Cybersecurity researchers have found a malicious Google Chrome extension designed to steal data from Facebook Business Manager and Meta Business Suite. The extension, called CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is promoted as a tool for generating two-factor authentication (2FA) codes, removing verification pop-ups, and scraping Meta Business Suite data.
As of this writing, the extension has 33 users. It was first uploaded to the Chrome Web Store on March 1, 2025. According to Socket, however, the browser add-on also exfiltrates Business Manager contact lists, analytics data, and TOTP codes for Facebook and Meta Business accounts to infrastructure under the threat actor's control.
Below is a list of the extensions' names:

- VK Styles Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
- Audio saver for VK Music (ID: mflibpdjoodmoppignjhciadahapkoch)
- Music Saver vK (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
- Music Downloader - VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
- Download music and videos from VK with VKfeed (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

One of the campaign's distinguishing features is its use of a VK profile's HTML metadata tags ("vk[.]com/m0nda") as a dead drop resolver to hide the next-stage payload URLs and avoid detection.
The next-stage payload is hosted in a public repository named "-" linked to 2vk. The payload contains obfuscated JavaScript that is injected into each VK page the victim visits.
The file, simply called "C," received a total of 17 commits between June 2025 and January 2026 as the operator improved and added new functionality. As of this writing, the repository is still available. According to security researcher Ariel Cohen, "each commit shows deliberate refinement."
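A defender-side check for the extension IDs named in this article, added here as an example and not taken from any of the researchers the article cites: it walks a Chrome user-data directory and reports each profile that has one of those IDs installed, along with the permissions its manifest requests. The default directory locations are assumptions about a stock Google Chrome install.

```python
import json
from pathlib import Path

# Extension IDs named in this article (CL Suite plus the five VK-themed add-ons).
FLAGGED_IDS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite by @CLMasters",
    "ceibjdigmfbbgcpkkdpmjokkokklodmc": "VK Styles Themes for vk.com",
    "mflibpdjoodmoppignjhciadahapkoch": "Audio saver for VK Music",
    "bndkfmmbidllaiccmpnbdonijmicaafn": "Music Saver vK",
    "lgakkahjfibfgmacigibnhcgepajgfdb": "Music Downloader - VKsaver",
    "pcdgkgbadeggbnodegejccjffnoakcoh": "Download music and videos from VK with VKfeed",
}

# Assumed default Chrome "User Data" locations (Linux, macOS, Windows).
DEFAULT_ROOTS = [
    Path.home() / ".config/google-chrome",
    Path.home() / "Library/Application Support/Google/Chrome",
    Path.home() / "AppData/Local/Google/Chrome/User Data",
]

def find_flagged_extensions(user_data_dir):
    """Return one record per flagged extension version found under any profile."""
    hits = []
    # Layout: <User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        ext_id = ext_dir.name.lower()
        if ext_id not in FLAGGED_IDS or not ext_dir.is_dir():
            continue
        versions = sorted(p for p in ext_dir.iterdir() if p.is_dir())
        for ver in versions or [ext_dir]:
            perms = []
            try:
                manifest = json.loads((ver / "manifest.json").read_text(encoding="utf-8"))
                perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
            except (OSError, ValueError, AttributeError, TypeError):
                pass  # manifest missing or malformed: the ID match is still reported
            hits.append({"profile": ext_dir.parent.parent.name, "id": ext_id,
                         "listed_as": FLAGGED_IDS[ext_id],
                         "version": ver.name if ver != ext_dir else None,
                         "permissions": perms})
    return hits

if __name__ == "__main__":
    for root in DEFAULT_ROOTS:
        for hit in find_flagged_extensions(root):
            print(f"[!] {root}: {hit}")
```

A hit means the extension folder is present on disk in that profile; removing the extension and rotating any 2FA seeds or session tokens it could reach is the follow-up.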
According to LayerX, "the extracted email content is passed into the extension's logic and transmitted to third-party backend infrastructure controlled by the extension operator when Gmail-related features like AI-assisted replies or summaries are invoked."
"As a result, email message text and associated contextual data may be sent to distant servers off-device, beyond Gmail's security boundary."

## 287 Extensions for Chrome Obtain Browsing History

The findings demonstrate how malicious actors are increasingly abusing web browser extensions to harvest and steal private information by disguising them as ostensibly trustworthy tools and utilities. A massive collection of 287 Chrome extensions that give data brokers access to browsing history was discovered in a report released by Q Continuum last week.
With 37.4 million installations, these extensions account for about 1% of all Chrome users worldwide.
"Chrome extensions have been demonstrated to exfiltrate user browser history, which is subsequently gathered by data brokers like Similarweb and Alexa," the researcher stated.











