CYBERSECURITY researchers have uncovered a wave of malicious Chrome extensions designed to siphon data from users, including Meta Business Suite and Facebook Business Manager details.
One extension, CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), markets itself as a data scraper but exfiltrates TOTP seeds and 2FA codes, Business Manager “People” data, and analytics to a backend controlled by the threat actor. Socket noted that the extension had 33 users at the time of writing and was first uploaded on 1 March 2025.
The researchers highlighted that the payload transmits sensitive information to getauth[.]pro, with an option to forward data to a Telegram channel controlled by the operator, and that the extension requests broad access to meta[.]com and facebook[.]com, despite claims that 2FA secrets stay local.
In a broader finding, a separate report from Q Continuum identified 287 Chrome extensions exfiltrating browsing history to data brokers, affecting some 37.4 million installations.
Additionally, a coordinated AiFrame campaign involves 32 AI-themed extensions used to collect sensitive data and even read Gmail content, installed by more than 260,000 users across the set.
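For defenders, the CL Suite details above (its extension ID and its broad access to meta.com and facebook.com) translate into a simple audit of installed extension manifests. The following is an added example, not code from Socket or the article; the function names, the sample manifest and the profile path passed to `scan_extensions_dir` are assumptions.

```python
import json
from pathlib import Path

# Values taken from the article; everything else here is an assumption.
FLAGGED_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl"}   # CL Suite by @CLMasters
WATCHED_DOMAINS = ("meta.com", "facebook.com")

def pattern_covers(pattern, domain):
    """True if a Chrome match pattern grants access to domain or a subdomain."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:          # API permission such as "storage"
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if host == "*":
        return True
    if host.startswith("*."):
        host = host[2:]
    return host == domain or host.endswith("." + domain)

def host_patterns(manifest):
    """Collect host patterns from Manifest V3 and V2 fields."""
    pats = []
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        pats += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def audit_manifest(ext_id, manifest):
    """Return triage findings for one extension."""
    findings = ["flagged-id"] if ext_id in FLAGGED_IDS else []
    pats = host_patterns(manifest)
    for domain in WATCHED_DOMAINS:
        if any(pattern_covers(p, domain) for p in pats):
            findings.append("host-access:" + domain)
    return findings

def scan_extensions_dir(root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json under root."""
    report = {}
    for mf in Path(root).glob("*/*/manifest.json"):
        ext_id = mf.parent.parent.name
        found = audit_manifest(ext_id, json.loads(mf.read_text(encoding="utf-8-sig")))
        if found:
            report.setdefault(ext_id, set()).update(found)
    return report

# Constructed sample manifest (not the real extension's manifest).
SAMPLE = {"manifest_version": 3, "permissions": ["storage"],
          "host_permissions": ["https://*.facebook.com/*", "https://business.meta.com/*"]}
```

A `host-access` finding on its own is only a triage signal, since many legitimate extensions request these hosts; the `flagged-id` match is the one that maps directly to the reported extension.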