
Monetized Browser Extensions Covertly Turn Nearly 1 Million Browsers into Website-Scraping Bots


A recent security review has revealed that a substantial set of browser extensions—across Chrome, Firefox, and Edge—has quietly altered how browsers handle web content, turning normal user sessions into a distributed network for website scraping. The finding involves 245 extensions with nearly 909,000 downloads, developed for a variety of everyday tasks such as managing bookmarks, controlling clipboards, boosting audio output, and generating random numbers. What ties these extensions together is their inclusion of a common open-source JavaScript library called MellowTel-JS, which is designed to monetize the extension ecosystem by leveraging users’ browsing activity and bandwidth. The implications are serious: a monetization model that may quietly redirect browser behavior and expose users to new security and privacy risks, potentially affecting individual users and enterprise networks alike.

Scope of the finding: extensions, downloads, and monetization through MellowTel

The discovery centers on a cohort of 245 browser extensions that have been made available for Chrome, Firefox, and Edge. Together, these extensions have accumulated close to one million downloads, signaling a broad reach across the installed base of users. The reported functions of these extensions vary widely—from practical utilities like bookmark and clipboard management to enhancements for media playback and even random number generation. The unifying feature linking these seemingly disparate tools is their integration of MellowTel-JS, an open-source library that developers can embed within their extensions to monetize traffic and bandwidth.

The basic premise, as described by the researcher who performed the analysis, is that the MellowTel library is used to facilitate monetized traffic by distributing user requests to a pool of participating browsers. Paying customers—ranging from advertisers to data aggregators—specify the destinations or websites they want to access. The library then uses the extension’s already-installed user base to fulfill those requests. In effect, the browser extensions function as a pool of load-bearing agents that can access chosen endpoints on the internet, ostensibly on behalf of the paying client. This model allows the library and its developer ecosystem to generate revenue while leveraging the end users’ normal browsing sessions, ostensibly without requiring additional software installation beyond the extension itself.

From the developer’s perspective, revenue is split with MellowTel taking a substantial share. The publicly stated arrangement is that extension developers receive roughly 55 percent of the revenue generated, with MellowTel retaining the remainder. This financial structure is a core part of the incentive for developers to participate, as it promises ongoing income tied to user engagement and traffic. The monetization narrative is framed by proponents as a more efficient means of accessing publicly available data from websites in a cost-effective manner. Yet critics and researchers contend that the model relies on weakening or bypassing standard browser protections, raising concerns about user consent, transparency, and the potential exposure of sensitive browsing activity.

The findings also highlight a critical link to a separate company named Olostep, which describes itself as offering a “world’s most reliable and cost-effective Web scraping API.” Olostep positions its service as capable of avoiding typical bot-detection mechanisms and can parallelize an enormous number of requests in a short period of time. The arrangement appears to function in concert with MellowTel: paying customers supply the specific browser locations to access targeted web pages, and Olostep leverages the installed base of MellowTel-enabled extensions to fulfill those requests. This triad—MellowTel as the library integrated into extensions, Olostep as the data-access layer, and the paying customers as beneficiaries—forms the core orchestration behind the reported scraping activity.

What the researcher observed after a careful review of the MellowTel codebase was a strong suggestion that the scraping requests from Olostep could be distributed to any active extension that has integrated the MellowTel library. In other words, the library’s distributed architecture enables the monetization framework to scale across a broad set of endpoints by piggybacking on the existing user-installed extensions. The practical upshot is that the consumer’s browser, which was installed to perform routine tasks, could be harnessed to retrieve publicly available data from multiple websites—potentially in a way that users neither anticipated nor could directly control.

The network implications of this arrangement extend beyond mere data collection. MellowTel’s approach involves dynamic interactions that affect how a browser loads and renders pages. The library’s presence in an extension means it can alter how requests are issued, which sites are loaded, and how responses are processed. This has the potential to impact page load times, user experience, and the integrity of the content being displayed. It also raises questions about the boundaries of permission-based access in a browser ecosystem that relies on user consent and clearly defined security models to prevent unauthorized data access and manipulation.

How the technology reshapes browser behavior: the underlying architecture and permissions

Central to this development is the technical architecture that enables MellowTel to function within the browser environment. The library is embedded in extensions and interacts with the browser’s event model and networking stack. At the core is a permission model that extensions already rely on, particularly the ability to modify web requests and responses as they occur. This level of control is granted through a permission that extension manifests declare as declarativeNetRequest. In practice, entries in the extension’s manifest declare the kinds of network events the extension is allowed to observe or modify. When the MellowTel library is present, these permissions can be leveraged to alter how a web page is fetched, how its content is delivered, and whether the security headers that servers attach to their responses still reach the page.

Researchers point out that the library reportedly requests access to modifications that enable the dynamic removal of security headers on web responses, with the explicit intent of reinserting them after the page has loaded. This kind of runtime alteration has the potential to weaken the browser’s defensive posture, thereby exposing the user to a broader array of vulnerabilities, including cross-site scripting and other injection-based attacks that would ordinarily be mitigated by robust header policies. The practical effect is that, while a user is interacting with a familiar site, the underlying requests could be guided in ways that bypass standard protections, enabling a broader attack surface for attackers who can tap into the authorized extension environment.

Additionally, the architecture includes a real-time communication channel via a websocket connection to an Amazon Web Services (AWS) server. This connection is described as transmitting essential telemetry data about the extension user’s environment—such as the user’s approximate location, available bandwidth, periodic heartbeat signals, and status indicators. The existence of this continuous telemetry channel has implications for user privacy, since it means a central server can accumulate ongoing runtime and performance metrics from a wide array of browsers across the user base. When combined with the iframe injection mechanism, the network layer becomes a conduit through which a hidden layer of content can load within the user’s current browsing session without their explicit awareness.

The iframe injection component is particularly critical to understanding the potential risk. The library, via the AWS-provisioned control plane, can direct the extension to surface a hidden iframe within the user’s current page. This iframe can point to a curated list of websites, effectively loading additional content in the background and outside the visible portion of the user’s browsing context. Because the iframe is injected into the user’s active page, it can be challenging for users to discern what content is being opened, which websites are being loaded, and how those sites are being used in the broader scraping operation. The combination of a live websocket-based control plane, dynamic header manipulation, and covert iframe loading creates a complex threat surface that blends legitimate extension functionality with covert data access and potential data exfiltration.
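The hidden-iframe behaviour described above can be checked from the page side, because frames injected into a page's DOM are visible to anything that can inspect that DOM. This added example (not from the original article or from MellowTel) classifies a snapshot of a page's iframes; the record shape, function names, example hosts and allowlist are assumptions, and the sample snapshot is constructed.

```javascript
// Added example: flag iframes that are invisible AND point at an origin the
// page does not expect. Works on plain records so it also runs outside a browser.

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return null; }
}

// Why a frame counts as not visible to the user.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === "none") reasons.push("display:none");
  if (f.visibility === "hidden" || f.visibility === "collapse") reasons.push("visibility");
  if (Number(f.opacity) === 0) reasons.push("opacity:0");
  if (f.width <= 1 || f.height <= 1) reasons.push("size<=1px");
  if (f.right < 0 || f.bottom < 0) reasons.push("off-screen");
  return reasons;
}

// expectedOrigins: third parties the page embeds on purpose (hypothetical allowlist).
function findCovertFrames(frames, pageUrl, expectedOrigins = []) {
  const allowed = new Set([originOf(pageUrl), ...expectedOrigins]);
  return frames
    .map((f) => ({ src: f.src, origin: originOf(f.src, pageUrl), reasons: hiddenReasons(f) }))
    .filter((r) =>
      r.reasons.length > 0 &&      // the user cannot see it
      r.origin !== null &&         // src parsed as a URL
      r.origin !== "null" &&       // skip about:blank and other opaque origins
      !allowed.has(r.origin));     // and the page did not ask for it
}

// In a browser, build the records from the live DOM (not called here).
function snapshotFrames(doc, win) {
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = win.getComputedStyle(el);
    const box = el.getBoundingClientRect();
    return { src: el.src, display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
             width: box.width, height: box.height, right: box.right, bottom: box.bottom };
  });
}

// Constructed snapshot of a page at a placeholder URL.
const PAGE_URL = "https://intranet.example/dashboard";
const SAMPLE_FRAMES = [
  { src: "https://player.example/embed/42", display: "block", visibility: "visible",
    opacity: "1", width: 800, height: 450, right: 820, bottom: 600 },
  { src: "https://shop.example/item/1", display: "none", visibility: "visible",
    opacity: "1", width: 0, height: 0, right: 0, bottom: 0 },
  { src: "/sso-refresh", display: "none", visibility: "visible",
    opacity: "1", width: 0, height: 0, right: 0, bottom: 0 },
  { src: "about:blank", display: "none", visibility: "visible",
    opacity: "1", width: 0, height: 0, right: 0, bottom: 0 },
];

console.log(findCovertFrames(SAMPLE_FRAMES, PAGE_URL, ["https://player.example"]));
```

Hidden third-party frames also have legitimate uses, so a hit is a prompt to identify which script or extension created the frame, not a verdict by itself.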

On the developer side, MellowTel’s model emphasizes a revenue-share arrangement and a philosophy of leveraging bandwidth rather than collecting personally identifiable data directly through affiliate links or intrusive ad networks. The founder has described the library’s aims as a way to harness user bandwidth for paying customers while avoiding the clutter of tracking pixels and personally identifiable data. However, the practical reality cited by researchers is that the library’s permission model and network behavior can create an environment in which browsing protections become more malleable and less predictable. The tension between legitimate data access for public information and the risk of leaking or exposing sensitive user data is at the heart of the security debate surrounding these extensions.

In terms of access control and user transparency, there is an essential concern about whether ordinary end users can reliably tell which sites their extensions are opening or loading in the background. The hidden iframe mechanism and the potential manipulation of security headers make it difficult for users to determine what is happening behind the scenes. The risk is amplified in enterprise environments where IT teams implement strict policies governing which scripts and code can run within corporate browsers and networks. If a widely deployed extension stack includes a library that can modify requests and inject hidden content, it can undermine the security posture that organizations have painstakingly established to protect sensitive data, internal communications, and intellectual property.

From a regulatory and ethical standpoint, the situation underscores a growing need for greater transparency in extension governance, especially for libraries that serve monetization purposes. The broader concern is whether the benefits of monetization via such extensions outweigh the potential safety tradeoffs for users. On one hand, the revenue model could complement open-source development and drive innovation in browser tools. On the other hand, the potential for misuse—whether intentional or inadvertent due to misconfiguration—could erode trust in a thriving extension ecosystem and prompt calls for stricter review processes, clearer disclosure of permissions, and stronger containment of what extensions can and cannot do in a browser’s security architecture.

In sum, the technology stack underpinning these extensions demonstrates how a monetization-centric library can operate within the standard extension permission model while quietly reconfiguring the browser’s behavior. The practical implications touch on user privacy, data security, and enterprise risk, calling for a careful balancing act between enabling beneficial extensions and maintaining robust protections that shield users from covert data access and security header manipulation. As researchers continue to monitor the ecosystem, the onus remains on developers to design with explicit transparency, and on platform vendors to enforce stringent controls that prevent abuse of extension permissions while preserving the flexibility that has made browser extensions a powerful tool for productivity and personalization.

Privacy and security implications for users

The core concern voiced by researchers is that users who install MellowTel-enabled extensions may be unwitting participants in a broader scraping operation that extends beyond the explicit utility promised by the extension’s description. The combination of a hidden websocket, a covert iframe, and the ability to modify web requests at runtime creates a multifaceted risk profile. First, the telemetry data being collected through the websocket includes user-level information that could be used to reconstruct browsing patterns, infer interests, and correlate activity across multiple sites. Even when a user believes they are simply managing bookmarks or adjusting audio settings, the underlying traffic and session metadata could be captured by the service operators and, in turn, made available to paying customers.

Second, there is the risk of content loading that users do not recognize or approve. The hidden iframe may point to a list of websites that the user did not intend to visit, or that the user would not have chosen to interact with under normal browsing conditions. The invisibility of this content makes it exceptionally challenging for users to observe or intervene, thereby increasing the likelihood that sensitive or restricted sites could be accessed through the extension’s network of fake or misrepresented page loads. This dynamic is particularly troubling in contexts where content is tightly regulated, such as corporate environments or certain regulatory domains, where unauthorized access to specific sites could trigger compliance flags or security incidents.

From a privacy standpoint, there is a twofold risk: first, the extension can facilitate the collection of non-sensitive data that is nonetheless valuable for profiling and monetization purposes; second, and more alarmingly, the combination of request modification and iframe injection could open vectors for injecting malicious payloads or for exfiltrating data to external servers. The library’s described purpose—sharing users’ bandwidth without embedding trackers or collecting personal data—appears to be at odds with the practical reality of traffic distribution to external endpoints and the potential to intercept or alter content during transmission. In effect, the extension ecosystem could be transforming everyday browsing into a form of covert data exchange with a third-party network, all under the guise of legitimate functionality.

Users may face degraded security postures as well. Web security headers such as Content-Security-Policy and X-Frame-Options are intended to shield pages from unauthorized content and framing. If an extension with MellowTel capabilities can dynamically modify these headers or the rules governing how content is framed, the web page’s defenses can be weakened mid-session. This erosion of protective measures can introduce opportunities for cross-site scripting or other content-based attacks that would usually be mitigated by proper header configurations. In practice, this could translate into a less predictable browsing experience, with legitimate sites inadvertently opened in contexts that expose unanticipated scripts or third-party content loaded through the extension’s control plane.

The privacy and security implications carry substantial weight for individual users who value control over their online activity. Even if a fraction of users opt into extensions under the assumption that the software simply helps with productivity, the reality of background scraping, bandwidth monetization, and dynamic header manipulation introduces a different risk profile that could compromise personal information, session integrity, and overall digital security. The broader industry impact is equally important: if millions of users are exposed to such risks, the potential for widespread privacy breaches and security incidents scales up dramatically, prompting discussions about safer extension design, more rigorous moderation, and stronger safeguards within browser ecosystems.

Enterprise and network security implications

The implications for businesses and organizational networks are particularly pronounced. Enterprise environments typically implement layered defenses designed to protect sensitive data, prevent data loss, and control the execution of third-party code. When a large family of browser extensions operates with a library that can alter network requests and load hidden content in sessions used for business tasks, it becomes a question of whether corporate security controls can reliably detect and mitigate such activity. The presence of a web-scraping capability that can be invoked from widely deployed extensions introduces an additional choke point in the network security model. It may blur lines of responsibility between individuals’ devices and the enterprise’s perimeter defenses, especially if employees use personal devices or bring-your-own-device policies allow broader extension installation.

From a risk management perspective, the possibility that enterprise networks could be used to access publicly available data through a distributed extension-based scraping operation is a concern for several reasons. First, the activity could consume significant network and computing resources, impacting performance and potentially triggering misuse alarms or rate-limiting on websites that are not intended to be accessed at scale. Second, the ability to bypass certain security protections via manipulated headers undermines the network’s hardening measures—a problem for security teams tasked with enforcing strict Content Security Policies, transport protections, and endpoint hardening. Third, if organizations permit extensions that load external content in the context of corporate pages, there is a real risk that sensitive corporate data could be exposed through hidden iframes or misconfigured requests, even if those pages themselves are not intended to access external resources. This risk extends to data leakage concerns, where business documents, internal communications, or dashboards could inadvertently be loaded or scraped in ways that bypass data loss prevention (DLP) controls.

Companies should conduct a thorough inventory and risk assessment of browser extensions deployed across their networks. That involves identifying which extensions rely on MellowTel or similar libraries, evaluating the permissions requested by each extension, and determining whether any of the extensions’ capabilities could be exploited to access or relay corporate data to third parties. It also means reviewing the network’s security posture to ensure that any dynamic request modifications do not undermine existing safeguards such as strict CSP, robust cross-origin protections, and careful session management. Security teams may consider implementing stricter controls around extension installation, applying whitelisting where feasible, and ensuring that enterprise devices operate within a controlled environment where the installation and execution of extensions are subject to centralized governance.
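As a starting point for the inventory step above, and for the declarativeNetRequest permission model described earlier, the following added example (not code from MellowTel, the researcher, or any browser vendor) triages unpacked extensions by manifest permissions, static rulesets, and references to runtime rule APIs. The input shape, finding labels and the three sample extensions are constructed for illustration; declarativeNetRequest, modifyHeaders, updateDynamicRules and updateSessionRules are real extension API names.

```javascript
// Added example: static triage of unpacked extensions. Names and sample
// data are constructed; this is not MellowTel's or a browser vendor's code.
const SECURITY_HEADERS = new Set(["content-security-policy", "x-frame-options"]);
const DNR_PERMISSIONS = new Set(["declarativeNetRequest", "declarativeNetRequestWithHostAccess"]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RUNTIME_RULE_APIS = ["updateDynamicRules", "updateSessionRules"];

// Every modifyHeaders rule that removes a protective response header.
function headerRemovals(rules) {
  const hits = [];
  for (const rule of Array.isArray(rules) ? rules : []) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (h.operation === "remove" && SECURITY_HEADERS.has(name)) {
        hits.push({ ruleId: rule.id, header: name });
      }
    }
  }
  return hits;
}

// ext = { manifest: {...}, files: { "relative/path": "file content as text" } }
function auditExtension(ext) {
  const m = ext.manifest || {};
  const files = ext.files || {};
  const perms = [...(m.permissions || []), ...(m.optional_permissions || [])];
  // MV2 lists host patterns under permissions, MV3 under host_permissions.
  const hosts = [...perms, ...(m.host_permissions || []), ...(m.optional_host_permissions || [])];
  const findings = [];
  const hasDnr = perms.some((p) => DNR_PERMISSIONS.has(p));
  const broadHosts = hosts.some((h) => BROAD_HOSTS.has(h));
  if (hasDnr) findings.push("dnr-permission");
  if (broadHosts) findings.push("broad-host-access");
  // A content script on every site is what can place a frame in any page.
  if ((m.content_scripts || []).some((cs) => (cs.matches || []).some((p) => BROAD_HOSTS.has(p)))) {
    findings.push("content-script-all-sites");
  }
  // Static rulesets shipped in the package can be read directly.
  let removals = [];
  for (const res of (m.declarative_net_request || {}).rule_resources || []) {
    try {
      removals = removals.concat(headerRemovals(JSON.parse(files[res.path] || "[]")));
    } catch (err) {
      findings.push("unparseable-ruleset:" + res.path);
    }
  }
  if (removals.length) findings.push("static-security-header-removal");
  // Rules installed at runtime are not in any ruleset file; look for the API names.
  const runtimeHeaderRules = Object.entries(files).some(([path, text]) =>
    /\.m?js$/.test(path) &&
    RUNTIME_RULE_APIS.some((api) => text.includes(api)) &&
    text.includes("modifyHeaders"));
  if (runtimeHeaderRules) findings.push("runtime-header-rules");

  let verdict = "ok";
  if (hasDnr && broadHosts) verdict = "review";
  if (removals.length || (hasDnr && broadHosts && runtimeHeaderRules)) verdict = "escalate";
  return { name: m.name || "(unnamed)", verdict, findings, removals };
}

// Constructed sample extensions (none is a real product).
const SAMPLES = [
  { manifest: { name: "Bookmark Sorter", manifest_version: 3, permissions: ["bookmarks", "storage"] }, files: {} },
  {
    manifest: {
      name: "Simple Ad Filter", manifest_version: 3,
      permissions: ["declarativeNetRequest"], host_permissions: ["<all_urls>"],
      declarative_net_request: { rule_resources: [{ id: "block", enabled: true, path: "rules/block.json" }] },
    },
    files: { "rules/block.json": JSON.stringify([{ id: 1, priority: 1, action: { type: "block" }, condition: { urlFilter: "||ads.example^" } }]) },
  },
  {
    manifest: {
      name: "Volume Booster", manifest_version: 3,
      permissions: ["declarativeNetRequest", "storage"], host_permissions: ["<all_urls>"],
      content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], all_frames: true }],
      declarative_net_request: { rule_resources: [{ id: "frames", enabled: true, path: "rules/frames.json" }] },
    },
    files: {
      "rules/frames.json": JSON.stringify([{
        id: 1, priority: 1, condition: { resourceTypes: ["sub_frame"] },
        action: { type: "modifyHeaders", responseHeaders: [
          { header: "X-Frame-Options", operation: "remove" },
          { header: "Content-Security-Policy", operation: "remove" },
        ] },
      }]),
      "background.js": "/* constructed stub */ chrome.declarativeNetRequest.updateSessionRules({ addRules: r }); // r uses modifyHeaders",
    },
  },
];

function auditAll(exts) { return exts.map(auditExtension); }
console.log(JSON.stringify(auditAll(SAMPLES), null, 2));
```

The string match on API names is a coarse signal: rules added at runtime never appear in a static ruleset, so the permission combination alone is enough to put an extension on the review list.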

Beyond technical controls, governance considerations are paramount. Enterprises may need to update policy documents so that employees understand how browser extensions are evaluated, what kinds of data can be accessed or transmitted, and what constitutes acceptable use in a corporate context. Training and awareness programs can help users recognize when a tool might be acting in ways that deviate from the stated purpose, and incident response processes should be prepared to identify and remediate any extension-driven security events quickly. In addition, IT security teams might explore implementing endpoint security solutions capable of detecting anomalous extension behavior, particularly behaviors that involve unexpected changes to HTTP headers, the injection of iframes into pages, or the establishment of outbound connections to cloud services associated with scraping operations.

Another layer of enterprise risk pertains to regulatory compliance. If a business operates in regulated industries or jurisdictions with strict data-privacy rules, the presence of extension-driven scraping activities could put the organization at risk of non-compliance, particularly if any data accessed or scraped is subject to protection under laws governing personal data or trade secrets. The possibility that a large number of endpoints across the organization could participate in or enable scraping activities accentuates governance challenges and underscores the need for formal risk assessment and compliance review when selecting or deploying third-party browser extensions.

In essence, the enterprise landscape is particularly sensitive to these developments because the same mechanics that power user productivity tools can be repurposed in ways that complicate security and compliance. This underscores the importance of proactive governance, careful extension vetting, and the establishment of robust, defense-in-depth strategies to ensure that the benefits of browser extensions do not come at the expense of organizational security and integrity.

Historical context and current status: lessons from past exposures and the present landscape

The concerns surrounding MellowTel-enabled extensions echo earlier episodes in which browser extension ecosystems revealed significant privacy and security vulnerabilities. A notable precedent from the past involved an analysis that identified browser extensions installed on millions of devices that collected users’ every movement on the web and shared those observations with external customers. The operation highlighted how a combination of broad permissions, questionable data handling practices, and a lack of transparency could enable extensive data collection at scale. The fallout from that incident underscored the risks of relying on third-party extensions for essential browser functionality, especially when monetization or data access becomes a primary driver of extension behavior.

The parallel with earlier events emphasizes the importance of supporting a secure extension ecosystem through transparency, rigorous review processes, and accountability. In both cases, the risk arises not from a single extension or library but from the cumulative effect of many extensions coalescing around a monetization model that leverages users’ browsing activity. The historical lens also serves as a reminder that even if individual extensions claim to operate without collecting personal data or compromising user privacy, the aggregate behavior of a large extension network can still pose a substantial risk if the underlying architecture allows for covert data flows, dynamic request modifications, and cross-origin content loading.

The present update shows that the issue remains dynamic, with real-time changes in the extension landscape. In the reported status snapshot, the number of affected extensions varies by browser and by updates issued by extension authors. Across Chrome, a portion of known extensions has become inactive or been removed due to malware concerns, while other extensions have chosen to remove or replace the MellowTel library in more recent updates. Similar patterns are reflected in Edge and Firefox, where a subset of extensions that previously incorporated the library have transitioned to new configurations or ceased using the library altogether. These shifts illustrate the fluid nature of browser extension ecosystems and the ongoing need for continuous monitoring and rapid incident response when security concerns arise.

The broader takeaway from this history is clear: the browser extension ecosystem, while powerful and versatile, requires ongoing vigilance from researchers, platform vendors, developers, and users. Previous episodes demonstrated that once a security or privacy risk becomes visible at scale, it demands coordinated response—from security researchers publishing findings to platform owners enforcing stricter review processes and developers updating their code to remove risky dependencies. For users and organizations, this history reinforces the importance of adopting safer extension practices, conducting regular audits of installed addons, and prioritizing extensions that follow best practices for data minimization, explicit consent, and transparent disclosure of network activity.

Status updates and what’s changed: a snapshot of affected extensions across browsers

In the wake of the findings, the ecosystem is seeing tangible changes in the status of affected extensions. Among Chrome extensions, a portion of the 45 known Chrome extensions has become inactive. Some of these have been taken offline due to explicit malware concerns, while others have chosen to remove the MellowTel library from their codebase in subsequent updates. This reflects an active response by developers or platform maintainers to mitigate risk and align with evolving security expectations. In the Edge ecosystem, 129 extensions were identified as incorporating the MellowTel library, with eight of them currently inactive. For Firefox, out of 71 affected extensions, two are reported as inactive. The pattern across browsers indicates a concerted effort by developers to purge or replace potentially risky components, which is a positive signal for users who depend on safer extension environments.

The current status also includes a broader sense that some extensions remain in circulation, albeit with revised configurations that do not rely on the library, or that have modified the library’s integration to minimize risk. While the exact list of extensions and their current statuses may evolve with new updates, the documented trend demonstrates a recognition of risk and a willingness among some developers and platform operators to address it. This dynamic environment reinforces the importance for users to audit their installed extensions regularly, especially those that offer functionality that could intersect with web scraping, bandwidth monetization, or dynamic request manipulation.

For organizations, the implication is clear: maintain a rolling inventory of browser extensions in use, with a focus on those that solicit broad permissions or those that have dependencies on external code libraries. Establishing a routine to verify that extensions are up to date, that they do not embed web-scraping capabilities, and that they do not engage in behaviors that could undermine security headers or inject hidden content is essential. IT teams should also consider implementing controls that limit the deployment of extensions to those that have been vetted for security, privacy, and compliance with corporate policies.

Beyond the immediate status updates, the broader takeaway for the industry is that the ecosystem is capable of rapid adaptation. When concerns are raised, developers, platform owners, and researchers can coordinate to reduce risk by deactivating, removing, or reconfiguring risky components. The ongoing monitoring of extensions, the sharing of findings among researchers, and the deployment of mitigations by platform vendors all contribute to a more resilient and safer extension landscape. This ongoing effort is essential given the scale of extension usage and the potential for cross-browser impact when a single library or approach becomes widely adopted across multiple browsers.

Defensive guidance: how developers, users, and organizations can respond

To reduce the risk associated with such extensions and to safeguard user privacy and enterprise security, several actionable steps emerge for different stakeholders. For developers, the guidance centers on transparency and conservative permission usage. Extensions should minimize the scope of necessary permissions and clearly disclose the purpose of any network-related capabilities. If a library like MellowTel is employed, its data flows and endpoints should be auditable, and users should be informed about how data is collected, stored, and used for monetization. Importantly, any integration that modifies security headers or injects content into a page should be avoided unless there is a clear, user-consented rationale and robust controls to prevent abuse. Documentation should explicitly state what endpoints are fetched, what data is transmitted, and what safeguards exist to prevent data leakage or unauthorized access.

For platform vendors and security teams, enforcement and governance are critical. Strengthening extension review processes to detect library dependencies that enable automated scraping or that alter security headers would help mitigate risk. Implementing stricter default permissions, and encouraging or requiring developers to demonstrate safe integration practices, can foster a healthier ecosystem. Platform operators might also consider adding runtime monitors that detect anomalous extension behavior—such as unexpected network requests, unusual header modifications, or unexpected iframe injections—so that suspicious activity can be flagged and investigated promptly. In addition, a more explicit and user-friendly disclosure about third-party data handling in extensions would help users make informed choices about the tools they install.

For users and organizations, practical precautions can significantly reduce exposure. Users should be selective about the extensions they install, prioritizing those with strong reputations, transparent data practices, and clear permission disclosures. Regularly auditing installed extensions, disabling or removing those that are unnecessary or suspicious, and keeping all software up to date are foundational steps. Enterprises, in particular, should implement governance over extension deployment, through controlled enterprise app stores, pre-approved extension catalogs, and centralized enforcement of security and privacy policies. In corporate environments, IT teams can enforce restrictions that prevent the installation of extensions that have broad or ambiguous permissions or that have not been vetted against known risk patterns.

From a broader perspective, the incident underscores the importance of ongoing scrutiny of extension ecosystems and the need to evolve defense strategies. Researchers and security professionals should continue to analyze extension libraries for patterns that could undermine browser security and user privacy. Policymakers and industry groups may also consider establishing guidelines for responsible monetization in extension development, including requirements for clear disclosure of data use, robust data minimization practices, and standardized reporting mechanisms for security incidents involving extensions. The collaboration among researchers, developers, platform owners, and users is essential to ensure that the benefits of browser extensions—productivity, customization, and enhanced functionality—do not come at the cost of user privacy, security, or enterprise integrity.

Conclusion

The discovery of nearly 1 million devices affected by a monetization-driven extension ecosystem that leverages MellowTel-JS to facilitate web scraping underscores a critical tension in modern browser security. On one hand, extensions empower users by extending functionality and enhancing productivity; on the other hand, a subset of these tools can quietly manipulate network behavior, load covert content, and expose users to privacy risks and security vulnerabilities. The involvement of a prominent scraping service and the use of dynamic header manipulation and background content loading illustrate how a legitimate-seeming utility can become part of a larger, potentially harmful data flow. The swift status changes across Chrome, Edge, and Firefox—where some extensions have been deactivated or have removed the library—signal a responsive ecosystem that is capable of addressing these concerns when confronted with credible risk analysis.

For individuals, workers, and organizations alike, the prudent path forward is to treat extension usage as a governance issue rather than simply a convenience feature. A combination of informed consent, transparent data practices, strict permission controls, and proactive security monitoring can help preserve the value of extensions while mitigating exposure to scraping, data leakage, and security header manipulation. As the browser landscape continues to evolve, stakeholders must maintain vigilance, enforce safer development practices, and promote a culture of transparency to ensure that the expansion of browser capabilities does not outpace the safeguards designed to protect users, their data, and the integrity of enterprise networks.