Malicious Chrome Extension Exfiltrates Meta Business Data and TOTP 2FA Seeds
Researchers reported a malicious Google Chrome extension, CL Suite (publisher @CLMasters, extension ID jkphinfhmfkckkcnifhjiplhfoiefffl), that targets users of Meta Business Suite and Facebook Business Manager by masquerading as a tool to scrape business data, remove verification pop-ups, and generate 2FA codes. Although its listing and privacy policy claim sensitive data remains local, analysis found the extension requests broad access to meta.com and facebook.com and covertly collects TOTP seeds, current 2FA codes, Business Manager “People” exports (CSV), contact lists, and analytics data.
The stolen data is exfiltrated to attacker-controlled infrastructure at getauth[.]pro, with an option to forward the same payloads to an attacker-controlled Telegram channel. By capturing TOTP seeds and one-time codes, the extension can effectively neutralize 2FA, enabling account takeover when paired with passwords obtained elsewhere (e.g., infostealer logs or credential dumps). The exposure can persist even after uninstall because the attacker retains the exported business intelligence and 2FA seeds; Socket stated it notified Google and flagged the extension for removal, while reporting indicated the extension had a limited user base at the time of analysis.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Socket reports extension still live in Chrome Web Store and notifies Google
At the time of Socket's publication, the malicious extension was still available in the Chrome Web Store. Socket said it had notified Google and flagged the extension for removal.
Researchers identify malicious 'CL Suite by @CLMasters' Chrome extension
Security researchers found that the Chrome extension 'CL Suite by @CLMasters,' marketed as a Meta Business Suite/Facebook Business Manager tool, covertly steals sensitive Meta business data. The extension was observed exfiltrating TOTP seeds, current 2FA codes, Business Manager exports, analytics, and victim fingerprinting data to attacker-controlled infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Chrome Extensions Used for Social Media Account Hijacking
Security researchers reported multiple **malicious Google Chrome extensions** being used to hijack social media accounts by abusing the trust and permissions granted to browser add-ons. One campaign targeted Meta Business users with an extension named **“CL Suite by @CLMasters”** (`jkphinfhmfkckkcnifhjiplhfoiefffl`) that requested broad access to `meta.com` and `facebook.com` and exfiltrated Facebook Business Manager authentication material and analytics. Analysis indicated the extension captured the **TOTP seed** and current 6-digit 2FA code when users used its built-in “2FA generator,” then sent associated identifiers (e.g., username/email) to attacker infrastructure at **`getauth[.]pro`**, with optional forwarding to Telegram—enabling ongoing generation of valid 2FA codes and increasing the likelihood of high-value ad account takeover. A separate operation hijacked more than **500,000 VKontakte accounts** via five Chrome extensions disguised as VK customization tools (e.g., themes). The extensions manipulated accounts without consent (auto-subscribing victims to attacker-controlled groups, resetting settings periodically, and leveraging VK weaknesses to perform unauthorized actions) and could silently update to receive new malicious code. Researchers attributed the VK-focused activity to a single actor (GitHub alias **“2vk”**), and at least one extension (**VK Styles**) was removed from the Chrome Web Store after being flagged, underscoring the ongoing risk of extension-based compromise even when distributed through official marketplaces.
Mar 21, 2026
Malicious Chrome Extensions Used for Credential Theft and Website Spoofing
Security researchers reported a surge in **malicious Chrome extensions** abusing high-privilege browser permissions to steal credentials and hijack authenticated sessions. LayerX identified at least **16 ChatGPT-related extensions** that mimic legitimate productivity tools and brands, then inject scripts into `chatgpt.com` to monitor outbound web requests and **exfiltrate authorization details and session tokens** to attacker-controlled infrastructure. With stolen tokens, attackers can impersonate victims’ ChatGPT sessions and potentially access connected data sources (e.g., integrations with *Slack* and *GitHub*), expanding impact beyond the AI service itself. Separately, Varonis documented a **malware-as-a-service** browser-extension toolkit dubbed **Stanley** being sold on Russian-language cybercrime forums, marketed to enable large-scale credential theft by **showing a phishing site while the URL bar continues to display the legitimate domain**. The toolkit uses a web-based control panel to configure per-victim “source” (legitimate) and “target” (phishing) URLs, then overlays a full-screen iframe to spoof the destination site; the seller also claims “guaranteed” placement in the **Chrome Web Store**, increasing the likelihood of user installation and enterprise exposure.
Mar 21, 2026
Malicious Chrome Extensions Used for Data Theft via Ownership Transfers and Impersonation
Multiple **malicious Chrome/Chromium extensions** were identified abusing the Chrome Web Store to steal data from users and enterprises. Two previously legitimate extensions—**QuickLens** (`kdenlnncndfnhkognokgfpabgkgehodd`) and **ShotBird** (`gengfhhkjekmlejbhmmopegofnoifnjp`)—reportedly turned malicious after **ownership transfers**, enabling downstream compromise through injected code and data harvesting. In the QuickLens case, researchers reported the malicious update preserved expected functionality while adding capabilities to **strip security headers** (e.g., `X-Frame-Options`) and facilitate script injection that can bypass **Content Security Policy (CSP)** protections, expanding the attacker’s ability to make cross-domain requests and collect sensitive information. Separately, Microsoft reported a campaign of **counterfeit “AI assistant” browser extensions** distributed via the Chrome Web Store (and therefore also impacting Microsoft Edge environments that allow Chrome extensions), which allegedly affected **20,000+ enterprise tenants** and amassed roughly **900,000 installs**. These extensions impersonated legitimate AI productivity tools and harvested **ChatGPT/DeepSeek conversation histories**, visited URLs, and browsing telemetry, staging data for exfiltration to attacker-controlled infrastructure. Another Chrome Web Store threat involved a fake **imToken**-branded extension (“lmΤoken Chromophore”) that masqueraded as a benign tool but redirected victims to phishing infrastructure to steal **seed phrases and private keys**, using tactics like hardcoded remote configuration (via JSONKeeper) and decoy navigation to the legitimate `token.im` site after credential capture.
Mar 21, 2026