Introduction
In a swift response to a significant supply-chain threat, Google and Microsoft have removed the popular "ModHeader" browser extension from their respective Web Stores. With over 1.6 million installs, this tool—widely used by developers and QA engineers to modify HTTP request headers—was found to contain a "dormant collector." This unauthorized code module was capable of exfiltrating sensitive browsing data, including session cookies and authentication tokens, to a remote command-and-control (C2) infrastructure.
For security practitioners, this event serves as a stark reminder of the risks inherent in the browser extension ecosystem. A trusted utility can silently transform into a data pipeline, exposing enterprise credentials and session data to malicious actors. This post provides a technical breakdown of the threat and actionable detection and remediation guidance.
Technical Analysis
Affected Products and Platforms:
- Google Chrome (Extensions)
- Microsoft Edge (Add-ons)
- Affected Component: ModHeader extension (versions recent to July 2026)
The Threat Mechanism: The "dormant collector" discovered in ModHeader operates as a malicious script within the extension's background process. Unlike aggressive malware that immediately impacts system performance, this collector is designed for stealth.
- Permissions Abuse: The extension legitimately requests broad permissions (such as
<all_urls>orcookies) to function as a debugging tool. The malicious module leverages these existing permissions to intercept data without triggering new permission prompts. - Data Interception: The collector sits passively, monitoring web traffic and extracting specific data elements—potentially including
Authorizationheaders, session IDs, or form data. - Exfiltration: Data is aggregated and transmitted to an external controller. The "dormant" nature suggests the code may have been capable of receiving remote activation commands to begin collection or alter its behavior, making it a persistent foothold rather than a one-off script.
Exploitation Status:
- In-the-Wild: Confirmed. The malicious code was present in the live build available on official stores.
- Active Exploitation: While the code was dormant, its presence implies the infrastructure was operational. The sheer install base (1.6M+) makes the potential blast radius severe.
Detection & Response
Detecting compromised browser extensions via traditional network telemetry is difficult because the traffic originates from a legitimate browser process (chrome.exe, msedge.exe) and often uses standard HTTPS ports. Defense requires a combination of behavioral network analysis and endpoint-level filesystem enumeration.
SIGMA Rules
The following Sigma rules target two behaviors: the potential for an extension to escape the browser sandbox (a common escalation), and network beaconing indicative of a data collector.
---
title: Potential Browser Extension Exfiltration via Non-Standard Ports
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects browser processes establishing connections to non-standard ports, potentially indicating C2 beaconing or data exfiltration by a compromised extension.
references:
- https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\chrome.exe'
- '\msedge.exe'
DestinationPort|not:
- 80
- 443
- 8080
filter_legit_traffic:
DestinationIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter_legit_traffic
falsepositives:
- Internal web applications running on non-standard ports
- Development environments
level: medium
---
title: Browser Process Spawning Shell - Extension Escape
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Chrome or Edge spawning a shell process, which can occur if a malicious extension exploits a browser vulnerability or uses a native messaging host for persistence.
references:
- https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\chrome.exe'
- '\msedge.exe'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection_parent and selection_child
falsepositives:
- User-initiated debugging or developer tools usage
level: high
KQL (Microsoft Sentinel / Defender)
This hunt query identifies browser processes making high-frequency connections to a single external endpoint, a behavior consistent with a "collector" phoning home.
let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe"]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ BrowserProcesses
| where ActionType == "ConnectionAllowed"
| where RemoteUrl !contains "microsoft.com" and RemoteUrl !contains "google.com" and RemoteUrl !contains "google-analytics.com"
| summarize Count = count(), StartTime = min(Timestamp), EndTime = max(Timestamp) by DeviceId, InitiatingProcessAccountId, RemoteUrl, RemotePort
| where Count > 50 // Threshold for potential beaconing/collector activity within the query time window
| project DeviceId, Account = InitiatingProcessAccountId, RemoteUrl, RemotePort, Count, StartTime, EndTime
| order by Count desc
Velociraptor VQL
The most accurate method to confirm the presence of the ModHeader threat is to scan the extension files on the disk. This VQL artifact hunts for the ModHeader extension ID or manifest name within the browser's extension directories.
