• 2 min read
ModHeader pulled after spyware hit 1.6M installs
Google and Microsoft removed ModHeader after researchers found a hidden spyware SDK in v7.0.18. Existing Chrome and Edge installs may still be at risk.

Image: TechRadar
A widely used browser extension with 1.6 million installs has been removed from both the Chrome Web Store and Microsoft Edge Add-ons after researchers said it included spyware code.
According to Stripe OLT, ModHeader v7.0.18 carried a hidden spyware SDK that could collect the domains users visit, encrypt that data with AES-GCP, and send it once a day to a Chinese-owned server. The researchers said the collector was inactive by default, but the code, encryption key, and upload schedule were already built into the extension.
ModHeader is a Chrome and Edge extension used to modify HTTP request and response headers. It is commonly used by developers and security researchers to test APIs, troubleshoot apps, and simulate different environments. The extension had about 900,000 users on Chrome and 700,000 on Edge before it was pulled.
Stripe OLT said the extension also behaved like adware, showing ads and opening advertising tabs during updates, including on enterprise-managed devices. Researchers found no command-and-control capability, meaning the remote server could receive stolen data but could not send commands back.

Recommended reading
Install Windows updates within 3 days, Microsoft says
Removal dates and attribution
The Hacker News reported that Microsoft removed ModHeader on June 3, 2026, and Google followed on July 10. Stripe OLT linked the activity, with low confidence, to a Chinese-speaking threat actor. The report cited Chinese strings in the code, a Simplified Chinese locale, and email routing through Lark, a suite the researchers said is common among Chinese-speaking teams.
“Following our disclosure, Google has removed the extension from the Chrome Web Store. We welcome this action, but removal from the store does not automatically remediate endpoints where the extension was already installed, so defenders should continue to identify and remove existing installations.”
That warning matters: pulling an extension from a store does not automatically remove it from devices where it is already installed.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRadar


