Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History
Briefly

"The extension requests broad access to meta.com and facebook.com and claims in its privacy policy that 2FA secrets and Business Manager data remain local," security researcher Kirill Boychenko said. "In practice, the code transmits TOTP seeds and current one-time security codes, Meta Business 'People' CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor."
"The extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is marketed as a way to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes. The extension has 33 users as of writing. It was first uploaded to the Chrome Web Store on March 1, 2025. However, the browser add-on also exfiltrates TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor, Socket said."
A Chrome extension named CL Suite (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) was uploaded to the Chrome Web Store on March 1, 2025 and has 33 users. It is marketed as a tool to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes. The extension requests broad access to meta.com and facebook.com, yet it transmits TOTP seeds and current one-time codes, exported Meta Business 'People' CSVs, and Business Manager analytics to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the attacker. The add-on does not steal passwords directly, but it can enable account takeover when combined with credentials that were compromised earlier.
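The two indicators the report gives (the extension ID and the getauth[.]pro backend) plus the pattern it describes (broad host access to Meta domains combined with TOTP handling) are enough for a quick local check. The following script is an added example written for this summary; it is not code from The Hacker News, Socket, or the extension itself. It walks a Chrome profile's `Extensions/<id>/<version>/manifest.json` files, flags the known-bad ID, any manifest text referencing the backend domain, and host patterns that grant access to facebook.com or meta.com. The sample manifests at the bottom are constructed for the demonstration and do not reproduce the real extension's manifest.

```python
"""Scan Chrome extension manifests for the IoCs and permission pattern described above.

Added example; the sample manifests are constructed, not taken from the real extension.
"""
import json
import sys
from pathlib import Path

# IoCs taken from the report (domain shown defanged there as getauth[.]pro).
KNOWN_BAD_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl"}  # CL Suite by @CLMasters
KNOWN_BAD_DOMAINS = {"getauth.pro"}

# Host fragments covering the Meta properties the extension targets.
META_HOST_FRAGMENTS = ("facebook.com", "meta.com")


def host_patterns(manifest: dict) -> list:
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions'
    and content_scripts 'matches' (all three grant page access)."""
    pats = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                pats.append(entry)
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats


def assess(ext_id: str, manifest: dict) -> dict:
    """Return findings for one extension; an empty findings list means nothing matched."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"extension id {ext_id} is a known IoC")
    broad_meta = [
        p for p in host_patterns(manifest)
        if p == "<all_urls>" or any(frag in p for frag in META_HOST_FRAGMENTS)
    ]
    if broad_meta:
        findings.append("broad host access to Meta domains: " + ", ".join(broad_meta))
    # Backends sometimes surface in CSP connect-src or host patterns; a crude
    # substring search over the serialized manifest catches both.
    serialized = json.dumps(manifest)
    for domain in KNOWN_BAD_DOMAINS:
        if domain in serialized:
            findings.append(f"manifest references IoC domain {domain}")
    return {"id": ext_id, "name": manifest.get("name", "?"), "findings": findings}


def scan_profile(profile_dir) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report only hits."""
    ext_root = Path(profile_dir) / "Extensions"
    hits = []
    if not ext_root.is_dir():
        return hits
    for id_dir in ext_root.iterdir():
        for manifest_path in id_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest; skip rather than abort
            result = assess(id_dir.name, manifest)
            if result["findings"]:
                hits.append(result)
    return hits


# Constructed sample manifests (not the real extension's manifest).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-sample-suite",
    "permissions": ["storage", "cookies"],
    "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"],
    "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["content.js"]}],
    "content_security_policy": {"extension_pages": "connect-src https://getauth.pro"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-benign",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. ~/.config/google-chrome/Default on Linux (path is an assumption)
        for hit in scan_profile(sys.argv[1]):
            print(json.dumps(hit, indent=2))
    else:
        print(json.dumps(assess("jkphinfhmfkckkcnifhjiplhfoiefffl", SAMPLE_MANIFEST), indent=2))
```

Run it with a Chrome profile directory as the only argument; with no argument it assesses the constructed sample. The ID check is the only high-confidence signal; the Meta host-pattern check is a triage aid, since many legitimate extensions also request facebook.com access, so review those hits rather than removing them automatically.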
Read at The Hacker News