Recent findings by cybersecurity experts have unveiled a dangerous Google Chrome extension that targets business data, posing significant risks to companies utilizing Meta Business Suite and Facebook Business Manager. This extension, known as CL Suite by @CLMasters, is deceptively marketed as a tool to aid in data management and two-factor authentication (2FA) generation. Despite its seemingly useful features, the extension is designed to extract sensitive information without user consent, raising alarms in the cybersecurity community.
Unveiling the Threat
The CL Suite extension, which first appeared on the Chrome Web Store in March 2025, has been identified as a tool for unauthorized data collection. Although it claims to enhance user experience by removing verification pop-ups and managing 2FA codes, it secretly exfiltrates time-based one-time password (TOTP) codes and business analytics to a server controlled by the threat actor. The extension’s privacy policy misleadingly suggests that data remains local, but in reality, it transmits sensitive information to external servers.
Security researcher Kirill Boychenko has highlighted the extension’s ability to collect and forward data, including Meta Business ‘People’ CSV exports and analytics, to a backend server at getauth[.]pro. The extension even has the capability to send this data to a Telegram channel operated by the attackers. This stealthy data scraping is a significant concern for businesses relying on Meta’s platforms for operations.
Broader Implications and Similar Threats
This threat is not isolated. A similar campaign, dubbed VK Styles, has been discovered, targeting VKontakte users. This large-scale attack involves Chrome extensions that manipulate VK accounts, demonstrating the versatility and reach of such malicious tools. The attackers use these extensions to force user subscriptions to VK groups, alter account settings, and bypass security measures, all while maintaining persistent control over the targeted accounts.
More concerning is the revelation of another campaign involving AI-themed browser extensions. These extensions, masquerading as AI assistants for various tasks, have been installed by over 260,000 users. They exploit their perceived utility to siphon sensitive data, including browsing history and Gmail content, by embedding remote-controlled interfaces that bypass Chrome’s security protocols.
Security Recommendations and Future Outlook
With the increasing sophistication of browser extensions as tools for cyber threats, it is crucial for users and organizations to exercise caution. Experts advise minimizing extension installations, regularly auditing installed extensions, and ensuring they come from reputable sources. Implementing separate browser profiles for sensitive tasks and employing allowlisting strategies can also mitigate risks.
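As an added illustration of the auditing and allowlisting advice above (not code from the researchers or from any vendor), the following Python sketch walks a Chrome profile's `Extensions` directory, skips allowlisted extension IDs, and reports which host patterns each remaining extension holds over Meta Business domains. The domain list, the function names and the sample manifests are assumptions constructed for this example.

```python
import json
import tempfile
from pathlib import Path

# Assumption: hosts treated as sensitive for this audit (Meta Business surfaces).
SENSITIVE_DOMAINS = ("facebook.com", "meta.com")

def pattern_reaches(pattern, domains=SENSITIVE_DOMAINS):
    """True if a Chrome match pattern can cover a sensitive domain."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if pattern == "<all_urls>" or host == "*":
        return True  # wildcard access includes every sensitive host
    host = host[2:] if host.startswith("*.") else host
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_extensions(extensions_dir, allowlist):
    """List extensions outside the allowlist and their reach into sensitive hosts."""
    findings = []
    # Chrome layout: <profile>/Extensions/<extension id>/<version>/manifest.json
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        if ext_id in allowlist:
            continue
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        patterns = list(manifest.get("host_permissions", []))
        patterns += manifest.get("permissions", [])  # Manifest V2 lists hosts here
        for script in manifest.get("content_scripts", []):
            patterns += script.get("matches", [])
        reach = sorted({p for p in patterns if isinstance(p, str) and pattern_reaches(p)})
        findings.append({"id": ext_id, "name": manifest.get("name", ""), "reach": reach})
    return findings

def build_sample(root):
    """Constructed sample profile: one approved extension, one unapproved."""
    samples = {
        "a" * 32: {"name": "Approved password manager", "permissions": ["storage"]},
        "b" * 32: {"name": "Unreviewed 2FA helper", "permissions": ["storage"],
                   "host_permissions": ["https://business.facebook.com/*"],
                   "content_scripts": [{"matches": ["*://*.facebook.com/*"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0.0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return {"a" * 32}  # allowlist for this constructed sample

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(tmp, build_sample(tmp)):
            print(finding)
```

An extension that is off the allowlist and has a non-empty `reach` list is the first candidate for review or removal.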
The growing trend of malicious browser extensions highlights the need for heightened awareness and improved security measures. As attackers continue to exploit these tools for data exfiltration, both users and developers must remain vigilant to protect sensitive information from unauthorized access.
