
In reality, it steals sensitive two-factor authentication (2FA) seeds, one-time codes, and business analytics data, sending everything to cybercriminals’ servers.
Published under the extension ID jkphinfhmfkckkcnifhjiplhfoiefffl, this malicious tool targets Facebook and Instagram managers who handle valuable ad accounts and employee data.
Socket’s analysis reveals that the extension asks for wide access to the meta.com and facebook.com domains. Its privacy policy on clmasters[.]pro claims that data stays local, but SocketDev’s code analysis shows otherwise.
When users open the extension’s 2FA generator, it grabs the Time-based One-Time Password (TOTP) seeds, the secret keys from which login codes are derived. These seeds, plus the current codes, are sent straight to getauth[.]pro.
Attackers with the seed can now make unlimited valid codes, completely bypassing 2FA.

CL Suite by @CLMasters extension (Source: SocketDev)
That’s not all. The “People Extractor” feature digs into Business Manager, pulling employee lists, emails, and access levels. A hidden script scans ad accounts and payment setups, too.
All this gets bundled into JSON files and fired to the attackers’ API endpoint at https://getauth[.]pro/api/telemetry.php.
Privacy policy page for Meta Business Suite Tools on clmasters[.]pro (Source: SocketDev)
The code even sets a “sendTelegram: true” flag, piping the stolen data to a private Telegram channel for instant alerts. This setup speeds up account takeovers, ad fraud, or ransomware preparation.
Security teams should hunt for these indicators of compromise (IOCs):

| Indicator Type | Value | Description |
|---|---|---|
| Extension Name | CL Suite by @CLMasters | Malicious extension name |
| Extension ID | jkphinfhmfkckkcnifhjiplhfoiefffl | Unique Chrome Web Store ID |
| C2 Domain | getauth[.]pro | Primary data exfiltration endpoint |
| API Endpoint | https://getauth[.]pro/api/telemetry.php | URL receiving stolen data |
| Hardcoded Key | w7ZxKp3F8RtJmN5qL2yAcD9v | Bearer token used for authorization |
| Developer Email | info@clmasters[.]pro | Associated developer contact |

Even uninstalling won’t fix the damage; attackers keep the TOTP seeds forever. Victims must revoke sessions, rotate 2FA by removing and re-adding authenticators, and change passwords.
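As an added, defender-side example (not code from SocketDev or Cyber Security News), the following Python walks a Chrome profile’s Extensions folder and flags the known-bad extension ID and the C2 strings from the IOC table; it assumes the standard Chrome layout of Extensions/<id>/<version>/ and builds its own constructed sample folder so it runs offline.

```python
import tempfile
from pathlib import Path

# IOCs from the SocketDev report; the defanged domain is re-fanged for matching.
MALICIOUS_EXT_ID = "jkphinfhmfkckkcnifhjiplhfoiefffl"
IOC_STRINGS = {
    "c2_domain": "getauth.pro",
    "c2_endpoint": "getauth.pro/api/telemetry.php",
    "hardcoded_bearer": "w7ZxKp3F8RtJmN5qL2yAcD9v",
}
SCAN_SUFFIXES = {".js", ".json", ".html"}


def scan_extensions_dir(extensions_root):
    """Walk a Chrome profile's Extensions folder and return (finding, path) hits.
    Assumed layout: <Extensions>/<32-char extension id>/<version>/files."""
    root = Path(extensions_root)
    findings = []
    if not root.is_dir():
        return findings
    for ext_dir in (d for d in root.iterdir() if d.is_dir()):
        if ext_dir.name == MALICIOUS_EXT_ID:       # hit on the known-bad ID
            findings.append(("extension_id", str(ext_dir)))
        for path in ext_dir.rglob("*"):           # hits on C2 strings in any version
            if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
                continue
            text = path.read_text(errors="ignore")
            for name, needle in IOC_STRINGS.items():
                if needle in text:
                    findings.append((name, str(path)))
    return findings


def build_sample_profile():
    """Constructed demo data: one planted bad extension and one benign one.
    The planted file content is invented for the demo, not the real extension's code."""
    root = Path(tempfile.mkdtemp(prefix="ext_scan_demo_"))
    planted = root / MALICIOUS_EXT_ID / "1.0.0"
    planted.mkdir(parents=True)
    (planted / "background.js").write_text(
        'fetch("https://getauth.pro/api/telemetry.php", '
        '{headers: {Authorization: "Bearer w7ZxKp3F8RtJmN5qL2yAcD9v"}});'
    )
    benign = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.0"
    benign.mkdir(parents=True)
    (benign / "content.js").write_text("console.log('hello');")
    return root


if __name__ == "__main__":
    for finding, where in scan_extensions_dir(build_sample_profile()):
        print(f"{finding}: {where}")
```

Point scan_extensions_dir at a real profile path (for example the Default/Extensions folder under the Chrome user data directory) to check live installs; a string hit in a version folder is worth a manual look even when the directory name is not the known-bad ID.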
The post Malicious Google Chrome Extension Steals Facebook Business Manager 2FA Codes and Analytics Data appeared first on Cyber Security News.
