Google and Microsoft Remove ModHeader Extension Over Hidden Tracking Code

Abeerah Hashim  - Security Expert
Last updated: July 15, 2026
Share
Google and Microsoft Remove ModHeader Extension Over Hidden Tracking Code
  • Google and Microsoft removed the popular ModHeader extension after researchers found a hidden, dormant history collector in the code.
  • The secret tracking system was built to record website visits, encrypt them, and send them daily to a deceptive web domain.
  • Security experts advise all users to uninstall the tool immediately and change any secret passwords or API tokens used during its operation.

The two leading technology companies have acted quickly to ensure the safety of internet users by removing a popular web tool from their respective stores. This utility has assisted over one million web developers in the past by simplifying their daily web requests.

However, some security experts have uncovered the hidden surveillance program in the utility code. Its mere existence created a serious privacy risk for users even without operation.

As a result, both developers of top online platforms, Google and Microsoft, withdrew the application to avert any monitoring activity. This event demonstrates the fact that even trusted and well-known programs can contain a great danger.

Understanding the massive reach of the compromised web tool and the code inside it

The banned software helper operated under the commercial brand name ModHeader. For years, web builders used this extension to tweak the hidden data labels that browsers send to websites. As a result, the tool gained a massive loyal following in the programming community.

According to tracking records, there are around 1.6 million active installations of the application on various platforms. While more than 900,000 of the installations are on Google Chrome alone, about 700,000 users opted for it on the Microsoft Edge browser. 

To protect these users, Microsoft removed the Edge version on July 3. Similarly, Google pulled the Chrome listing on July 10. A specialized computer safety group named Stripe OLT discovered the hidden threat after checking the official store files.

Furthermore, their analysis proved that the malicious code existed inside the genuine, verified version of the software. Browser security has been a recurring concern. Microsoft has warned of a high-severity Edge flaw allowing remote code execution. Thus, the dangerous update did not come from a fake copy. 

Once active on a machine, the program silently builds a unique digital fingerprint of the computer. Next, it monitors every single web page the user opens. 

The tool then encrypts these website names and saves them locally on the hard drive. Fortunately, the built-in tracking pipeline remained inactive because its internal target list was completely empty. 

Nonetheless, a tiny software update could have activated the system instantly without any user approval. The official Google Chrome Web Store previously hosted the program as a highly trusted, verified utility. This verification shows that standard store badges cannot always guarantee continuous safety. 

How the secret tracker bypassed automatic security scanners and concealed its real purpose

The creators of the tracking code employed some ingenious methods to keep it hidden from automated security scanners. One method was to heavily obfuscate the background scripts so the system would almost appear as a normal and sophisticated piece of software.

In addition, since the code had the primary tracking line switched off. So, the virtual testing environment could not track anything regarding the code. Also, automated protection systems classified the program as extremely safe, and some security checkers even assigned the system a safety score of 95 out of 100.

Usually, the software sends its daily reports to a web domain named stanfordstudies[.]com. Although the address sounds official, it has absolutely no connection to Stanford University. Instead, it functioned as a repurposed cover page linked to a generic server. 

The researchers tracked these destination servers and found several weak signals pointing to a Chinese-speaking operator. However, they have not officially named any specific hacking group. 

To secure your organization, the Cybersecurity and Infrastructure Security Agency issues alerts on how entities can protect themselves from compromised browser extensions. These alerts are evidence of a growing trend, wherein hackers exploit backend development tools to circumvent traditional corporate network defenses.

Furthermore, the software has received criticism in the past for inserting unwanted advertisements into search results three years ago, this was the period it switched into an ad-based product.

Still, the official webpage stated that the product does not gather any private data about its users. This false advertising directly contradicts the discovery of the hidden history-gathering code.

Immediate protective actions to secure personal devices and digital accounts

If you currently have this extension installed, you must delete it from your browser immediately; this will delete the tracking files stored on your hard drive.

Also, it is essential to check browser preferences and make sure that automatic syncing does not reinstall this extension. Since the extension could store full network traffic, you must also change any passwords typed while using it.

Specifically, this includes secret key codes, web session tokens, and security cookies. For network administrators, blocking the suspicious domains at the central router is a good recommendation.

You should also search your network logs for any connections to the malicious web addresses. The safety experts at Stripe OLT have shared specialized search scripts to help companies hunt for this threat.

A healthy level of caution regarding browser add-ons remains your best shield against modern digital theft. This case proves that even popular tools require regular manual safety checks. Above all odds, high vigilance is vital for internet safety.

Share this article

About the Author

Abeerah Hashim

Abeerah Hashim

Security Expert

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.

More from Abeerah Hashim

Comments

No comments.