-- Hunt for ModHeader Extension Manifests
SELECT FullPath, Size, Mtime
FROM glob(globs="/**/Extensions/*/manifest.")
WHERE
-- Read content and check for ModHeader
read_file(filename=FullPath) =~ "ModHeader"
-- Alternative: Check for specific known extension IDs if available
OR FullPath =~ "idgpnmonknjnojddfkpgkljpfnnfcklj" /* Example ID, update if specific 2026 ID is known */
Remediation Script (PowerShell)
Use this script to audit and forcibly remove the ModHeader extension from all user profiles on a Windows endpoint. This ensures the "dormant collector" is completely eradicated even if the browser UI is inaccessible or policies prevent uninstalls.
# ModHeader Extension Removal Script
# Run as Administrator
$ErrorActionPreference = "SilentlyContinue"
# Define browser paths
$ChromeBasePath = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$EdgeBasePath = "$env:SYSTEMDRIVE\Users"
Write-Host "[*] Starting scan for ModHeader extension..."
# Function to remove extension directories containing ModHeader manifest
function Remove-Extension {
param (
[string]$BasePath
)
if (-not (Test-Path $BasePath)) { return }
# Search for manifest. files recursively
Get-ChildItem -Path $BasePath -Recurse -Filter "manifest." -ErrorAction SilentlyContinue | ForEach-Object {
$content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
if ($content -like "*ModHeader*") {
$extPath = Split-Path $_.FullName -Parent
Write-Host "[!] Found ModHeader extension at: $extPath" -ForegroundColor Yellow
# Attempt to remove the directory
try {
Remove-Item -Path $extPath -Recurse -Force
Write-Host "[+] Successfully removed: $extPath" -ForegroundColor Green
}
catch {
Write-Host "[-] Failed to remove $extPath (File in use or permissions)." -ForegroundColor Red
}
}
}
}
# Scan Chrome User Profiles
$UserProfiles = Get-ChildItem "$env:SYSTEMDRIVE\Users" -Directory
foreach ($Profile in $UserProfiles) {
$ChromePath = Join-Path $Profile.FullName "AppData\Local\Google\Chrome\User Data"
if (Test-Path $ChromePath) {
Write-Host "[*] Scanning Chrome profile for $($Profile.Name)..."
Remove-Extension -BasePath $ChromePath
}
}
# Scan Edge User Profiles
foreach ($Profile in $UserProfiles) {
$EdgePath = Join-Path $Profile.FullName "AppData\Local\Microsoft\Edge\User Data"
if (Test-Path $EdgePath) {
Write-Host "[*] Scanning Edge profile for $($Profile.Name)..."
Remove-Extension -BasePath $EdgePath
}
}
Write-Host "[*] Remediation scan complete. Please advise users to restart browsers."
Remediation
- Immediate Removal: Instruct all users to remove the ModHeader extension immediately via the browser extensions menu (
chrome://extensionsoredge://extensions). Do not simply "disable" it; remove it entirely. - Forced Removal via Script: Deploy the PowerShell script above via SCCM, Intune, or RMM tools to ensure compliance across all endpoints, including those where users may ignore manual instructions.
- Session Invalidation: Because the collector may have intercepted session cookies or tokens, treat the breach as a credential theft event. Force a logout of all web sessions for critical applications (SaaS, email, internal portals) and require password resets if MFA was not enforced or if session hijacking is suspected.
- Policy Enforcement: Update Allow/Block lists for browser extensions. Add ModHeader (and its specific Extension IDs) to the blocklist in your Google Admin Console or Microsoft 365 Admin Center to prevent reinstallation.
- Network Hunting: Review firewall and proxy logs for any outbound connections from internal IP ranges to domains associated with the extension's update infrastructure or unknown endpoints established after the extension installation.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.