8 comments

  • TheKnack a day ago

It appears that some of the extensions in your block list originate from a supply chain attack which compromised some extensions, but which have since been fixed and are no longer compromised and have returned to the Chrome store. This post discusses matching both the ID and version to detect compromised extensions without creating false positives.

    For example, only v4.00 of Bookmark Favicon Changer was compromised. Earlier and later versions are clean.

    https://www.elastic.co/blog/how-to-detect-malicious-browser-...

  • KevinChasse 2 days ago

    Nice work. One thing I've noticed with locally checking extensions against threat lists is that the verification process itself can become a target. Stateless, deterministic verification — where hashes or IDs are derived on-device and never stored centrally — reduces risk of supply chain or server-side compromise. It’s a subtle design point, but it can prevent a malicious actor from using the verification system itself to exfiltrate data.

    • toborrm9 2 days ago

      Great point. The current setup is exactly what you're describing, a fully local verification with no phone-home behavior.

      The CLI/GUI tools I'm building read your locally installed extensions, extract their IDs, and check them against the CSV (which you can clone/download). No data leaves your machine during the scan.

      The only "central" piece is the GitHub-hosted CSV itself, which is just a static file anyone can audit, fork, or host themselves. No API calls, no telemetry, no server lookups.

      You're right that this design prevents the verification tool from becoming an attack vector. Even if my repo got compromised, worst case is a bad CSV, your local scan process stays isolated.

I'm also looking at surfacing critical permissions for locally installed extensions, things like "access to all websites," "read clipboard," etc. That way users can make informed decisions about what to keep based on what's actually authorized, even if an extension isn't in the malicious database yet.

      Appreciate the security-minded feedback.
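The two points raised above, TheKnack's ID-plus-version matching so that a cleaned-up release is not flagged, and toborrm9's fully local scan with risky-permission surfacing, as one added Python example. This is not the project's CLI/GUI or its CSV format: it assumes a CSV with columns id,version,name where an empty version means every version is bad, the standard Chrome on-disk layout <profile>/Extensions/<id>/<version>_<n>/manifest.json, and a typical Linux profile path of ~/.config/google-chrome/Default/Extensions (Brave: ~/.config/BraveSoftware/Brave-Browser/Default/Extensions). All IDs, names and manifests in the block are constructed placeholders.

```python
"""Local, no-phone-home scan of installed Chrome extensions against an (id, version) blocklist.
Added example, not the project's tool. Assumed CSV columns: id,version,name (empty version = all).
Assumed on-disk layout (standard Chrome): <profile>/Extensions/<id>/<version>_<n>/manifest.json
"""
import csv
import io
import json
import os
import re
import tempfile

EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs are 32 characters drawn from a-p
# Permissions and host patterns worth surfacing even when the extension is not on the list.
RISKY_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "clipboardRead", "clipboardWrite",
    "cookies", "history", "tabs", "scripting", "webRequest", "webRequestBlocking", "debugger",
}

def normalize_version(version):
    """Chrome compares versions as dotted integers, so "4.00", "4.0" and "4" are one release."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def load_blocklist(csv_text):
    """Parse the CSV into {id: {normalized version or None}}; None means every version is bad."""
    blocked = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ext_id = (row.get("id") or "").strip().lower()
        if not EXT_ID_RE.match(ext_id):
            continue  # a malformed row must not silently match everything (or nothing)
        version = (row.get("version") or "").strip()
        blocked.setdefault(ext_id, set()).add(normalize_version(version) if version else None)
    return blocked

def is_blocked(blocked, ext_id, version):
    """True only for an exact (id, version) hit, or an id listed with no version (all versions)."""
    listed = blocked.get(ext_id)
    return bool(listed) and (None in listed or normalize_version(version) in listed)

def risky_permissions(manifest):
    """Union of permissions, MV3 host_permissions and content-script match patterns, filtered."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    return sorted(declared & RISKY_PERMISSIONS)

def scan_extensions(extensions_root, blocked):
    """Walk <root>/<id>/<version>_<n>/manifest.json and report every installed version, offline."""
    findings = []
    if not os.path.isdir(extensions_root):
        return findings
    for ext_id in sorted(os.listdir(extensions_root)):
        if not EXT_ID_RE.match(ext_id):
            continue
        ext_dir = os.path.join(extensions_root, ext_id)
        for version_dir in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            # Trust the manifest's own version; the directory name is only "<version>_<n>".
            version = manifest.get("version") or version_dir.split("_")[0]
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "version": version,
                             "blocked": is_blocked(blocked, ext_id, version),
                             "risky_permissions": risky_permissions(manifest)})
    return findings

# Constructed sample data: placeholder IDs and names, not real extensions.
SAMPLE_BLOCKLIST_CSV = """id,version,name
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,4.00,Sample Favicon Tool (only 4.00 compromised)
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,,Sample Malware (every version)
"""
SAMPLE_MANIFESTS = {
    ("a" * 32, "4.0_0"): {"name": "Sample Favicon Tool", "version": "4.0",
                          "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
    ("a" * 32, "4.1_0"): {"name": "Sample Favicon Tool", "version": "4.1", "permissions": ["storage"]},
    ("b" * 32, "1.2.3_0"): {"name": "Sample Malware", "version": "1.2.3",
                            "permissions": ["tabs", "<all_urls>"]},
    ("c" * 32, "2.0_0"): {"name": "Sample Clipboard Helper", "version": "2.0",
                          "permissions": ["clipboardRead"],
                          "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]},
}

def build_sample_profile():
    """Write the constructed manifests into a temporary Extensions directory; returns its path."""
    root = tempfile.mkdtemp(prefix="ext-scan-")
    for (ext_id, version_dir), manifest in SAMPLE_MANIFESTS.items():
        path = os.path.join(root, ext_id, version_dir)
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root

if __name__ == "__main__":
    for finding in scan_extensions(build_sample_profile(), load_blocklist(SAMPLE_BLOCKLIST_CSV)):
        print("BLOCKED" if finding["blocked"] else "ok     ", finding["id"], finding["version"],
              finding["name"], finding["risky_permissions"])
```

To run it against a real profile, point scan_extensions at the assumed profile path above and read the CSV from a local clone rather than over the network, so the scan stays offline. Two details matter for the false-positive problem: versions are normalized the way Chrome orders them (4.00 and 4.0 are the same release), and more than one version directory can exist under a single ID during an update, so each installed version is reported separately.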

  • julius 2 days ago

Super cool. Brave support by any chance? Using Linux, it found my Chrome, but that's not my primary browser.

    • toborrm9 2 days ago

Yes, I'm working on it.

  • wasmainiac 2 days ago

    Super cool, I hope this gets the attention it deserves!

  • politelemon 2 days ago

    Could Firefox extensions be included?