The Hacker News highlights multiple cases where **malicious Chrome extensions** masquerade as useful tools but secretly steal sensitive data.

## The core case: “CL Suite” targeting Meta Business

According to the report (citing Socket research), an extension marketed for Meta Business Suite/Facebook Business Manager tasks can:

- Export **Business Manager contact lists** and analytics data

- Exfiltrate **TOTP seeds and current 2FA codes** to attacker-controlled infrastructure

The danger is not only data theft. If an attacker already has a victim’s password (e.g., from an infostealer log or credential dump), stolen 2FA material can enable **rapid account takeover**.

## Broader trend: extension-based account hijacking

The article also notes:

- A large campaign (“VK Styles”) where extensions posing as customization tools hijacked VKontakte accounts, forced subscriptions, and maintained persistence.

- Another cluster (“AiFrame”) where “AI assistant” extensions embedded remote, server-controlled interfaces to extract content from tabs and, in some cases, **read Gmail content** and send it off-device.

## Why it matters

Browser extensions sit inside the user’s most privileged workflow: logged-in web sessions. When they request broad permissions, they can become **quiet, durable exfiltration points**.

## Practical guidance

- Keep extensions to a minimum; remove anything you don’t actively use.

- Review requested permissions carefully (especially access to *all sites*, mail.google.com, or business dashboards).

- For teams: use browser management policies, separate profiles for admin/business work, and continuous extension audits.
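
One way to automate the permission review described above, as an added example (not code from the article or the research it cites): it reads Chrome `manifest.json` data and flags all-site access or match patterns that cover sensitive hosts. The `SENSITIVE_HOSTS` list, the function names and the sample manifests are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

SENSITIVE_HOSTS = ["mail.google.com", "business.facebook.com"]  # assumption: tune per team
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PATTERN = re.compile(r"^(\*|https?|wss?|ftp|file)://([^/]*)/")

def host_covers(pattern_host, host):
    """True if a match-pattern host ('*', '*.example.com', 'example.com') covers host."""
    if pattern_host.startswith("*."):
        return ("." + host).endswith(pattern_host[1:])
    return pattern_host in ("*", host)

def collect_patterns(manifest):
    """Gather host match patterns from both Manifest V2 and V3 fields."""
    pats = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        pats += manifest.get(key, [])
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if isinstance(p, str) and (p == "<all_urls>" or PATTERN.match(p))]

def audit_manifest(manifest):
    """Return sorted findings: 'all-sites: <pattern>' or 'sensitive: <host> via <pattern>'."""
    findings = set()
    for pat in collect_patterns(manifest):
        if pat in ALL_SITES:
            findings.add(f"all-sites: {pat}")
        else:
            pattern_host = PATTERN.match(pat).group(2)
            findings.update(f"sensitive: {h} via {pat}" for h in SENSITIVE_HOSTS if host_covers(pattern_host, h))
    return sorted(findings)

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions directory."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        found = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if found:
            report[path.parent.parent.name] = found
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLES = {
    "theme-helper": {"permissions": ["storage"], "host_permissions": ["https://example.org/*"]},
    "ai-sidebar": {"permissions": ["tabs"], "host_permissions": ["<all_urls>"]},
    "biz-exporter": {"content_scripts": [{"matches": ["https://*.facebook.com/*"]}]},
    "mail-tool": {"manifest_version": 2, "permissions": ["tabs", "https://mail.google.com/*"]},
}
```

For a fleet audit, point `audit_profile` at each profile's `Extensions` directory and compare the flagged extension IDs against the approved list.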

Source: The Hacker News (see link below).