Browser extensions continue to be a high-leverage attack surface, with a new case targeting Meta’s business tooling.

## What was found

- A Chrome extension advertised as a Meta Business Suite helper (CL Suite) was reported to exfiltrate:

  - TOTP seeds and current 2FA codes

  - Business Manager “People” exports (names, emails, roles)

  - Business Manager analytics and related metadata

- Researchers said the data was sent to attacker-controlled infrastructure, with optional forwarding to a Telegram channel.

## Why it matters

Even without passwords, stolen 2FA material and organizational access metadata can enable account takeover, targeted phishing, and fraud—especially for ad accounts and brand pages.

## Bigger pattern: extension-borne abuse

The report also references other extension campaigns that:

- Hijack social accounts (e.g., VKontakte) by manipulating settings and injecting scripts.

- Masquerade as “AI assistant” tools that render remote iframes and pull data from active tabs or even Gmail content.

## What to do

- Audit installed extensions; remove anything you don’t need.

- Watch for overly broad permissions and extensions that embed remote content.

- In organizations, consider extension allowlisting and separate browser profiles for sensitive business workflows.
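
The audit steps above can be scripted. The following is an added example, not code from the report: it reads each installed extension's `manifest.json` and flags site-wide host access, a chosen subset of sensitive API permissions, and static remote iframes in packaged files. It assumes Chrome's `<profile>/Extensions/<id>/<version>/` on-disk layout; the sample extension, `remote.example`, and all function names are constructed for the demo.

```python
import json, re, tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site
# Chrome API permissions worth manual review (a chosen subset, not exhaustive).
SENSITIVE = {"cookies", "webRequest", "tabs", "scripting", "clipboardRead", "history", "debugger"}
# Heuristic: static iframe markup with a remote source in packaged HTML or JS.
REMOTE_IFRAME = re.compile(r"<iframe[^>]+src=[\"']https?://", re.I)

def audit_manifest(manifest):
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = perms | set(manifest.get("host_permissions", []))  # MV2 lists hosts in permissions
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = [f"broad host access: {h}" for h in sorted(hosts & BROAD_HOSTS)]
    findings += [f"sensitive permission: {p}" for p in sorted(perms & SENSITIVE)]
    return findings

def audit_extension_dir(ext_dir):
    """Audit one unpacked extension version directory (manifest plus packaged files)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = audit_manifest(manifest)
    for f in sorted(ext_dir.rglob("*")):
        if f.is_file() and f.suffix in {".html", ".js"} and REMOTE_IFRAME.search(
                f.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"remote iframe: {f.relative_to(ext_dir).as_posix()}")
    return findings

def audit_profile(extensions_root):
    """Walk <root>/<id>/<version>/manifest.json and return {"id/version": findings}."""
    root = Path(extensions_root)
    return {m.parent.relative_to(root).as_posix(): audit_extension_dir(m.parent)
            for m in sorted(root.glob("*/*/manifest.json"))}

def build_sample(root):
    """Write a constructed extension (not a real one) under root for the demo."""
    ext = Path(root) / "constructedid" / "1.0.0_0"
    ext.mkdir(parents=True)
    manifest = {"manifest_version": 3, "name": "Constructed sample",
                "permissions": ["cookies", "storage"], "host_permissions": ["https://*/*"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}
    (ext / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (ext / "panel.html").write_text('<iframe src="https://remote.example/ui"></iframe>', encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, findings in audit_profile(build_sample(tmp)).items():
            print(ext_id, findings)
```

Point `audit_profile` at a profile's `Extensions` directory to audit a real install. The iframe check is a static heuristic and will not see frames that a script creates at runtime.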