@WPalant@infosec.exchange
Published a new article: Malicious extensions circumvent Google's remote code ban
https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/
Looking at 60 malicious extensions belonging to three groups here, still running remote code despite Google banning it in Manifest V3. "Fun" fact: some of these extensions have been featured on my blog in 2023, others on McAfee's in 2022.
Recurring pattern: downloading rules and adding them to declarativeNetRequest API. The abuse potential here is enormous, including injecting malicious scripts into websites.
Only one extension went for essentially a custom programming language, others settled with simpler approaches. Luckily for me because the latter allows better guesses about what this functionality is meant for. Spoiler: ads and affiliate fraud. Also: affiliate fraud and ads.
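
For reviewers looking at the declarativeNetRequest pattern mentioned in the post, the following triage helper is an added example, not code from the post or the linked article. It takes a list of rules in the declarativeNetRequest rule format and reports the ones that can change what a page loads; the risk categories and the sample rules are assumptions constructed for illustration.

```javascript
// Added example: triage declarativeNetRequest rules by what they can do to a page.
// The header list and finding labels are this example's assumptions.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
]);

function auditRule(rule) {
  const findings = [];
  const action = rule.action || {};
  const types = (rule.condition && rule.condition.resourceTypes) || [];
  // Omitted resourceTypes matches every type except main_frame.
  // excludedResourceTypes is ignored here to keep the example short.
  const all = types.length === 0;

  if (action.type === "redirect") {
    if (all || types.includes("script")) findings.push("redirects script requests");
    if (all || types.includes("main_frame") || types.includes("sub_frame"))
      findings.push("redirects frame navigations");
  }
  if (action.type === "modifyHeaders") {
    for (const h of action.responseHeaders || []) {
      const name = String(h.header).toLowerCase();
      if (SECURITY_HEADERS.has(name))
        findings.push(`${h.operation} response header ${name}`);
    }
  }
  return findings;
}

// Returns only the rules that produced at least one finding.
function auditRules(rules) {
  return rules
    .map((r) => ({ id: r.id, findings: auditRule(r) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample rules. Inside an extension the input would come from
// chrome.declarativeNetRequest.getDynamicRules().
const SAMPLE_RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example^", resourceTypes: ["image"] } },
  { id: 2, priority: 1,
    action: { type: "redirect", redirect: { url: "https://cdn.example/lib.js" } },
    condition: { urlFilter: "||shop.example/js/", resourceTypes: ["script"] } },
  { id: 3, priority: 1, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame"] } },
];
console.log(JSON.stringify(auditRules(SAMPLE_RULES), null, 2));
```

A plain blocking rule (id 1) produces no finding, so the output lists only the rules that alter page content or its protections.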