Malicious Google Chrome Extension Steals Facebook Business Manager 2FA Codes and Analytics Data
In reality, it steals sensitive two-factor authentication (2FA) seeds, one-time codes, and business analytics data, sending everything to cybercriminals’ servers.
Under the ID jkphinfhmfkckkcnifhjiplhfoiefffl, this malicious tool targets Facebook and Instagram managers handling valuable ad accounts and employee data.
Socket’s analysis reveals that the extension requests broad access to the meta.com and facebook.com domains. Its privacy policy on clmasters[.]pro claims that data stays local, but SocketDev’s code analysis shows otherwise.
When users open the 2FA generator, the extension captures the Time-based One-Time Password (TOTP) seeds, the secret keys from which login codes are derived. These seeds, together with the current codes, are sent straight to getauth[.]pro.
Attackers with the seed can now make unlimited valid codes, completely bypassing 2FA.
CL Suite by @CLMasters extension (Source: SocketDev)
That’s not all. The “People Extractor” feature digs into Business Manager, pulling employee lists, emails, and access levels. A hidden script scans ad accounts and payment setups, too.
All this gets bundled into JSON files and fired to the attackers’ API endpoint at https://getauth[.]pro/api/telemetry.php.
clmasters[.]pro (Source: SocketDev)
The code even sets “sendTelegram: true,” piping the stolen data to a private Telegram channel for instant alerts. This setup speeds up account takeovers, ad fraud, or ransomware preparation.
Even uninstalling won’t fix the damage; attackers keep the TOTP seeds forever. Victims must revoke sessions, rotate 2FA by removing and re-adding authenticators, and change passwords.
Security teams should hunt for these indicators of compromise (IOCs):
| Indicator Type | Value | Description |
|---|---|---|
| Extension Name | CL Suite by @CLMasters | Malicious extension name |
| Extension ID | jkphinfhmfkckkcnifhjiplhfoiefffl | Unique Chrome Web Store ID |
| C2 Domain | getauth[.]pro | Primary data exfiltration endpoint |
| API Endpoint | https://getauth[.]pro/api/telemetry.php | URL receiving stolen data |
| Hardcoded Key | w7ZxKp3F8RtJmN5qL2yAcD9v | Bearer token used for authorization |
| Developer Email | info@clmasters[.]pro | Associated developer contact |
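A small hunt script for the indicators above, added here as an example and not taken from Socket’s report: it checks a Chrome profile’s Extensions directory for the malicious ID and scans proxy or web-gateway log lines for the C2 domain, the developer domain and the hardcoded bearer token. The log lines are constructed for the demonstration, and the Chrome profile path and the log format are assumptions.

```python
import re
from pathlib import Path

# Indicators from the article's IOC table (defanging brackets removed for matching)
MALICIOUS_EXTENSION_ID = "jkphinfhmfkckkcnifhjiplhfoiefffl"
WATCHED_DOMAINS = ("getauth.pro", "clmasters.pro")   # C2 domain and developer domain
HARDCODED_BEARER = "w7ZxKp3F8RtJmN5qL2yAcD9v"        # bearer token sent with stolen data

# Match the domains as whole hostnames or subdomains, not as substrings of other names
DOMAIN_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(d) for d in WATCHED_DOMAINS) + r")(?![\w-])", re.I)

def list_chrome_extension_ids(extensions_dir):
    """Chrome stores each installed extension under <profile>/Extensions/<id>/<version>/.
    Return the 32-character IDs found there (empty list if the directory is missing)."""
    base = Path(extensions_dir)
    if not base.is_dir():
        return []
    return [p.name for p in base.iterdir() if p.is_dir() and len(p.name) == 32]

def find_malicious_extensions(installed_ids):
    """Return the installed IDs that match the known-bad extension."""
    return [eid for eid in installed_ids if eid == MALICIOUS_EXTENSION_ID]

def hunt_log_lines(lines):
    """Scan log lines and return (line_number, indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DOMAIN_RE.search(line)
        if m:
            hits.append((n, "domain:" + m.group(1).lower()))
        if HARDCODED_BEARER in line:
            hits.append((n, "bearer-token"))
    return hits

# Constructed sample proxy log lines (not real traffic) used to exercise the hunt
SAMPLE_LOG_LINES = [
    "2026-05-01T10:00:01Z 10.0.0.5 GET https://business.facebook.com/settings 200",
    '2026-05-01T10:00:02Z 10.0.0.5 POST https://getauth.pro/api/telemetry.php 200 "Authorization: Bearer w7ZxKp3F8RtJmN5qL2yAcD9v"',
    "2026-05-01T10:00:03Z 10.0.0.7 GET https://www.instagram.com/ 200",
    "2026-05-01T10:00:04Z 10.0.0.5 GET https://clmasters.pro/privacy 200",
]

if __name__ == "__main__":
    for line_no, indicator in hunt_log_lines(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {indicator}")
    # Assumed Linux profile path; adjust for Windows/macOS Chrome profile locations
    ext_dir = Path.home() / ".config/google-chrome/Default/Extensions"
    print("malicious extension installed:", bool(find_malicious_extensions(list_chrome_extension_ids(ext_dir))))
```

A hit on the bearer token or the telemetry endpoint in egress logs means the seeds have already left the host, so the rotation steps above apply to every account the user could reach, not just the extension’s removal.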
The post Malicious Google Chrome Extension Steals Facebook Business Manager 2FA Codes and Analytics Data appeared first on Cyber Security News.