Blog · By Kai, founder of VibeHeader · July 12, 2026

ModHeader Was Flagged as Malware. I'm Not Surprised. Here's Why I Built VibeHeader.

This morning Chrome told me ModHeader had been flagged as malware. I'd been expecting a moment like this for a year. Here's the honest story.

I opened Chrome this morning and the browser was already talking to me: ModHeader had been flagged as malware and disabled. My first reaction wasn't shock. It was a quiet "yeah, that tracks."

Chrome Extensions Safety Check flagging 'ModHeader - Modify HTTP headers' as 'This extension contains malware' and recommending removal
The actual warning Chrome showed me this morning: ModHeader, disabled, “This extension contains malware.”

I'm Kai. I build VibeHeader, a small, focused extension for editing and sharing HTTP headers. I built it about a year ago, largely because of the exact concerns that seem to be behind today's news. So this post is two things: a plain summary of what actually happened, attributed to the people who reported it, plus my honest, first-person account of why I stopped trusting ModHeader long before Google did.

What actually happened

Here is what has been reported by Google, Microsoft, and independent security researchers. None of this is my own finding:

Full links are in the Sources section at the bottom. If you still have ModHeader installed, the widely recommended step is to remove it.

Why I'm not surprised: the three things that pushed me to build my own

Where I work, teams are constantly testing and doing QA across a lot of different staging and test environments. Everyone used ModHeader to carry the header configs for those environments around. It did the job, until three things wore me down.

1. Sharing was painful. People passed environment configs around however was fastest: plain text in Slack and emails, or a quick screenshot when that felt easier. Either way, to actually use one I'd open ModHeader and hand-type each value into the form, one field at a time. It was tedious and easy to get wrong. One trailing space, a lowercase "l" that was really an uppercase "I," and you'd lose twenty minutes chasing a request that failed for no visible reason.

2. Unwanted promo popups. Every so often, a new browser tab or window would open on its own with a promotional page for some other product. For a while I couldn't pin down the cause. But I run several Chrome profiles, and I noticed the popups only ever appeared on the profiles where ModHeader was installed. After I removed it from one of those profiles, the popups stopped there completely. That's what led me to conclude ModHeader was responsible. I want to be clear that this is my own observation from isolating it across profiles, not a lab result. But it was consistent enough that I trusted it.

3. Over-broad permissions. The extension asked for a wide set of permissions, and I had no real way to tell what it might be doing in the background. When something can read and modify your web traffic and also occasionally opens promo tabs, "just trust it" stops feeling like an acceptable answer.

What I actually wanted

None of my frustration was really about headers. What I wanted was a dead-simple way to share environment info so a teammate could apply it in one click, the way you'd drop something in Notion or a Google Doc and everyone's just on the same page. The lightest possible way to sync an env config, with zero privacy worry.

That became the whole design goal of VibeHeader. You build a header set, you get a link, and your teammate opens it and applies it. The config is encoded in the URL fragment (the part after #c=) and processed entirely in the browser, so nothing is sent to a server. The preview even masks common sensitive keys like tokens and cookies so you don't accidentally leak a secret into a chat. No ads. No tracking. MV3-native and light.

An honest admission

I'll be straight with you, because a trust piece that oversells itself isn't worth much. VibeHeader started as a weekend hobby project. I built it about a year ago to scratch my own itch. The people around me started using it, liked how lightweight and convenient it was, and passed it along to others on their own. That word of mouth is really all it's had: it's quietly grown to 1,000+ developers and counting, and I never spent real time promoting it.

So I'm not going to pretend VibeHeader is a big, battle-tested product with a polished team behind it. It's a focused tool, a weekend project that solved a real problem well enough that people kept sharing it.

What today reminded me

Seeing that malware warning this morning didn't feel like vindication so much as a reminder of something basic: building a product ultimately means respecting the people who use it: their experience, and their trust.

It's worth being honest about how an extension ends up flagged. It's usually not one villainous decision. It's a combination: closed-source code nobody outside can audit, permissions broader than the job requires, and steady monetization pressure on a free tool with millions of users. Put those together over enough time and "just a few affiliate tabs" can quietly drift into "a hidden SDK phoning home with the domains you visit." The users never agreed to that trade; they just couldn't see it happening.

The lesson I take from it is to keep the surface area small and the incentives clean: don't collect what you don't need, don't ask for permissions you don't use, and don't build a business model that only works if you quietly sell out your users.

If you're leaving ModHeader

Practical steps, in order:

  1. Remove the extension. If Chrome hasn't already disabled it, remove it from chrome://extensions (and from Edge). Consider rotating any secrets you routinely pasted into it.
  2. When picking a replacement, look for: a small, focused feature set; MV3-native; no ads and no analytics; permissions you can actually reason about; and a sharing model that doesn't route your configs through someone else's server.
  3. What VibeHeader does differently: link-based one-click sharing via the URL fragment (#c=, processed client-side, nothing sent to servers), lightweight and MV3-native, no ads, no tracking, and sensitive-value masking in the preview.

One more thing, and I want to phrase it carefully so I'm not overselling: I'm currently in the process of open-sourcing VibeHeader. It isn't public yet. The point is that you shouldn't have to take my word for any of the claims above. Before long you'll be able to read and audit the code yourself. That, to me, is the honest answer to "why should I trust the next extension?"

No pressure. If VibeHeader isn't the right fit, the comparison page lists other maintained options too.

FAQ

Is ModHeader safe now?

According to Google and Microsoft, no. In early July 2026 Google flagged ModHeader as malware and disabled it, and Microsoft removed it from the Edge Add-ons store. Security researchers reported that build 7.0.18 shipped a hidden SDK that collected the domains users visited and sent them to a third-party collector with no notice and no opt-out. If you still have it installed, the recommended step is to remove it and switch to a maintained, privacy-first alternative.

What is a safe ModHeader alternative?

Look for a header editor that is lightweight, MV3-native, shows no ads, does no tracking, and requests only the permissions it needs. VibeHeader is built this way: no ads, no analytics, and link-based sharing that encodes the config in the URL fragment (#c=) so nothing is sent to a server. Requestly and Header Editor are other actively maintained options if you need heavier rule engines.

Why did ModHeader get flagged as malware?

Security researchers reported that ModHeader build 7.0.18 bundled a hidden spyware SDK that quietly collected the domains users visited and sent them, encrypted, to a third-party collector (stanfordstudies.com) with no notice and no opt-out. This was distinct from any disclosed ads, and earlier reviews had already reported adware and affiliate-tab behavior. On that basis Google flagged the extension as malware and Microsoft pulled it from the Edge store.

Sources

Figures and claims about ModHeader in this post are attributed to Google, Microsoft, and the researchers linked above. The observation about promotional popups is my own, based on isolating the behavior across Chrome profiles.