The extension logic remains exactly the same however. The extensions using the Day.js variant are newer, and the code has been obfuscated more thoroughly here. The WebExtension Polyfill variant appears to be older: the extensions using it usually had their latest release end of 2021 or early in 2022. It downloads data from and stores the mangled timestamp in localStorage.locale.īoth variants keep the code of the original module, the malicious code has been added on top. The second variant masquerades as Day.js library.The “config” download address is, and the mangled timestamp preventing downloads within the first 24 hours is localStorage.polyfill. First variant masquerades as Mozilla’s WebExtension browser API Polyfill.
#Microsoft edge dark mode pdf pdf
I couldn’t find any other extension using the same code as PDF Toolbox, but the two variants I discovered now are very similar. There is a detailed discussion of the malicious code in my previous article. It’s based on a sample of roughly 1,600 extensions that I have locally, not all the Chrome Web Store contents. Note that this list is unlikely to be complete. These eight extensions are considerably different from the rest, so I published a follow-up blog post discussing the technical aspects here.
#Microsoft edge dark mode pdf update
Update (): All but eight of these extensions have been removed from Chrome Web Store. So now we are at 34 malicious extensions and 87 million users.
With his help I was able to identify yet another variant of this malicious code and a bunch more malicious extensions.
Also, Lukas Andersson did some research into manipulated extension ratings in Chrome Web Store and pointed out that other extensions exhibited similar patterns in their review. Update (): With an increased sample I was able to find some more extensions. The most popular of these extensions are Autoskip for Youtube, Crystal Ad block and Brisk VPN: nine, six and five million users respectively. So now we are at 18 malicious extensions with a combined user count of 55 million. And I found more extensions in Chrome Web Store which are using it. I checked it out and found two other versions of the same malicious code. It even gained a considerable number of users after I published my article.Ī reader tipped me off however that the Zoom Plus extension also makes a request to serasearchtopcom. Despite reporting the issue to Google via two different channels, the extension remains online. Two weeks ago I wrote about the PDF Toolbox extension containing obfuscated malicious code.
0 kommentar(er)
