Malicious Chrome Extension Steals Meta Business Manager Exports and TOTP 2FA Seeds
Blog post from Socket
Socket's Threat Research Team uncovered a malicious Google Chrome extension, CL Suite by @CLMasters, that presents itself as a tool for managing Meta Business Suite data while secretly exfiltrating sensitive information, including TOTP seeds, 2FA codes, and Business Manager contact lists, to a backend controlled by the threat actor. Despite its claim that 2FA secrets and Business Manager data stay local, the extension transmits this data to a remote server and to a Telegram channel, which undermines the protection 2FA is meant to provide and makes account takeover straightforward. Although its user base is small, the extension poses a significant risk: it compromises both business data and the authentication process, enabling ad fraud and long-term hijacking of business assets. The extension remains available on the Chrome Web Store, and its developers have been notified so that it can be removed.

The underlying code contradicts the extension's privacy policy, which points to a broader pattern of browser-based tools that advertise scraping or data-export features while covertly sending the data to their operators. Organizations must enforce strict control over browser extensions, particularly those that can reach high-value business assets, to prevent similar threats.
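One way an administrator can review installed extensions for exactly this risk profile, an extension that can reach Meta Business Manager pages and also read their content, is to audit each extension's manifest. This is an added example, not code from the Socket post or from the extension; the sensitive-host list and the permission set it treats as data-reading are assumptions.

```python
"""Audit Chrome extension manifests for reach into high-value business sites.
Added example, not code from the Socket post or the extension: flags extensions whose
host permissions cover Meta Business Manager and which can also read page data."""
import json
import re
from pathlib import Path

# Assumed list of hosts the organisation treats as high-value (adjust to taste).
SENSITIVE_HOSTS = ("business.facebook.com", "facebook.com", "meta.com")
# Assumed set of permissions that let an extension read page content, cookies or traffic.
DATA_PERMISSIONS = {"scripting", "webRequest", "cookies", "tabs", "clipboardRead"}

def pattern_to_regex(match_pattern: str) -> re.Pattern:
    """Turn a Chrome match pattern such as *://*.facebook.com/* into a regex on scheme://host."""
    scheme, _, rest = match_pattern.partition("://")
    host = rest.split("/", 1)[0]
    if host == "*":
        host_re = r"[^/]+"
    elif host.startswith("*."):
        host_re = r"([^/]+\.)?" + re.escape(host[2:])  # any subdomain, or the bare domain
    else:
        host_re = re.escape(host)
    scheme_re = r"https?" if scheme == "*" else re.escape(scheme)
    return re.compile(rf"^{scheme_re}://{host_re}$")

def sensitive_hosts_covered(manifest: dict) -> list[str]:
    """Return the sensitive hosts the manifest's host patterns reach (handles MV2 and MV3)."""
    patterns = [p for p in manifest.get("permissions", []) + manifest.get("host_permissions", [])
                if "://" in p or p == "<all_urls>"]
    if "<all_urls>" in patterns:
        return list(SENSITIVE_HOSTS)
    regexes = [pattern_to_regex(p) for p in patterns]
    return [h for h in SENSITIVE_HOSTS if any(r.match(f"https://{h}") for r in regexes)]

def assess(manifest: dict) -> dict:
    """Flag for review when the extension reaches a sensitive host AND can read page data."""
    hosts = sensitive_hosts_covered(manifest)
    perms = sorted(DATA_PERMISSIONS & set(manifest.get("permissions", [])))
    return {"name": manifest.get("name"), "sensitive_hosts": hosts,
            "data_permissions": perms, "needs_review": bool(hosts and perms)}

def audit_profile(extensions_dir: Path) -> list[dict]:
    """Assess every <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    return [assess(json.loads(m.read_text(encoding="utf-8")))
            for m in extensions_dir.glob("*/*/manifest.json")]

# Constructed sample manifest for demonstration (not the real extension's manifest).
SAMPLE_MANIFEST = {"name": "Sample business-suite helper", "manifest_version": 3,
                   "permissions": ["scripting", "storage"], "host_permissions": ["*://*.facebook.com/*"]}
```

Pointing `audit_profile` at a profile's `Extensions` directory lists every installed extension with the hosts it reaches and the data-reading permissions it holds, so the ones marked `needs_review` can be checked against the enterprise allowlist.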