Infostealer Chrome Extensions
Security analysts have identified a rogue Google Chrome extension engineered to harvest sensitive data from Meta Business environments. The extension, CL Suite by @CLMasters, presents itself as a productivity tool for users of Meta Business Suite and Facebook Business Manager. Promoted as a utility for scraping business data, bypassing verification prompts, and generating two-factor authentication (2FA) codes, it was published on the Chrome Web Store on March 1, 2025.
Despite claims in its privacy policy that 2FA secrets and Business Manager data remain confined to the local environment, technical analysis reveals a different reality. The extension requests extensive permissions over meta.com and facebook.com domains and covertly transmits sensitive information to attacker-controlled infrastructure.
Covert Data Exfiltration Capabilities
The extension silently collects and exports high-value data from authenticated Meta sessions. Exfiltrated information is sent to a backend hosted at getauth[.]pro, with an optional mechanism to forward the same payloads to a Telegram channel operated by the threat actor.
The full scope of the extension's data-harvesting functionality includes:
- Theft of TOTP seeds and active 2FA codes used to secure Meta and Facebook Business accounts
- Extraction of Business Manager 'People' data, compiled into CSV files containing names, email addresses, assigned roles, permission levels, and access statuses
- Enumeration of Business Manager entities and linked assets, including ad accounts, associated pages, asset connections, billing configurations, and payment details
Although the add-on does not directly capture passwords, attackers could combine the stolen time-based one-time passwords with credentials sourced from infostealer logs or leaked databases to gain unauthorized account access.
Security researchers warn that even with a relatively small installation base, the intelligence gathered is sufficient to identify high-value corporate targets and facilitate follow-on attacks.
Scraping Disguised as Productivity
The case of CL Suite illustrates how narrowly scoped browser extensions can disguise aggressive data harvesting as legitimate workflow enhancements. Features such as contact extraction, analytics collection, verification pop-up suppression, and in-browser 2FA generation are not neutral utilities. Instead, they function as purpose-built scrapers engineered to siphon contact lists, metadata, and authentication material directly from authenticated Meta business interfaces.
By embedding themselves into trusted workflows, such extensions bypass user suspicion and operate within the security boundaries of active sessions.
The AiFrame Campaign: AI Assistants Turned Data Proxies
In a separate but coordinated campaign dubbed AiFrame, researchers uncovered 32 browser extensions marketed as AI-powered assistants for summarization, chat, writing support, and Gmail productivity. Collectively, these add-ons have accumulated more than 260,000 installations.
While appearing legitimate, the extensions rely on a remote, server-driven architecture. Instead of processing data locally, they embed full-screen iframe overlays that connect to the domain claude.tapnetic[.]pro. This design enables operators to dynamically introduce new capabilities without issuing updates through the Chrome Web Store.
Once deployed, these extensions act as privileged intermediaries between the browser and remote infrastructure. When triggered, they inspect the active tab and use Mozilla's Readability library to extract article content. Additional capabilities include initiating speech recognition and transmitting captured transcripts to external servers.
A subset of the extensions specifically targets Gmail. When users access mail.google.com and activate AI-driven reply or summarization features, visible email content is extracted directly from the document object model (DOM) and transmitted to third-party backend systems controlled by the operators. Consequently, email content and contextual metadata may be transferred beyond Gmail's protected environment to remote servers without clear user awareness.
Large-Scale Extension Abuse and Data Brokerage
The misuse of browser extensions is not limited to isolated campaigns. Researchers have also identified 287 Chrome extensions that have been collectively installed 37.4 million times, approximately 1% of the global Chrome user base, and that exfiltrate browsing histories to data brokers.
Previous investigations have demonstrated how harvested browsing data is aggregated and monetized by companies such as Similarweb and Alexa. These findings underscore the scale at which extension-based surveillance can operate.
Strengthening Defense Against Malicious Extensions
Given the escalating threat landscape, organizations and individual users should adopt disciplined extension management practices. Effective defensive measures include:
- Installing only essential, well-reviewed extensions from official marketplaces
- Conducting periodic audits of installed extensions to detect excessive permissions or anomalous behavior
- Using separate browser profiles for sensitive activities
- Implementing extension allowlisting within enterprise environments to block unauthorized or non-compliant add-ons
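As an added example (not code from any of the reports above), the periodic audit and allowlisting steps in Python: it checks extension manifests for host patterns that reach the Meta and Gmail domains these campaigns targeted and for API permissions that expose session data, then emits the ExtensionInstallBlocklist/ExtensionInstallAllowlist policy pair used for Chrome enterprise allowlisting. The sample manifests are constructed stand-ins, not the real extensions.

```python
import json

# Hosts whose authenticated sessions the extensions described above scrape.
SENSITIVE_HOSTS = ["facebook.com", "meta.com", "mail.google.com"]
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_API_PERMS = {"cookies", "webRequest", "tabs", "scripting", "history"}

def host_patterns(manifest):
    """Collect every URL match pattern the extension requests (MV2 and MV3)."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats

def pattern_hits_host(pattern, host):
    """True if a match pattern covers `host`, one of its subdomains, or a parent domain."""
    if pattern in BROAD_PATTERNS:
        return True
    netloc = pattern.split("://", 1)[-1].split("/", 1)[0].lstrip("*.")
    return not netloc or netloc == host or netloc.endswith("." + host) or host.endswith("." + netloc)

def audit_manifest(manifest):
    """Return human-readable findings for one manifest; an empty list means clean."""
    findings, pats = [], host_patterns(manifest)
    for host in SENSITIVE_HOSTS:
        hits = sorted(p for p in pats if pattern_hits_host(p, host))
        if hits:
            findings.append(f"reaches {host} via " + ", ".join(hits))
    risky = RISKY_API_PERMS & set(manifest.get("permissions", []))
    if risky:
        findings.append("sensitive APIs: " + ", ".join(sorted(risky)))
    return findings

def allowlist_policy(approved_ids):
    """Chrome enterprise policy: block every extension except the approved IDs."""
    return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": sorted(approved_ids)}

# Constructed sample manifests (not real extensions) standing in for a profile's Extensions/ dir.
SAMPLES = {
    "business-helper": {"permissions": ["storage", "cookies", "tabs"],
                        "host_permissions": ["*://*.facebook.com/*", "*://business.meta.com/*"]},
    "mail-assistant": {"permissions": ["activeTab", "scripting"],
                       "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["cs.js"]}]},
    "benign-theme": {"permissions": ["storage"]},
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLES.items():
        print(ext_id, audit_manifest(manifest) or ["no findings"])
    print(json.dumps(allowlist_policy(["benign-theme"]), indent=2))
```

To audit a real profile, load each `Extensions/<id>/<version>/manifest.json` with `json.load` and pass it to `audit_manifest`.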
Browser extensions operate with significant privileges inside trusted sessions. Without rigorous oversight, they can become powerful conduits for data exfiltration and credential compromise.