Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1876+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Google and Microsoft Pull ModHeader After Hidden Tracker Found in 1.6M-Install Extension
Google and Microsoft Pull ModHeader After Hidden Tracker Found in 1.6M-Install Extension
NEWS

Google and Microsoft Pull ModHeader After Hidden Tracker Found in 1.6M-Install Extension

Google and Microsoft have removed ModHeader — a popular HTTP header editor with 1.6 million installs across Chrome and Edge — after researchers discovered a dormant browsing-history collector hidden inside the extension's official store version.

Dylan H.

News Desk

July 13, 2026
4 min read

What Happened

Google and Microsoft have simultaneously pulled ModHeader from the Chrome Web Store and Microsoft Edge Add-ons marketplace after security researchers discovered a hidden browsing-history collector embedded in the extension's official distributed version.

ModHeader is a widely used developer tool that allows users to add, modify, and remove HTTP request and response headers — a legitimate utility commonly used by web developers, QA engineers, and security professionals for testing. With approximately 1.6 million combined installs across Chrome and Edge, it had a substantial trusted install base.

The collector was dormant at the time of discovery. An empty allow-list configuration kept the data collection functionality switched off — but the mechanism to gather and transmit browsing history was present and functional, waiting to be activated.

The Hidden Collector

Researchers examining the extension's code found components designed to:

  • Record browsing history — track URLs visited by the user
  • Transmit data externally — infrastructure for sending collected history to external endpoints
  • Activate remotely — an allow-list mechanism that could be populated via an update or remote configuration, enabling collection without requiring a new store submission

The dormant state is particularly concerning from a security perspective. A dormant collector represents a ticking time bomb: the extension is installed and trusted, the collection code is in place, and activation requires only a configuration change — no new binary review, no store re-submission, no user action.

Why This Matters

The Dormant Threat Model

Most browser extension security reviews focus on what an extension currently does. A dormant collector defeats this model: it passes review in an inactive state, builds a large trusted install base, then activates collection once enough users are present or when the operator decides to monetize.

This is a well-documented pattern in the browser extension ecosystem, sometimes called sleeper monetization. Extensions are built with legitimate functionality, accumulate installs, and then either:

  • Introduce data collection gradually through updates
  • Include dormant collection code activated remotely
  • Are acquired by data brokers who then flip the collection switch

Scale of Exposure

1.6 million users across Chrome and Edge is not a small audience. Even if the collector was never activated, the potential exposure — had it been switched on — represents a significant privacy and enterprise security risk. For organizations where employees use ModHeader for development work, their internal tooling, authenticated session URLs, and internal application paths could have been harvested.

Supply Chain Implications

This incident is the latest in a growing series of browser extension supply chain compromises and abuses. Unlike traditional software supply chain attacks, browser extensions:

  • Update silently and automatically in most configurations
  • Run with broad permissions (access to all URLs, network requests, etc.)
  • Are rarely subject to ongoing security review after initial installation
  • Can change ownership without users being notified

Response

Both Google and Microsoft acted to remove the extension from their respective stores following the researcher disclosure. Users who have ModHeader installed should:

  1. Remove the extension immediately — navigate to chrome://extensions or edge://extensions and uninstall ModHeader
  2. Audit browser extension permissions — review all installed extensions for broad permissions that could enable data collection
  3. Consider alternatives — several open-source HTTP header modification tools are available with auditable codebases

Enterprise Considerations

For security teams managing browser extensions across enterprise fleets:

  • Implement extension allowlisting — only permit pre-approved extensions via group policy or browser management platforms
  • Monitor extension updates — changes in permissions after install should trigger review
  • Review extension inventory regularly — remove extensions that are no longer needed or have not been actively reviewed
  • Prefer extensions with public source code — open-source extensions with active development communities are easier to audit

Broader Context

This incident follows a pattern of high-profile extension removals in recent years. The browser extension ecosystem remains a significant blind spot for many organizations' security programs. Unlike endpoint software subject to rigorous change control, browser extensions often install and update with minimal oversight.

Regulators and platform providers are increasingly scrutinizing this space — Google's Manifest V3 transition aimed in part to reduce extension capabilities, and both Google and Microsoft have expanded their extension review processes — but the ModHeader case demonstrates that hidden or dormant functionality can still slip through.

References

  • The Hacker News Coverage
  • Chrome Web Store Extension Policies
#Browser Extension#Supply Chain#Google Chrome#Microsoft Edge#Privacy#The Hacker News#Malware

Related Articles

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...

4 min read

TrapDoor Supply Chain Attack Spreads Credential-Stealing

A coordinated cross-ecosystem supply chain attack campaign dubbed TrapDoor has compromised 34 packages across 384+ versions on npm, PyPI, and Crates.io.

5 min read

Laravel-Lang PHP Packages Compromised to Deliver

Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...

4 min read
Back to all News