If Chrome or Edge disabled ModHeader or marked it as malware, leave it disabled and remove it. The warning concerns the main Chromium extension IDs, and an independent analysis of Chrome build 7.0.18 found code capable of collecting visited domains and preparing a daily encrypted upload. The important limit is that the collector was dormant in the examined build, and the researcher found no evidence that it uploaded data from the tested profile. Removal is still the safe choice because the extension had broad access and stored sensitive request and response headers locally.
| What you see | What to do |
|---|---|
| Chrome or Edge disabled ModHeader | Do not force-enable or sideload it. Record the ID and version, then remove it. |
| You used version 7.0.18 | Remove the extension and its ID-specific profile storage after closing the browser. |
| You used work, admin, banking, or developer sessions | Review active sessions and rotate credentials from a clean browser when the risk justifies it. |
| The extension came with an installer or keeps returning | Check sync, browser policy, installed apps, tasks, and the Windows system for a separate restoring component. |
Is ModHeader malware?
The safest current verdict is conditional: the named ModHeader Chromium listings should not be trusted or restored after a malware warning, but the public evidence does not prove that every copy actively stole data.
On July 10, 2026, the Chrome listing for ID idgpnmonknjnojddfkpgkljpfnnfcklj no longer served its normal install page and opened an empty item state. The corresponding Edge listing also stopped showing the extension details. Google explains that Chrome disables extensions that are no longer published or that it determines unsafe. Store removal alone does not explain the exact behavior, so the code analysis matters.
HackIndex examined one installed Chrome build, version 7.0.18. Its report describes a hidden pipeline that could collect visited hostnames, encrypt them, assign a persistent fingerprint, and send the data to api.stanfordstudies.com/app/log. However, a hard-coded empty browser allowlist stopped that pipeline in the analyzed build. The same investigation found no upload markers in the tested profile. That distinction matters: the capability was present, but active exfiltration was not observed there.
Which ModHeader version and IDs are involved?
| Browser clue | Identifier to compare |
|---|---|
| Chrome ModHeader, analyzed version 7.0.18 | idgpnmonknjnojddfkpgkljpfnnfcklj |
| Microsoft Edge ModHeader listing | opgbiafapkbbnbnjcdomjaghbckfkglc |
Open chrome://extensions or edge://extensions, enable developer details if necessary, and compare the full 32-character ID. A similar name is not enough. This warning also should not be applied automatically to unrelated Firefox add-ons or other header-testing extensions with different publishers and IDs.
Before deleting anything, note the browser profile, extension ID, version, permissions, and whether the browser says the item was installed by policy. Gridinsoft’s browser extension safety checklist explains why broad access can be legitimate for a developer tool while still creating serious privacy consequences when trust breaks.
What data may be at risk?
The dormant pipeline described in the analysis targeted hostnames, not full page paths, cookies, or page content. The report did not find credential theft or remote code execution in that upload path. It also found something separate that deserves attention: ModHeader’s local history feature had stored full HTTP request and response headers in the examined browser profile.
Headers can contain authorization tokens, session cookies, internal hostnames, API endpoints, and other developer or account context. The report says this header history stayed local on the tested system. Local-only storage is not the same as theft, but it raises the impact of profile access, backups, shared computers, and later malware. Developers who used ModHeader on staging panels, internal dashboards, cloud consoles, or production admin pages should treat the browser profile as potentially sensitive.
How to remove ModHeader from Chrome or Edge
- Leave the extension disabled. Do not use Developer mode to reload it and do not download an archived CRX or ZIP from a third-party extension database.
- Record the clues. Save the extension ID, version, browser profile name, permissions, and the wording of the warning. On a work-managed browser, contact the administrator before changing policy or profile files.
- Pause browser sync temporarily. This prevents another signed-in device or an old profile from restoring the extension while you clean it.
- Remove ModHeader in the browser UI. Use the Remove button on
chrome://extensionsoredge://extensions. - Close every browser process. Exit Chrome or Edge completely and verify in Task Manager or Activity Monitor that background browser processes have stopped.
- Remove only the ID-specific residual storage. Use the paths below. Do not delete the entire browser profile.
- Restart the browser and recheck extensions. If ModHeader returns, keep sync paused and follow the returning browser extension cleanup guide for policy, sync, app, startup, and scheduled-task checks.
Remove residual ModHeader browser storage
Back up the profile before editing it, and replace <Profile> with the affected folder such as Default or Profile 1. Delete only folders whose name contains the exact ModHeader extension ID.
