Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

ModHeader Malware: Inside the Chrome Spyware Google Removed

0
Medium
Published: 07/14/2026 (07/14/2026, 08:04:43 UTC)
Source: AlienVault OTX General

Description

ModHeader, a widely used Chrome developer extension, was removed from the Chrome Web Store after being found to contain hidden spyware and adware. Version 7.0.18 included a covert SDK disguised as a date library that harvested visited domain names, encrypted them, and was set to upload this data daily to a suspicious domain. Although the data collection was dormant due to an empty allowlist, the exfiltration infrastructure was fully present. The extension also exhibited adware behavior by opening affiliate tabs on updates, including on enterprise-managed devices. The malicious code was signed by the official Chrome Web Store, affecting both Chrome and Edge users. Forensic analysis showed the extension locally stored a large amount of sensitive HTTP headers, but no successful data exfiltration was observed in analyzed systems.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 10:18:36 UTC

Technical Analysis

ModHeader version 7.0.18 contained malicious code hidden within a legitimate Chrome extension. This code included a covert SDK masquerading as the 'dayjs' date library, which harvested visited domain names and encrypted them using AES-GCM. The data was configured to be exfiltrated daily to the domain api.stanfordstudies.com. Despite the presence of a fully operational exfiltration mechanism, data collection remained inactive due to an empty allowlist. Additionally, the extension engaged in adware activity by opening affiliate tabs on every update, impacting both regular and enterprise-managed machines. The extension was distributed via the official Chrome Web Store with valid signatures, affecting users of both Chrome and Edge browsers. Forensic investigations revealed local storage of 178MB of sensitive HTTP headers from browsing activity, though no evidence of successful data exfiltration was found on analyzed systems.

Potential Impact

The spyware component of ModHeader could have compromised user privacy by harvesting visited domain names and sensitive HTTP headers. The adware behavior caused unwanted affiliate tab openings, potentially disrupting user experience and generating fraudulent ad revenue. Although no confirmed data exfiltration occurred in analyzed cases, the presence of a fully functional exfiltration infrastructure indicates a significant risk of data leakage if activated. The malicious code's distribution through the official Chrome Web Store and valid signatures increased the risk of widespread exposure among Chrome and Edge users.

Mitigation Recommendations

Google has removed the malicious ModHeader extension from the Chrome Web Store, effectively preventing further installations. Users should uninstall any existing installations of ModHeader version 7.0.18 or later. Since the malicious code was distributed via the official store, users should verify extensions for authenticity and monitor for suspicious behavior. No official patch or update is available; remediation involves removal of the compromised extension. Enterprise administrators should audit managed devices for the presence of this extension and remove it to prevent adware and spyware activity.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://hackindex.io/research/modheader-malware-chrome-spyware"]
Adversary
null
Pulse Id
6a55ed9b6b71e59faf2f8ea7
Threat Score
null

Indicators of Compromise

Url

ValueDescriptionCopy
urlhttps://modheader.com/api/ad-settings

Domain

ValueDescriptionCopy
domainapi.stanfordstudies.com

Threat ID: 6a56093968715ace4346c86f

Added to database: 07/14/2026, 10:02:33 UTC

Last enriched: 07/14/2026, 10:18:36 UTC

Last updated: 07/15/2026, 03:35:17 UTC

Views: 25

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses