February 13, 2026 Cybersecurity researchers have uncovered a malicious Google Chrome extension designed to steal sensitive data from Meta Business Suite and Facebook Business Manager users. The extension, disguised as a productivity tool, quietly siphons authentication codes, contact lists and analytics data without users’ knowledge.
The add-on, called CL Suite, was first uploaded to the Chrome Web Store in March 2025 and markets itself as a utility for scraping business data and simplifying two-factor authentication workflows. But analysis shows it transmits one-time password seeds, active login codes and account metadata to attacker-controlled infrastructure, enabling potential account takeovers.
Security researchers say the extension requests extensive permissions across Meta-owned domains and falsely claims that sensitive data remains local. Instead, the code sends harvested information — including business contact exports and ad account details — to remote servers, with the option to forward the data to private messaging channels controlled by the operator.
Although the extension has relatively few installs, experts warn the data it collects could help attackers identify high-value targets for follow-up intrusions. Even without direct password theft, stolen authentication tokens combined with leaked credentials from other sources could allow unauthorized access to business accounts.
The findings come amid a broader surge in browser-based threats, with multiple campaigns exploiting extensions as covert surveillance tools. In one case, researchers linked a set of Chrome add-ons targeting users of the Russian social platform VKontakte to account hijacking at scale. Those extensions manipulated account settings, forced subscriptions to attacker-controlled groups and used hidden infrastructure to maintain persistent control.
Separately, another campaign involving dozens of extensions posing as AI assistants has affected hundreds of thousands of users. These add-ons embed remote-controlled interfaces that can extract browsing content, capture speech transcripts and siphon sensitive email data, including messages viewed in Gmail.
Researchers say the growing abuse of browser extensions reflects their privileged access to user activity. Unlike traditional malware, extensions operate within trusted ecosystems and often request broad permissions that enable deep data harvesting once installed.
Recent reports suggest the scale of the issue may be far larger. Hundreds of extensions with tens of millions of installs have been found collecting browsing histories for resale to data brokers.
Security experts recommend limiting installed extensions to essential tools from reputable developers, regularly auditing permissions and using separate browser profiles for sensitive workflows. For businesses managing social media or advertising accounts, tightening extension policies and enforcing allowlists may help reduce exposure.
