216.73.217.86

ModHeader Malware: Inside the Chrome Spyware Google Removed

· Published 14/07/2026 10:04

Export JSON

Essential information

Published
14/07/2026 10:04
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
adware browser extension chrome web store domain harvesting modheader spyware supply chain attack
Related entities
2 indicators, 2 observables, 16 techniques (mitre), 1 malware

Description

ModHeader, a popular Chrome developer extension with over 800,000 users, was flagged and removed by Google for containing hidden . Version 7.0.18 included a covert SDK disguised as a date library (dayjs) that harvested visited domain names, encrypted them using AES-GCM, and was configured to upload the data daily to api.stanfordstudies.com. Although the collection remained dormant due to an empty allowlist, the complete exfiltration infrastructure was present and operational. Additionally, the extension displayed active behavior, opening affiliate tabs on every update including on enterprise-managed machines. The malicious code shipped with official signatures, affecting both Chrome and Edge users. Forensic analysis revealed the extension locally stored 178MB of sensitive HTTP headers from all browsing activity, though no data was successfully exfiltrated from analyzed systems.

External references