# Malicious Chrome extension targeting Meta Business accounts steals TOTP seeds and exports analytics data
Researchers report a Chrome extension targeting Meta Business users that can steal TOTP secrets and siphon business contact and analytics information.
Security researchers have flagged a Chrome browser extension that poses as a tool for Meta Business Suite / Facebook Business Manager users, but instead steals sensitive data that can be used for account compromise.
## What was found
The extension (reported as **“CL Suite by @CLMasters”**) claims to help with scraping Meta Business Suite information and handling verification prompts. Investigators say it also:
- Exfiltrates **TOTP seeds** and current **2FA codes**
- Extracts Business Manager “People” views into CSVs (names, emails, roles, permissions)
- Enumerates Business Manager assets (IDs, ad accounts, connected pages, billing/payment configuration)
- Sends data to attacker-controlled infrastructure and can forward payloads to a Telegram channel
## Why this matters
Even if an extension doesn’t directly steal passwords, **capturing TOTP seeds and one-time codes** can defeat 2FA protections when paired with previously obtained credentials (e.g., via infostealer logs or credential dumps). For organizations, Business Manager exports also map out the exact people and assets an attacker would prioritize.
## Defensive steps (practical)
- Audit installed extensions and remove those you don’t absolutely need.
- Treat **broad permissions** (“read and change data on…”) as a red flag, especially on business platforms.
- Use separate browser profiles for sensitive admin consoles.
- Enforce device posture and extension controls where possible (enterprise policies).
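
One way to carry out the first two steps is to read each installed extension's `manifest.json` and flag any whose host patterns reach the admin consoles you care about. The script below is an added example, not code from the report. The `SENSITIVE_HOSTS` list, the function names and the sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption: hostnames of the admin consoles to protect; adjust for your organization.
SENSITIVE_HOSTS = ("business.facebook.com", "www.facebook.com")
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every match pattern the extension may read or script (MV2 and MV3)."""
    pats = manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    # MV2 mixes host patterns with API names inside "permissions".
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return sorted(set(pats))

def covers(pattern, host):
    """True if the host part of a Chrome match pattern covers `host`."""
    pat_host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if pattern in BROAD or pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return risky extensions."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        pats = host_patterns(manifest)
        hosts = [h for h in SENSITIVE_HOSTS if any(covers(p, h) for p in pats)]
        if hosts:
            findings.append({"id": path.parts[-3], "name": manifest.get("name"), "hosts": hosts})
    return findings

def demo():
    samples = {  # constructed manifests, not real extensions
        "constructed-a": {"name": "Sample scraper", "host_permissions": ["https://*.facebook.com/*"]},
        "constructed-b": {"name": "Sample notes", "host_permissions": ["https://example.org/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            Path(tmp, ext_id, "1.0_0").mkdir(parents=True)
            Path(tmp, ext_id, "1.0_0", "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(tmp)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To audit a real machine, call `audit_profile` on the `Extensions` directory of each Chrome profile. A name shown as `__MSG_...__` is a localization key, so look the extension up by its ID.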
The same report also notes broader extension-abuse campaigns, reinforcing that extensions are a growing, high-leverage attack surface.
Source: The Hacker News