Malicious Chrome Extensions Targeting Business Data

Browser extensions are becoming a serious attack vector. Researchers recently exposed a malicious Chrome extension called CL Suite by @CLMasters that targets Meta Business Suite and Facebook Business Manager users. While it appears to be a productivity tool, it secretly exfiltrates sensitive business data to attacker infrastructure.

The extension steals high-value information including TOTP seeds, live 2FA codes, Business Manager contacts, and analytics data. Although it doesn’t directly capture passwords, attackers can combine the stolen data with credential leaks to take over business accounts.

Similar threats have appeared in multiple campaigns. Below is a list of known malicious Chrome extensions:

VK Styles campaign

  • VK Styles – Themes for vk.com (ceibjdigmfbbgcpkkdpmjokkokklodmc)
  • VK Music – audio saver (mflibpdjoodmoppignjhciadahapkoch)
  • Music Downloader – VKsaver (lgakkahjfibfgmacigibnhcgepajgfdb)
  • vksaver – music saver vk (bndkfmmbidllaiccmpnbdonijmicaafn)
  • VKfeed – Download Music and Video from VK (pcdgkgbadeggbnodegejccjffnoakcoh)

AiFrame fake AI extensions

  • AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp)
  • Llama (gcfianbpjcfkafpiadmheejkokcmdkjl)
  • Gemini AI Sidebar (fppbiomdkfbhgjjdmojlogeceejinadg)
  • AI Sidebar (djhjckkfgancelbmgcamjimgphaphjdl)
  • ChatGPT Sidebar (llojfncgbabajmdglnkbhmiebiinohek)
  • Grok (cgmmcoandmabammnhfnjcakdeejbfimn)
  • Asking Chat Gpt (phiphcloddhmndjbdedgfbglhpkjcffh)
  • ChatGBT (pgfibniplgcnccdnkhblpmmlfodijppg)
  • Chat Bot GPT (nkgbfengofophpmonladgaldioelckbe)
  • Chat GPT for Gmail (fpmkabpaklbhbhegegapfkenkmpipick)

The takeaway is clear: even small browser extensions can become major data-leak entry points. Install only what you truly need, audit extensions regularly, review permissions carefully, and implement allowlisting in enterprise environments.
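The audit step above, as an added example that is not part of the original article: a Python check that walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` layout and flags extensions whose ID is on the list above, that are missing from an allowlist, or that request broad access. The function names, the `BROAD` permission set and the sample profile are assumptions made for illustration.

```python
import json, tempfile
from pathlib import Path
# Extension IDs listed on this page (VK Styles and AiFrame campaigns).
KNOWN_BAD = set("""
ceibjdigmfbbgcpkkdpmjokkokklodmc mflibpdjoodmoppignjhciadahapkoch
lgakkahjfibfgmacigibnhcgepajgfdb bndkfmmbidllaiccmpnbdonijmicaafn
pcdgkgbadeggbnodegejccjffnoakcoh nlhpidbjmmffhoogcennoiopekbiglbp
gcfianbpjcfkafpiadmheejkokcmdkjl fppbiomdkfbhgjjdmojlogeceejinadg
djhjckkfgancelbmgcamjimgphaphjdl llojfncgbabajmdglnkbhmiebiinohek
cgmmcoandmabammnhfnjcakdeejbfimn phiphcloddhmndjbdedgfbglhpkjcffh
pgfibniplgcnccdnkhblpmmlfodijppg nkgbfengofophpmonladgaldioelckbe
fpmkabpaklbhbhegegapfkenkmpipick
""".split())
# Assumed review set: grants exposing page content, cookies or traffic on many sites.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "cookies", "webRequest", "scripting", "tabs"}

def audit_profile(profile_dir, allowlist=frozenset()):
    """Return (id, name, reasons) per extension to review (last version dir by name)."""
    findings = []
    for ext_dir in sorted(Path(profile_dir, "Extensions").iterdir()):
        manifests = sorted(ext_dir.glob("*/manifest.json"))
        if not manifests:
            continue
        m = json.loads(manifests[-1].read_text(encoding="utf-8-sig"))
        asked = m.get("permissions", []) + m.get("host_permissions", [])
        for script in m.get("content_scripts", []):
            asked += script.get("matches", [])
        broad = sorted({p for p in asked if isinstance(p, str)} & BROAD)
        checks = [(ext_dir.name in KNOWN_BAD, "known-malicious ID"),
                  (ext_dir.name not in allowlist, "not on allowlist"),
                  (bool(broad), "broad access: " + ", ".join(broad))]
        reasons = [text for hit, text in checks if hit]
        if reasons:
            findings.append((ext_dir.name, m.get("name", "?"), reasons))
    return findings

def make_sample_profile(root):
    """Constructed test profile: one ID from the list above, one invented benign ID."""
    for ext_id, perms in [("ceibjdigmfbbgcpkkdpmjokkokklodmc", ["cookies", "<all_urls>"]),
                          ("a" * 32, ["storage"])]:
        d = Path(root, "Extensions", ext_id, "1.0_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "permissions": perms}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_profile(tmp)
        print(audit_profile(tmp, allowlist={"a" * 32}))
```

Point `audit_profile` at a real profile directory (for example the `Default` folder under Chrome's user data directory) and pass the organisation's approved IDs as `allowlist`.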

Source: https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html