Blog · Security notice · Updated July 13, 2026

How to Remove the ModHeader Malware and Clean Up What It Left Behind

In early July 2026 Google flagged ModHeader v7.0.18 as malware and Microsoft pulled it from the Edge store, after researchers reported it shipped a hidden data-collection SDK. This is a plain, no-drama cleanup checklist: confirm if you're affected, remove it, wipe the leftovers on Mac and Windows, and lock down what it could have touched.

This guide is written to be useful whether or not you end up using VibeHeader. Everything about ModHeader below is attributed to Google, Microsoft, and the independent researchers linked in Sources — none of it is our own analysis. If Chrome or Edge has already disabled the extension for you, that's a good sign the cleanup below applies to you.

Short on time? The essential moves, in order (details below):

  1. Remove the extension from Chrome and Edge.
  2. Delete its leftover storage folders on Mac or Windows.
  3. Block api.stanfordstudies.com at your DNS or hosts file.
  4. Rotate any secrets you pasted into it.

What was reported (the 60-second version)

If you still have ModHeader installed, the widely recommended step is to remove it. Here's how to do that cleanly.

Step 1 — Confirm whether you're affected

Open chrome://extensions (and edge://extensions if you use Edge) and turn on Developer mode so version numbers show.

If Chrome's Safety Check already shows "This extension contains malware", you're in the right place — don't just click away the warning; finish the cleanup below. Here's the actual warning to look for:

Chrome Extensions Safety Check flagging 'ModHeader - Modify HTTP headers' as 'This extension contains malware' and recommending removal
Chrome's Safety Check flagging ModHeader as malware and recommending removal.

Step 2 — Remove the extension (Chrome and Edge)

  1. Go to chrome://extensions → find ModHeader → click Remove → confirm. Repeat at edge://extensions.
  2. If the browser already disabled it, leave it disabled and still click Remove — disabling stops it running but does not delete its cached data.
  3. Do this in every browser profile where you had it installed (each Chrome profile is separate).

Step 3 — Delete the leftover local storage

Uninstalling usually clears most of this, but the extension's cached data — which researchers reported could grow to well over 100 MB of stored request/response headers, potentially including tokens and cookies — can linger. To be thorough, delete any of these folders that still exist. Replace Default with your actual profile folder (also check Profile 1, Profile 2, …).

macOS

Under ~/Library/Application Support/Google/Chrome/ (and the Edge equivalent under Microsoft Edge):

Windows

Under %LOCALAPPDATA%\Google\Chrome\User Data\ (Edge: %LOCALAPPDATA%\Microsoft\Edge\User Data\):

Fully quit the browser before deleting these folders, or the files may be locked.

Step 4 — Block the exfiltration domain

Block and log the collector so nothing can reach it, even from a stray cached copy:

Step 5 — Rotate anything sensitive you fed it

Because the extension could read and store the headers flowing through your browser, treat anything you routinely pasted into it as potentially exposed and rotate it:

This is precautionary given the reported dormant state — but rotating a token is cheap insurance compared to assuming it's fine.

Indicators of compromise (for security / IT teams)

Hunt across managed endpoints for the following. The strongly corroborated indicators are the extension ID, version, exfil endpoint, and disguised filename; items marked (as reported) come from the original reverse-engineering write-up and are included for completeness.

TypeIndicator
Extension IDidgpnmonknjnojddfkpgkljpfnnfcklj
Version7.0.18
Network (exfil)outbound POST to api.stanfordstudies.com/app/log
Domainapi.stanfordstudies.com, stanfordstudies.com
Disguised filedayjs.min-*.js (data-collection SDK)
Related file (as reported)background-94ad634d.js
Hardcoded AES key (as reported)aWfU3yG_wksZaQdSnxPJBOId0cAN8KK/UIlZbli7-bE
Fingerprint salt (as reported)mod盐header

Reported behavior: domain-only collection (not full URLs, not cookie values, not passwords), AES-GCM encryption, one batched upload per day on a per-device randomized schedule, and no remote-code-execution / no external script loading.

FAQ

Was my browsing data actually stolen?

Per the researchers who reversed build 7.0.18, the collector shipped dormant behind an empty allowlist, so in their test environment nothing was sent out. But the endpoint, key and scheduler were all present, so a later update could have activated it. Treat it as a real exposure risk rather than a confirmed leak: remove it, clear its data, and rotate secrets you pasted into it.

Chrome already disabled it — am I done?

Not quite. Disabling stops it from running but doesn't delete its locally cached data (reported to reach well over 100 MB of stored headers, tokens and cookies). Remove it fully and delete the leftover storage folders in Step 3.

Which version was affected?

Researchers attributed the hidden SDK to build 7.0.18 (ID idgpnmonknjnojddfkpgkljpfnnfcklj). Google flagged and disabled it and Microsoft pulled it from Edge in early July 2026.

What should I use instead?

Pick a header editor that is lightweight, MV3-native, ad-free, does no analytics, and asks only for the permissions it needs. VibeHeader is built that way (and is being open-sourced so it can be audited); Requestly and Header Editor are other maintained options for heavier rule engines.

If you need a header editor to replace it

You'll still need to modify headers for testing — so the practical question is what to trust next. The checklist that matters: a small, focused feature set; Manifest V3 native; no ads and no analytics; permissions you can actually reason about; and a sharing model that doesn't route your configs through someone else's server.

VibeHeader was built to that spec: no ads, no tracking, and link-based sharing that encodes the config in the URL fragment (#c=) so it's processed in your browser and nothing is sent to a server. It's also being open-sourced, so you won't have to take our word for it. For the fuller story and other maintained options, see the founder's take and the ModHeader alternatives comparison.

The VibeHeader extension UI: a clean list of HTTP header rules with a share-link button, no ads
VibeHeader: a focused header editor with one-click link sharing, no ads and no analytics.

No pressure — the goal of this page is to help you clean up safely, whatever you switch to.

Sources

All claims about ModHeader on this page are attributed to Google, Microsoft, and the researchers linked above. Indicators marked "(as reported)" originate from the HackIndex write-up and were not independently re-verified by us.