For Chrome on Windows, start under:
%LOCALAPPDATA%\Google\Chrome\User Data\<Profile>
For Edge on Windows, start under:
%LOCALAPPDATA%\Microsoft\Edge\User Data\<Profile>
Check these profile subfolders for the matching ID:
Extensions\<extension-ID>Local Extension Settings\<extension-ID>Sync Extension Settings\<extension-ID>Managed Extension Settings\<extension-ID>IndexedDB\chrome-extension_<extension-ID>_0.indexeddb.leveldb
On macOS, the analyzed Chrome profile was under ~/Library/Application Support/Google/Chrome/<Profile>. The same rule applies: close the browser, keep a backup, and remove only the exact ID-specific extension and storage entries. Do not wipe all IndexedDB or the whole profile unless you intentionally want a full browser reset.
Should you change passwords or revoke sessions?
Do not assume that every password was stolen. The analyzed pipeline collected hostnames and was dormant, while the local header history remained on disk. Use a risk-based response:
- Higher priority: you used the affected profile for email administration, cloud consoles, source control, CI/CD, corporate SSO, finance, crypto, password management, or production dashboards.
- Higher priority: another person or malware had access to the browser profile, the computer was shared, or profile folders were copied into support bundles or backups.
- Lower priority: ModHeader was installed but disabled, you did not use sensitive signed-in sites in that profile, and there are no other compromise indicators.
For higher-risk profiles, sign out active sessions and rotate important credentials from a clean browser or device. Start with email and identity-provider accounts because they can reset other accounts. Developers should also revoke exposed API tokens, personal access tokens, and test credentials that may have appeared in request headers. Removing the extension does not invalidate an already copied token.
This response is narrower than a confirmed credential-stealing campaign such as StegoAd’s malicious Edge extensions. The evidence for ModHeader 7.0.18 does not establish active cookie or password theft, so avoid panic-driven resets on the same untrusted browser.
When a Windows malware scan is useful
A browser extension can usually be removed without treating the whole PC as infected. A full system check becomes important when ModHeader came with an unknown installer, other extensions appeared without consent, ads or redirects continue, browser policy forces the item back, or you find unfamiliar startup entries, scheduled tasks, services, proxy changes, or downloaded files.
In those cases, removing the visible extension may leave a bundled app, policy, scheduled task, or startup component that restores browser changes. Gridinsoft Anti-Malware can check the Windows system for detections, hidden files, installed bundles, startup entries, scheduled tasks, browser changes, and persistence. It cannot prove that no data was exposed or restore a session token that has already left the device.
If redirects, notifications, extensions, homepage changes, or managed policies return after browser cleanup, the source is often outside the browser: an installed app, policy, scheduled task, or startup entry.
Scan for browser-extension leftoversHow to choose a replacement header tool
Do not replace ModHeader by installing the first alternative promoted in a forum thread. Header tools often need broad access by design, so compare the publisher, source code, update history, permissions, privacy policy, and external connections. Prefer a tool that can limit access to specific test domains and store profiles locally. Remove it when the testing task ends, and never keep production authorization headers in a shared browser profile.
For teams, a separate testing browser profile with no personal accounts is safer than running a header-modification extension beside daily email, finance, and admin sessions. Document the approved extension ID and version so an unexpected publisher or update change is easier to detect.
FAQ
Did ModHeader 7.0.18 upload browsing history?
The independent analysis found code capable of collecting and uploading visited hostnames, but a hard-coded empty allowlist kept the collector dormant in the examined build. The researcher found no upload evidence on the tested profile. That does not prove what happened on every device or future build.
Can I safely re-enable ModHeader?
Not while Chrome or Edge treats the listing as unsafe or unavailable and there is no clear, independently verified resolution. Leave it disabled, remove it, and do not sideload an archived package.
Does removing ModHeader delete its stored headers?
Not necessarily. Browser extension storage can remain after the listing is removed or the extension is disabled. Close the browser and check only the ID-specific profile folders listed above.
Do I need to reinstall Windows?
Not for the extension warning alone. Consider deeper system cleanup only when there are other indicators such as an unknown installer, recurring extensions, forced policy, startup persistence, downloads, or continued ads and redirects.
References
- HackIndex Research. “ModHeader Malware: Inside the Chrome Spyware Google Removed.” HackIndex, accessed July 10, 2026. https://hackindex.io/research/modheader-malware-chrome-spyware
- Google Chrome Web Store Help. “Manage Extensions Disabled by Chrome.” Google, accessed July 10, 2026. https://support.google.com/chrome_webstore/answer/2811969?hl=en
- Google Chrome Web Store. “ModHeader – Modify HTTP Headers,” extension ID
idgpnmonknjnojddfkpgkljpfnnfcklj, accessed July 10, 2026. https://chromewebstore.google.com/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj

