A newly uncovered monetization scheme involving the Mellowtel JavaScript library has turned over a million web browser installations into an unintentional web scraping network, rerouting users' bandwidth to power a distributed infrastructure for commercial data harvesting.
SecureAnnex's security researcher John Tuckner warns that this technology undermines fundamental web security protections while exploiting unwitting users and extension developers.
Tuckner's analysis reveals that Mellowtel, an open-source JavaScript library marketed as a monetization tool for browser extension developers, is being used to covertly inject scraping tasks into users' sessions. Once integrated into an extension, often with no new permissions needed if basic web access is already granted, Mellowtel establishes a persistent WebSocket connection to AWS Lambda endpoints. After a timed delay, the system begins sending back system metrics and eventually loads target websites in hidden iframes via injected content scripts.
SecureAnnex
This behavior was notably observed in an extension called Idle Forest, which presents a benign environmental theme, “start planting,” as a deceptive opt-in mechanism for bandwidth sharing. Behind the scenes, however, the extension acts as a passive scraping node, fetching and returning web content for remote processing. This is accomplished by dynamically removing critical HTTP headers like Content-Security-Policy and X-Frame-Options, thereby bypassing protections meant to prevent unauthorized content loading and injection.
Mellowtel's functionality includes the ability to inject hidden iframes into any visited website, modify web requests and responses using declarativeNetRequest rules, remove security headers that guard against attacks like cross-site scripting (XSS), and parse returned HTML in service workers and exfiltrate data via AWS Lambda endpoints.
The company behind Mellowtel appears to be Olostep, co-founded by Arslan Ali and Hamza Ali. Olostep offers a commercial scraping API advertised as being able to circumvent bot detection and scale parallelized requests globally. The API's functionality matches the behavior observed in Mellowtel-enabled extensions, raising concerns that Olostep is directly leveraging the library to distribute scraping tasks across real user devices.
Olostep claims to vet its clients, but the scale and architecture of the system make it ripe for abuse by threat actors. The use of real browser sessions, potentially behind corporate VPNs or inside private networks, introduces profound risks. These include the potential for unauthorized internal resource access, impersonation of legitimate traffic, and degradation of browser security due to the removal of enforced headers.
Mellowtel's reach is already substantial. As of early July 2025:
- Chrome Web Store: 45 identified extensions, 12 removed by Google
- Microsoft Edge Store: 129 extensions, 121 still active
- Firefox Add-ons: 71 extensions, 69 still active
This points to a current footprint of approximately 1,000,000 active installations across major browsers. Mellowtel's influence also extends to Electron and Flutter apps, and it offers an embeddable website script, making it adaptable beyond browser extensions.
Some developers, such as those behind Perceptron Networks, which recently merged with Blockmesh Networks, openly incentivize users to install Mellowtel-backed extensions in exchange for monetary rewards. The transparency of these arrangements, however, remains questionable.
To protect against this, users should audit installed extensions across all browsers, block known Mellowtel endpoints at the network level (request.mellow.tel), and restrict declarativeNetRequest access and iframe injection through the browser settings.
Leave a Reply