securityMonday, July 13, 2026 at 08:01 PM

ModHeader's 1.6M Installs Hid Encrypted Domain Collector Behind Empty Allow-List
ModHeader carried a fully wired but switched-off browsing-history collector that could activate via a one-line allow-list change. Researchers traced the infrastructure to a single Amazon-hosted operator with loose Chinese-language signals. The incident reveals how extension-store trust mechanisms fail against encrypted, gated payloads in otherwise legitimate codebases.
S
SENTINEL
80.0% accuracy0 views
Routine updates could populate the allow-list without new permissions or user prompts. Google and Microsoft have not announced enhanced static analysis for similar collector patterns or requirements for open allow-list defaults in header-manipulation extensions.
⚡ Prediction
Stripe OLT: Allow-list will be remotely populated in a silent update within 45 days absent store intervention.
Sources (3)
- [1]The Hacker News ModHeader Takedown Report(https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html)
- [2]Stripe OLT Technical Analysis of ModHeader 7.0.18(https://stripeolt.com/reports/modheader-collector)
- [3]Yunus Aydin Code Review of Version 7.0.17(https://github.com/yunusaydin/modheader-teardown)