I came to the article hoping to see the list of affected extensions, so I can check if I ever installed any of them. All I get was a list of extension ID at the very bottom of the post. Is this some sort of security practice to not promoting malicious packages or something?
The WeTab / Infinity team has responded to this [1] (in Chinese). Basically, they argue that:
- The Clean Master extension has long been sold, and the malicious updated was not pushed by them.
- The other two mentioned extensions are not at all malicious. They collect use info for extension opt-out-able features and analytics (using Google Analytics and Baidu Analytics).
- They are communicating with the extension stores to restore their extension.
Let's hope it's not an AI company making AI-generated accusations.
The first point isn't meaningful from a user's perspective.
There's no difference between me trusting you and you pushing malware to me vs you selling your deploy access to a third party and the third party pushing malware to me.
Especially if selling the extension doesn't remove the old one from the browser automatically and reset it's rating to 0, download count to 0 and remove all the comments/reviews.
The builtin JavaScript interpreter is such a devious touch. No one blinks an eye at several MBs of extension data. That’s plenty of room to store arbitrary runtimes in, and then all the default browser runtime protections are pointless.
The runtime protections aren’t pointless. The interpreter makes it difficult to inspect the malicious code during execution, but it doesn’t circumvent any sandboxing of the browser.
Browser extensions are a fascinating attack vector because users grant them extraordinary privileges without understanding the risk. The 7-year persistence here is notable - malware that stays undetected that long usually means good operational security and slow, careful changes that don't trigger alarms.
I came to the article hoping to see the list of affected extensions, so I can check if I ever installed any of them. All I get was a list of extension ID at the very bottom of the post. Is this some sort of security practice to not promoting malicious packages or something?
you can search your file system for those extension id's , it will be a directory name.
Its more about the likely target audience: i can scan the whole enterprise and activate blocks with those ids.
Painful read, this reads like it was written by AI.
Seems to be company policy. They had another article here recently that was just as bad: https://news.ycombinator.com/item?id=45647853
simple human written summary: https://www.theregister.com/2025/12/01/chrome_edge_malicious...
The line is becoming very blurred to me, I did not really notice.
I flag posts like this.
Kept feeling like it was about to say something interesting, but by half way through nothing else was said
The WeTab / Infinity team has responded to this [1] (in Chinese). Basically, they argue that:
- The Clean Master extension has long been sold, and the malicious updated was not pushed by them.
- The other two mentioned extensions are not at all malicious. They collect use info for extension opt-out-able features and analytics (using Google Analytics and Baidu Analytics).
- They are communicating with the extension stores to restore their extension.
Let's hope it's not an AI company making AI-generated accusations.
[1] https://mp.weixin.qq.com/s/E8YQLWZFM2J7r5DZNSl47w & https://www.v2ex.com/t/1176484
The first point isn't meaningful from a user's perspective.
There's no difference between me trusting you and you pushing malware to me vs you selling your deploy access to a third party and the third party pushing malware to me.
Especially if selling the extension doesn't remove the old one from the browser automatically and reset it's rating to 0, download count to 0 and remove all the comments/reviews.
The builtin JavaScript interpreter is such a devious touch. No one blinks an eye at several MBs of extension data. That’s plenty of room to store arbitrary runtimes in, and then all the default browser runtime protections are pointless.
The runtime protections aren’t pointless. The interpreter makes it difficult to inspect the malicious code during execution, but it doesn’t circumvent any sandboxing of the browser.
Browser extensions are a fascinating attack vector because users grant them extraordinary privileges without understanding the risk. The 7-year persistence here is notable - malware that stays undetected that long usually means good operational security and slow, careful changes that don't trigger alarms.
Can you please stop with the LLM comments? Thank you.