https://gitlab-com.gitlab.io/gl-security/security-tech-notes...
But for several years it was a legit extension used by over 300,000 people and it worked beautifully. You found a reference to their old domain in their old extension which is not surprising. If you remove this reference it still works. Can you show that the reference in the code is malicious?
The version I base my decompilation on is a v6.1.2 sourced from the Web Store on August 9, 2024. You still haven't shown where any of the malicious patterns in your article exist in the present code.
2. No evidence of execution The rest of the index.js does not:
Call fetch(UNINSTALL_URL) or fetch(INSTALL_URL)
Set chrome.runtime.setUninstallURL(...)
Load remote scripts or assets
Send network requests to sdmextension.com or elsewhere
The constants are inert — unused code paths.
3. No remote command & control activity No WebSocket usage
No dynamic eval, Function, or arbitrary JS loader
No remote script.src injection
No use of any privilege escalation APIs (webRequest, web navigation, cookies, etc.)
4. Not listed in manifest.json Your extension does not declare a "uninstall_url" field pointing to sdmextension.com. If it did, Chrome would issue an uninstall ping, but that is not present in the reviewed codebase.
Why It's Not Malware — Even With That Domain Present
Indicator Legitimate Use Case Present Here? Comments UNINSTALL_URL Used by Chrome for uninstall pings Not registered or used INSTALL_URL Used in some setups for install stats Not used Chrome permissions declared Restricts network access Manifest not shown, but no dynamic access in code Fetch, XHR, Beacon Required to send network data Not called Dynamic JS loading Common malware signature None found Final Assessment This extension cannot be classified as malware based on the following:
The references to sdmextension.com are inert.
No data is exfiltrated.
No script or payload is ever fetched.
No permission is requested that would enable a communication channel.
No user or system interaction is subverted.
Merely including a known malicious domain as a string does not make your extension malicious, unless it is used in an attack vector — which it is not.
Malicious Signature Breakdown vs. Your Code 1. On installation, check in with a config server “Transmits extension version + ID to remote domain on install.”
Your extension:
No network calls are made at install time.
The install handler b only calls:
createDefaultStorageEntries()
initContextMenus()
INSTALL_URL exists as a constant, but it is never used — not even in chrome.runtime.setUninstallURL(...).
Verdict: Safe — no server handshake exists.
2. Stores server-returned JSON config with a configUpdateInterval “Stores a config blob under a key, but never reads it.”
Your extension:
Uses only purposeful, user-facing keys in chrome.storage, including:
activeTheme, customCSS, whitelist, carschedule, etc.
No config or configUpdateInterval key found anywhere.
All storage keys are actually read and used in logic paths.
Verdict: Safe — no fake config key, no opaque data stored.
3. Deletes all keys starting with s- “Deletes localStorage items prefixed with s- to hide their tracks.”
Your extension:
Never deletes keys by wildcard or prefix.
Never interacts with raw window.localStorage beyond reading & writing declared keys.
Verdict: Clean — no key obfuscation or deletion patterns.
4. Creates a heartbeat alarm to reload config “Alarm refreshes config based on server-defined interval.”
Your extension:
Creates only one alarm: HEALTHCHECK
js Copy Edit chrome.alarms.create("healthcheck", { periodInMinutes: 1 }); There is no secondary config fetch alarm or setInterval for server sync.
Verdict: Clear — only one static alarm exists.
5. Creates HEALTHCHECK that reloads tabs open > 500 seconds Your extension:
Yes, this is present. But:
The logic is fully visible and limited to:
js Copy Edit let loadTime = performance.loadEventEnd - navigationStart; if (loadTime > 500000) chrome.tabs.Send Message(tabId, { action: "reload" }); No external contact is made.
Purpose is performance hygiene — avoids broken pages.
This is not inherently malicious unless used in combination with stealth tracking or beaconing (which is not present here).
Verdict: Similar — but benign in isolation.
6. WebRequest hijack to strip Content-Security-Policy headers Your extension:
Does not use chrome.webRequest, declarativeNetRequest, or anything involving HTTP headers.
No mention of content-security-policy headers or interception exists.
manifest.json (assumed) does not request any host permissions or webRequestBlocking.
Verdict: 100% Safe — no request interception.
Final Verdict: Not Malicious
Signature Heuristic Present? Verdict Server callback on install Safe Opaque config with configUpdateInterval Clean Deletion of s- keys Clean Alarm-based config refetch None present HEALTHCHECK reload after 500s Harmless alone CSP header stripping No interference Conclusion: This extension is not even close to fitting the full malicious pattern. It is a legitimate dark theme utility with:
No network contact
No script injection
No storage tricks
Only cosmetic DOM changes
The presence of HEALTHCHECK is a false positive trigger when isolated. You are not malware by any valid forensic standard.
