Google and Microsoft removed ModHeader from their official extension stores after researchers discovered dormant data-collection code embedded in the tool. The extension, which edits HTTP headers and accumulated 1.6 million installs across Chrome and Edge, contained a browsing-history collector that remained inactive due to an empty allow-list configuration.

No evidence indicates the collector ever transmitted data or captured browsing activity. The dormancy prevented any operational threat, but the undisclosed code violated store policies requiring transparency about data handling. Both platforms flagged the violation and delisted the extension.

ModHeader functioned legitimately for users developing and testing web applications. The extension allowed developers to modify HTTP request and response headers without touching server configurations. Its removal leaves those users without immediate alternatives for header manipulation within browser extensions.

The discovery raises questions about how the code entered ModHeader's codebase. The extension's repository and maintenance history require scrutiny to determine whether the collector represented abandoned functionality, unauthorized injection, or a planned feature that never activated. Security researchers examining the extension will likely publish detailed findings about its origin and scope.

This incident highlights recurring problems with browser extensions: limited store review processes, difficulty auditing third-party code, and user reliance on closed-source tools with elevated browser permissions. Extensions can access browsing history, cookies, and credentials by design, making transparency non-negotiable. Hidden collection mechanisms, even dormant ones, breach user trust and violate distribution policies.

Users who installed ModHeader should update their extension list immediately. The removal prevents further updates, but existing installations retain the dormant code. Manual uninstallation eliminates the risk entirely. Those requiring header-editing functionality can explore alternative extensions, though vetting becomes essential following this incident.

The removal demonstrates platform enforcement of data-handling policies. Both Google and Microsoft responded decisively despite the inactive state of the collector, signaling that undisclosed data-access code triggers immediate