Security researchers have identified a deceptive Google Chrome extension called CL Suite that targets Meta Business Suite and Facebook Business Manager accounts. Although it claims to offer legitimate data scraping and security features, the tool secretly exfiltrates two-factor authentication codes and sensitive business contact lists to a remote server.
A recently discovered Chrome extension named CL Suite, identified by the ID jkphinfhmfkckkcnifhjiplhfoiefffl, poses as a productivity tool for users of Meta and Facebook business platforms. Marketed as a utility to manage analytics and bypass verification pop-ups, the extension actually functions as a data scraper. It was uploaded to the official Chrome Web Store in early 2025 and has already been observed transmitting sensitive information from a small number of installations to infrastructure controlled by a threat actor.
The primary danger of this extension lies in its ability to steal Time-based One-Time Password seeds and current security codes. While the extension's privacy policy falsely claims that this data remains stored locally on the user's device, researchers found that the code actively sends these secrets to an external backend and an associated Telegram channel. This allows the attacker to bypass multi-factor authentication requirements even if they do not yet have the user's primary password, which they might later acquire through separate credential leaks.
In addition to compromising security codes, CL Suite systematically gathers organizational data from the Meta Business environment. It is programmed to automatically navigate through various account views to compile CSV files containing the names, email addresses, and specific permissions of all people associated with a business account. It also enumerates high-level business entities, identifying linked advertising accounts, connected pages, and billing configuration details that could be used for financial fraud.
The researchers at Socket who analyzed the extension pointed out that the software suppresses verification pop-ups to hide its activity from the user. By masquerading as a neutral scraping tool, it convinces business administrators to grant it broad permissions over their Meta and Facebook domains. Once these permissions are granted, the extension acts as a specialized data harvester that collects contact lists and access metadata directly from authenticated browser pages without the victim’s consent.
Even though the current installation count for the extension is low, security experts warn that it represents a significant threat to high-value targets. The level of detail gathered by the tool allows a threat actor to map out a company's internal structure and identify the most privileged accounts for follow-on attacks. This discovery highlights the ongoing risk of niche browser extensions that repackage malicious data collection as legitimate business tools.
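A check for the extension ID named above, as an added example that is not part of the original article or of Socket's analysis: it walks the standard Chrome user-data directories, looks in every profile for the ID jkphinfhmfkckkcnifhjiplhfoiefffl, and reports the permissions declared in its manifest. The function names and the default directory list are assumptions of this example.

```python
import json
import os
from pathlib import Path

# Extension ID reported on this page for CL Suite.
CL_SUITE_ID = "jkphinfhmfkckkcnifhjiplhfoiefffl"


def default_user_data_dirs():
    """Standard Chrome user-data directories (Linux, macOS, Windows)."""
    home = Path.home()
    dirs = [home / ".config" / "google-chrome",
            home / "Library" / "Application Support" / "Google" / "Chrome"]
    local = os.environ.get("LOCALAPPDATA")
    if local:
        dirs.append(Path(local) / "Google" / "Chrome" / "User Data")
    return dirs


def find_extension(user_data_dir, ext_id=CL_SUITE_ID):
    """Return one finding per installed version of ext_id across all profiles."""
    findings = []
    # On-disk layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = None  # unreadable manifest: the install is still reported
        if not isinstance(data, dict):
            data = {}
        findings.append({
            "profile": manifest.parents[3].name,
            "version_dir": manifest.parent.name,
            "name": data.get("name"),
            "permissions": data.get("permissions", []),
            "host_permissions": data.get("host_permissions", []),
            "path": str(manifest.parent),
        })
    return findings


if __name__ == "__main__":
    hits = [f for d in default_user_data_dirs() for f in find_extension(d)]
    for f in hits:
        print(f"FOUND {CL_SUITE_ID} in profile {f['profile']!r} at {f['path']}")
        print(f"  permissions={f['permissions']} hosts={f['host_permissions']}")
    if not hits:
        print(f"{CL_SUITE_ID} not found in the default Chrome profile locations")
```

A hit means any 2FA seed or code entered into the extension should be treated as exposed, given the exfiltration described above.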
Source: Malicious Chrome Extensions Steal Business Data, Emails, And Browsing History


