Security · 6h ago
ModHeader Extension Pulled After Hidden Data Collector Found
Google and Microsoft removed ModHeader, a header-editing extension with 1.6 million installs, after researchers discovered a dormant browsing-history collector in its code. The collector was inactive due to an empty allow-list, and no evidence suggests it ever transmitted data. The incident highlights risks in browser extension supply chains.
Meridian48 take
The dormant collector raises questions about extension vetting, but the lack of active exploitation suggests this may be more about developer negligence than malice.
Read the full reporting
Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found →
The Hacker News
browser-extensionsupply-chain-risk