A troubling cyber threat has emerged targeting administrators of Meta Business Suite and Facebook Business Manager through a malicious Google Chrome extension that harvests two-factor authentication secrets, authentication codes and internal analytics, putting high-value business accounts at risk of takeover. The extension, marketed under the name CL Suite by @CLMasters and available on the Chrome Web Store with broad permissions across meta.com and facebook.com, misleads users by claiming to streamline business workflows, remove verification pop-ups and even generate 2FA codes. Once installed, however, it systematically siphons sensitive data to infrastructure controlled by threat actors, undermining fundamental security protections.
Detailed technical analysis shows that CL Suite collects time-based one-time password seeds and the corresponding six-digit 2FA codes for Meta Business and Facebook accounts, then transmits them, along with usernames and email identifiers, to a remote backend at getauth[.]pro. This exfiltration pipeline includes options for forwarding payloads to a Telegram channel under the adversary’s control, effectively neutralising 2FA protections once passwords or recovery mechanisms are compromised elsewhere.
Security researchers monitoring the attack surface stress that the theft of 2FA seeds and codes represents a significant escalation in account takeover tactics. While capturing a current 2FA code alone might grant short-lived access, possession of the underlying seed allows adversaries to generate legitimate codes indefinitely, bypassing multifactor protections that many organisations rely on to secure high-privilege administrative sessions. The extension also extracts Business Manager contact lists, roles, permissions and analytics data, offering attackers a comprehensive map of internal structures and high-value assets, including linked ad accounts and potentially billing details.
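To make concrete why a stolen seed is worse than a stolen code, here is an added example (not from the article or the researchers it cites) that implements the standard RFC 4226 HOTP and RFC 6238 TOTP algorithms in Python. It uses the RFC's own published test secret rather than any real seed, and it assumes that Meta's authenticator setup uses the common defaults of HMAC-SHA1, 30-second steps and six digits; the function `attacker_codes_still_valid` is a hypothetical name for the remediation check at the end.

```python
import hashlib
import hmac
import struct

# Assumed parameters (RFC 6238 defaults): HMAC-SHA1, 30-second steps, six digits.
STEP_SECONDS = 30
DIGITS = 6

# The RFC 6238 reference secret, used only so the outputs are checkable against the RFC.
RFC_TEST_SEED = b"12345678901234567890"
# Constructed stand-in for the fresh seed an account gets when 2FA is re-enrolled.
NEW_SEED = b"constructed-re-enrolled-seed-01"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamically truncate, keep N digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def code_lifetime(unix_time: int, step: int = STEP_SECONDS) -> tuple[int, int]:
    """(start, end) of the single window in which a code captured at unix_time verifies.
    This is all a stolen six-digit code is worth once the window has passed."""
    start = (unix_time // step) * step
    return start, start + step


def attacker_codes_still_valid(stolen_seed: bytes, account_seed: bytes, unix_time: int) -> bool:
    """Remediation check: do codes derived from the stolen seed still match the account's seed?
    Changing the password leaves the account seed unchanged, so this stays True; only
    re-enrolling 2FA (a fresh seed) makes it False."""
    return totp(stolen_seed, unix_time) == totp(account_seed, unix_time)


if __name__ == "__main__":
    t = 20000000000  # one of the RFC 6238 sample timestamps
    print("code at t:", totp(RFC_TEST_SEED, t), "valid only during", code_lifetime(t))
    print("seed still usable after password change:",
          attacker_codes_still_valid(RFC_TEST_SEED, RFC_TEST_SEED, t))
    print("seed still usable after 2FA re-enrolment:",
          attacker_codes_still_valid(RFC_TEST_SEED, NEW_SEED, t))
```

The practical consequence for an incident responder is that a password reset does not close the exposure described above: every account whose seed passed through the extension needs its authenticator removed and re-enrolled, and any backup codes regenerated, before the takeover path is actually closed.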
The risk posed by CL Suite is amplified by its broad access requests and the fact that it remains publicly listed in the official Chrome Web Store at the time of reporting, albeit flagged by researchers. The published extension has a small user base but any installation on systems used to administer corporate pages, ad accounts or payment configurations can instantly expose those assets to malicious actors. Unlike typical phishing or brute-force credential attacks, this threat leverages legitimate API privileges and browser extension APIs to operate stealthily in the background once granted permissions.
Threat intelligence signals indicate that this is part of a wider pattern of malicious or compromised Chrome extensions that pose a danger to business and individual users alike. Parallel investigations have uncovered clusters of extensions abusing browser APIs to siphon browsing history, email content and other personal data, often masquerading as AI tools or productivity helpers. These broader campaigns have resulted in hundreds of thousands of installations before removal, illustrating the scale of risk within the extension ecosystem.
Security specialists point to a host of factors driving this trend, including the difficulty of accurately vetting extensions at scale and the exploitation of broad host permissions to reach high-value platforms such as social networks and business management consoles. Academic research into malicious browser extensions highlights the inherent challenge of distinguishing between benign and harmful behaviour, even with machine learning-based detection systems in place, and underscores the need for enhanced review mechanisms and runtime monitoring by platform maintainers.
For organisations and administrators, the incident serves as a stark reminder of the expanding attack vectors against business digital infrastructure. Traditional security measures like strong passwords and 2FA must now be complemented by tighter controls on browser add-ons and extension install policies, especially on systems that access critical business tools. IT and security teams are advised to implement extension allow-listing, conduct regular audits of installed extensions and monitor network traffic for signs of unexpected communication with unknown domains.
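As an added illustration of the audit and monitoring advice above (this is example code, not tooling from the article or from any vendor it mentions), the following Python script does two of the recommended checks: it inspects Chrome extension manifests for host permissions that reach the Meta and Facebook domains named in the report, and it scans proxy or DNS log lines for contact with the exfiltration domain the report identifies, getauth[.]pro. The `Extensions/<id>/<version>/manifest.json` layout is Chrome's profile structure; the log format, the watchlist of domains and the two sample manifests are constructed for the example.

```python
import json
import re
from pathlib import Path

# Constructed watchlist: the platforms the report says the extension requests access to.
SENSITIVE_HOSTS = {"facebook.com", "business.facebook.com", "meta.com"}
# Exfiltration backend named in the report (getauth[.]pro, undefanged so it matches logs).
KNOWN_BAD_DOMAINS = {"getauth.pro"}


def host_from_pattern(pattern: str):
    """Host part of a Chrome match pattern ('*://*.facebook.com/*' -> '*.facebook.com').
    Returns '*' for <all_urls> and None for patterns that do not parse."""
    if pattern == "<all_urls>":
        return "*"
    m = re.match(r"^[a-z*]+://([^/]+)/", pattern)
    return m.group(1) if m else None


def pattern_covers(host_pattern, domain: str) -> bool:
    """Does a match-pattern host ('*', 'example.com', '*.example.com') reach this domain?"""
    if host_pattern is None:
        return False
    if host_pattern == "*":
        return True
    if host_pattern.startswith("*."):
        base = host_pattern[2:]
        return domain == base or domain.endswith("." + base)
    return host_pattern == domain


def audit_manifest(manifest: dict) -> list[str]:
    """Sensitive domains an extension can reach through host_permissions (Manifest V3),
    host entries in permissions (Manifest V2) or content_scripts matches."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    reached = {d for p in patterns for d in SENSITIVE_HOSTS
               if pattern_covers(host_from_pattern(p), d)}
    return sorted(reached)


def audit_extensions_dir(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk a Chrome profile's Extensions folder (path supplied by the caller) and report
    every installed extension version that can reach a sensitive domain."""
    findings = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        reached = audit_manifest(manifest)
        if reached:
            findings[f"{manifest.get('name', '?')} ({manifest_path.parent.name})"] = reached
    return findings


# Constructed key=value log format; adapt DST_RE to the proxy or resolver actually in use.
DST_RE = re.compile(r"\bdst=(?P<dst>[^\s:]+)")


def scan_log(lines) -> list[str]:
    """Return log lines whose destination is a known-bad domain or one of its subdomains."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower().rstrip(".")
        if any(dst == bad or dst.endswith("." + bad) for bad in KNOWN_BAD_DOMAINS):
            hits.append(line.strip())
    return hits


# Constructed sample inputs: a manifest shaped like a business-tools helper with broad host
# access, a benign manifest, and three proxy log lines.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "example-business-helper",
    "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"],
}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "example-notes",
                   "host_permissions": ["https://example.com/*"]}
SAMPLE_LOG = """\
2024-05-02T09:14:03Z host=ws-17 dst=business.facebook.com:443 action=allow
2024-05-02T09:14:05Z host=ws-17 dst=api.getauth.pro:443 action=allow
2024-05-02T09:14:09Z host=ws-22 dst=update.googleapis.com:443 action=allow
""".splitlines()

if __name__ == "__main__":
    print("suspicious extension reaches:", audit_manifest(SUSPICIOUS_MANIFEST))
    print("benign extension reaches:", audit_manifest(BENIGN_MANIFEST))
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT:", hit)
```

A manifest hit is not proof of malice, since legitimate page-management helpers also request Facebook host access; it is the trigger for a closer look, and on machines that administer ad accounts or billing the safer policy is to allow-list only vetted extension IDs through Chrome's enterprise policy and treat everything else as blocked by default. The log scan only covers a domain the report names, so the watchlist should be kept current as further indicators are published.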