Researchers warn of malicious Chrome extensions stealing Meta Business data and 2FA secrets
Security researchers identified a Chrome extension marketed as a Meta Business “tool” that allegedly exfiltrates Business Manager exports and time-based one-time password (TOTP) seeds. Separate research also points to broader extension campaigns hijacking social accounts and siphoning data at scale.
Multiple security firms are warning that **Chrome extensions** are being used as high-trust malware delivery and data-exfiltration channels—often disguised as productivity tools.
## CL Suite: a Meta Business “tool” that allegedly steals 2FA material
Socket researchers reported on a Chrome extension called **CL Suite by @CLMasters** (extension ID: `jkphinfhmfkckkcnifhjiplhfoiefffl`) that is advertised as:
- scraping Meta Business Suite data
- removing verification pop-ups
- generating 2FA codes
However, Socket says the extension:
- exfiltrates **TOTP seeds** and current one-time codes
- exports **Business Manager “People”** data (names, emails, roles/permissions)
- gathers Business Manager analytics and asset information
- sends data to infrastructure controlled by the operator (including a Telegram-forwarding option)
Even with a relatively small install base, this kind of access can help attackers identify and pursue **high-value business targets**: a stolen TOTP seed lets the operator generate valid one-time codes at will, so the second factor no longer protects the account, and the resulting account takeover can have real financial impact.
## A broader pattern: hijacking social accounts and “AI assistant” extension abuse
The same report highlights:
- A separate campaign (“**VK Styles**”) using extensions masquerading as social-network customization tools to manipulate accounts and maintain persistence.
- Another cluster (“**AiFrame**”) where extensions presented as AI assistants render a remote, server-controlled iframe to gain privileged browser access and extract content—sometimes including **Gmail** data.
## Why it matters
Browser extensions sit in the middle of identity, messaging, analytics, and payment workflows. When malicious, they can become **silent backdoors**—collecting data and credentials while looking like normal add-ons.
## What to do now
- Audit extensions across org devices; remove anything unnecessary or requesting overly broad permissions.
- Use separate browser profiles for sensitive business/admin access.
- Monitor for abnormal access patterns in Meta Business and other admin consoles; enforce strong account security and least privilege.
- Where a suspect extension was installed, treat the TOTP seeds as compromised: re-enrol 2FA (issue new seeds) rather than only resetting passwords, since a password change does not invalidate an exfiltrated seed.
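The audit step above is easier to act on with a script. The following is an added example (not code from The Hacker News, Socket, Koi Security or LayerX): it walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` layout (the default layout is assumed), flags extensions that request broad page, cookie, tab or traffic access, matches IDs against a known-bad list seeded with the CL Suite ID from the Socket report, and emits a Chrome `ExtensionInstallBlocklist` policy fragment. The high-risk permission set is this example's judgement, not a list taken from the page, and the sample manifests are constructed for the demo rather than copied from the real extensions.

```python
"""Offline audit of locally installed Chrome extensions (added example)."""
import json
import sys
import tempfile
from pathlib import Path

# Extension IDs to block outright. The CL Suite ID comes from the Socket report.
KNOWN_BAD_IDS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite by @CLMasters (Socket report)",
}

# Permissions / host patterns that grant broad read or modify access to pages,
# sessions or traffic. Selection is this example's judgement, not from the page.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "scripting", "clipboardRead", "debugger",
    "nativeMessaging", "history", "management", "proxy",
}


def risky_permissions(manifest):
    """Return the high-risk permissions and host patterns a manifest requests (MV2 or MV3)."""
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts carry their own match patterns; a wildcard here is as broad as <all_urls>.
    for cs in manifest.get("content_scripts", []):
        requested.update(cs.get("matches", []))
    return requested & HIGH_RISK_PERMISSIONS


def audit_manifest(ext_id, manifest):
    """Classify one extension: 'block' (known-bad ID), 'review' (broad permissions) or 'ok'."""
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known-bad id: " + KNOWN_BAD_IDS[ext_id])
    risky = risky_permissions(manifest)
    if risky:
        reasons.append("broad permissions: " + ", ".join(sorted(risky)))
    verdict = "block" if ext_id in KNOWN_BAD_IDS else ("review" if risky else "ok")
    return {"id": ext_id, "name": manifest.get("name", "?"), "verdict": verdict, "reasons": reasons}


def audit_extensions_dir(extensions_dir):
    """Walk Extensions/<id>/<version>/manifest.json (assumed default Chrome profile layout)."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if manifest_path.is_file():
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
                findings.append(audit_manifest(ext_dir.name, manifest))
    return findings


def build_blocklist_policy(findings):
    """Chrome enterprise policy fragment listing every 'block' verdict."""
    return {"ExtensionInstallBlocklist": sorted(f["id"] for f in findings if f["verdict"] == "block")}


# Constructed sample profile: these manifests are made up for the demo, not the real extensions' files.
SAMPLE_MANIFESTS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": {
        "name": "sample-suite", "manifest_version": 3,
        "permissions": ["storage", "cookies", "scripting"], "host_permissions": ["<all_urls>"]},
    "abcdefghijklmnopabcdefghijklmnop": {
        "name": "sample-theme", "manifest_version": 3, "permissions": ["storage"]},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "name": "sample-assistant", "manifest_version": 3, "permissions": ["tabs"],
        "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["c.js"]}]},
}


def write_sample_profile(base_dir):
    """Lay the constructed manifests out in the Extensions/<id>/<version>/ shape."""
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        d = Path(base_dir) / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return base_dir


def run_sample_audit():
    """Audit the constructed profile in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profile(tmp)
        return audit_extensions_dir(tmp)


if __name__ == "__main__":
    # Pass a real Extensions directory as argv[1]; with no argument the constructed sample is used.
    findings = audit_extensions_dir(sys.argv[1]) if len(sys.argv) > 1 else run_sample_audit()
    for f in findings:
        print(f"{f['verdict']:6} {f['id']} {f['name']}: {'; '.join(f['reasons']) or 'no findings'}")
    print(json.dumps(build_blocklist_policy(findings), indent=2))
```

Run it against a user's profile directory (for example `~/.config/google-chrome/Default/Extensions` on Linux, or the equivalent path on other platforms) to get a per-extension verdict; a `review` verdict means the extension can read or modify pages broadly and should be justified or removed, and the emitted policy fragment can be pushed through Chrome enterprise policy to block known-bad IDs fleet-wide.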
Source: The Hacker News (with reporting citing Socket, Koi Security, and LayerX research).