store release. The collector was dormant, controlled by an empty allow-list that prevented it from activating, and there is currently no evidence that any user data was ever harvested or transmitted. Despite the lack of confirmed exploitation, the presence of undisclosed data-collection code in a widely trusted developer tool raises significant supply-chain and insider-threat concerns.
Security Architect’s Take: Audit your organisation’s approved browser extension inventory and remove or block ModHeader immediately via endpoint management or browser policy. More broadly, enforce a vetted allow-list of permitted extensions across managed devices, and consider periodic automated scans of installed extensions against known-bad or recently pulled packages — dormant payloads like this can be activated remotely at any time.
Original advisory: Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found