A malicious Google Chrome extension named CL Suite (published as @CLMasters, extension ID jkphinfhmfkckkcnifhjiplhfoiefffl) has been caught stealing confidential data from users of Meta Business Suite and Facebook Business Manager. It is marketed as a helper for scraping business data, dismissing verification pop-ups, and even generating 2FA codes directly in the browser, but it does far more behind the scenes.
Socket Security researcher Kirill Boychenko spotted that it requests unusually broad permissions for the meta.com and facebook.com domains. Although the extension's privacy policy claims that 2FA secrets and Business Manager data never leave the device, the reality is different: it quietly sends the following to attacker-controlled servers at getauth[.]pro, with an optional forward to a Telegram channel:
1. The secret keys used to generate the user's time-based 2FA codes, including both the TOTP seed and the currently active 2FA code.
2. The full CSV export of the People section of Business Manager, including each person's name, email address, role, permission level and status.
3. Detailed analytics and asset listings from Business Manager (IDs, linked ad accounts, pages, billing/payment configs)
Even though the extension had only 33 users as of mid-February 2026 (it was first uploaded on March 1, 2025), the harvested data is extremely valuable. Attackers can combine the stolen 2FA material with passwords obtained elsewhere (for example from infostealer logs) to take over high-value business accounts, drain ad budgets, steal customer data, or run BEC-style fraud.
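To make the 2FA point concrete, here is an added example (not code from the article or from Socket's research) implementing RFC 6238 TOTP in Python. It uses the RFC's own published test seed rather than anything from the campaign. Whoever holds the seed can reproduce the victim's codes for any future window without touching the victim's phone, so the "currently active code" the extension also steals is the least valuable part of the haul, and only re-enrolling 2FA (issuing a fresh seed) invalidates what was taken.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, for_time=None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seed_from_base32(seed_b32: str) -> bytes:
    """Authenticator QR codes (otpauth:// URIs) carry the seed as unpadded Base32."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def future_codes(seed_b32: str, start_time: int, windows: int, step: int = 30):
    """What a stolen seed gives the attacker: every code for any future window,
    precomputed with no access to the victim's device. Returns (window_start, code) pairs."""
    seed = seed_from_base32(seed_b32)
    first = (start_time // step) * step
    return [(t, totp(seed, t, step)) for t in range(first, first + windows * step, step)]


def code_is_valid(seed_b32: str, submitted: str, at_time: int,
                  step: int = 30, skew: int = 1) -> bool:
    """Server-side check: a code is accepted only in its own window (+/- skew windows).
    A stolen *code* therefore expires within minutes; a stolen *seed* never does."""
    seed = seed_from_base32(seed_b32)
    counter = at_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(totp(seed, c * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed ("12345678901234567890" in Base32), not a real secret.
    RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    for window_start, code in future_codes(RFC_SEED, 59, 3):
        print(f"window starting at t={window_start}: {code}")
    print("leaked code still valid 30 s later:", code_is_valid(RFC_SEED, "287082", 89))
    print("leaked code valid a year later:   ", code_is_valid(RFC_SEED, "287082", 1111111109, skew=0))
```

The verifier-side `code_is_valid` and the attacker-side `future_codes` share one `totp` function on purpose: that symmetry is the whole problem. Changing the account password does nothing about a leaked seed; the seed has to be replaced.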
Why This Matters
Browser extensions remain one of the weakest links in the supply chain. Users install them for convenience, grant broad permissions, and rarely audit what they actually do. CL Suite is a narrow, purpose-built scraper disguised as productivity help, exactly the kind of low-install, high-impact malicious add-on that can fly under the radar.
Related Campaigns Highlight the Growing Problem
1. VK Styles (VKontakte hijacking): Koi Security uncovered roughly 500,000 VKontakte accounts compromised via fake customisation extensions (e.g., VK Styles - Themes, VK Music - audio saver). The extensions inject obfuscated JavaScript into every VK page, which forcibly subscribes victims to the attackers' groups and alters their account settings, re-applying the changes each month. The actor (2vk on GitHub) uses VK profile metadata as a dead drop pointing to next-stage payloads hosted in a public repository named "-"; the file "C" in that repository received 17 commits between June 2025 and January 2026, showing active development and refinement of the payloads.
2. AiFrame: LayerX identified 32 Chrome add-ons posing as AI summarisers, chatbots, Gmail helpers, translators and cover-letter generators (e.g., AI Assistant, Llama, Gemini AI Sidebar, ChatGPT Sidebar), with more than 260,000 active installs. Instead of processing anything locally, they load full-screen iframes from claude.tapnetic[.]pro, giving the attackers remote control over the browser's capabilities. They extract readable page content (via Mozilla Readability), transcribe speech, and specifically harvest Gmail content when the user visits mail.google.com. All of that data flows to attacker infrastructure.
3. 287 extensions exfiltrating browsing history: Q Continuum reported 287 Chrome extensions (37.4 million installs in total) quietly sending users' full browsing history to data brokers (successors of Similarweb/Alexa). Roughly 1% of Chrome users worldwide are affected; the practice has become commonplace.
Users should do the following:
1. Audit your extensions: open chrome://extensions, review the permissions of every installed extension, and remove any you no longer use or trust.
2. Limit your use of extensions: install only from reputable developers with many reviews and a history of recent updates.
3. Keep a separate browser profile for work/business browsing, and do not use the same everyday, extension-laden profile for Meta / Facebook work.
4. Enable "Enhanced Safe Browsing" in Chrome, and consider enterprise policies (such as Chrome's ExtensionInstallBlocklist/ExtensionInstallAllowlist) to block sideloaded and high-risk extensions.
5. Watch for unexpected 2FA prompts, logins from unknown users, and unexpected changes to your Business Manager account. If CL Suite was installed, treat every 2FA seed it handled as compromised: re-enrol 2FA so a fresh seed is issued, and rotate the associated passwords, because a stolen seed keeps producing valid codes until it is replaced.
6. If you find a suspicious extension, report it through the Chrome Web Store (by clicking the three-dot icon and choosing to report).
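As an added example (not from the article, Socket's research or Chrome itself), the Python script below automates step 1 and the enterprise-policy part of step 4 for a single Chrome profile. It walks `<profile>/Extensions`, parses each `manifest.json`, flags the CL Suite ID quoted in the article, any broad host access, and any combination of access to Meta/Gmail/VK hosts with APIs that can read sessions or page content, then emits a default-deny ExtensionInstallBlocklist/ExtensionInstallAllowlist policy that permits only the extensions with no findings. The sample manifests it creates are constructed for the demo and are not the real extensions' manifests; the risky-API and sensitive-domain lists are my own choices, not anything the researchers published.

```python
import json
import tempfile
from pathlib import Path

# Typical "Default" profile dirs: Linux ~/.config/google-chrome/Default,
# macOS ~/Library/Application Support/Google/Chrome/Default,
# Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default.
# Extensions live at <profile>/Extensions/<32-char id>/<version>/manifest.json.

# ID taken from the article above; extend from your own threat intel.
KNOWN_BAD_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite (Meta Business Suite stealer)"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_DOMAINS = ("facebook.com", "meta.com", "mail.google.com", "vk.com")  # my choice
# API permissions that let an extension read sessions, cookies or page content (my choice).
RISKY_APIS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
              "tabs", "debugger", "history", "clipboardRead"}


def host_patterns(manifest: dict) -> set:
    """Every host match pattern: MV2 permissions, MV3 host_permissions, content scripts."""
    pats = {p for p in manifest.get("permissions", []) + manifest.get("host_permissions", [])
            if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def api_permissions(manifest: dict) -> set:
    return {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}


def audit_manifest(ext_id: str, manifest: dict) -> list:
    """Return (finding_kind, detail) pairs for one manifest; an empty list means clean."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(("known-malicious", KNOWN_BAD_IDS[ext_id]))
    hosts = host_patterns(manifest)
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append(("broad-host-access", ", ".join(sorted(broad))))
    touched = sorted({d for d in SENSITIVE_DOMAINS for h in hosts if d in h})
    risky = sorted(api_permissions(manifest) & RISKY_APIS)
    if touched and risky:
        findings.append(("sensitive-site-plus-risky-api", f"{touched} with {risky}"))
    return findings


def audit_profile(profile_dir) -> dict:
    """Audit every unpacked extension under a Chrome profile (latest version dir wins)."""
    results = {}
    ext_root = Path(profile_dir) / "Extensions"
    for ext_dir in (sorted(ext_root.iterdir()) if ext_root.is_dir() else []):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            results[ext_dir.name] = {"name": manifest.get("name", "?"),
                                     "version": manifest_path.parent.name,
                                     "findings": audit_manifest(ext_dir.name, manifest)}
    return results


def build_policy(results: dict) -> dict:
    """Default-deny managed policy: block all extensions, allow only those with no findings.
    On Linux save it under /etc/opt/chrome/policies/managed/; Windows/macOS use the
    equivalent registry/plist keys with the same policy names."""
    allowed = sorted(i for i, r in results.items() if not r["findings"])
    return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": allowed}


def make_sample_profile() -> str:
    """Constructed sample profile (illustrative manifests, not the real ones) for offline runs."""
    root = Path(tempfile.mkdtemp())
    samples = {
        # The article's CL Suite ID; the manifest body here is made up for the demo.
        "jkphinfhmfkckkcnifhjiplhfoiefffl": {
            "manifest_version": 3, "name": "CL Suite", "version": "2.1",
            "permissions": ["cookies", "tabs", "scripting", "storage"],
            "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"]},
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "manifest_version": 3, "name": "Sample Theme Switcher", "version": "1.0",
            "permissions": ["activeTab", "storage"], "host_permissions": []},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "manifest_version": 2, "name": "Page Summariser", "version": "0.9",
            "permissions": ["<all_urls>", "tabs"],
            "content_scripts": [{"matches": ["*://mail.google.com/*"], "js": ["cs.js"]}]},
    }
    for ext_id, manifest in samples.items():
        d = root / "Extensions" / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    res = audit_profile(make_sample_profile())   # point at a real profile dir instead
    for ext_id, r in res.items():
        print(ext_id, r["name"], r["version"], r["findings"] or "clean")
    print(json.dumps(build_policy(res), indent=2))
```

Point `audit_profile` at a real profile directory to audit a machine; review the "clean" list by hand before shipping the generated allowlist, since the heuristics only catch the patterns above, and an extension whose name is a localised `__MSG_*__` placeholder will show that placeholder rather than its display name.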
Browser extensions are powerful, convenient, and unfortunately still one of the easiest ways for attackers to get persistent, high-privilege access to your authenticated sessions. The fewer you run, the smaller your attack surface.
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067