Annex Security

That extension that looks fine? Attackers use this one simple trick to slip malware into your marchine.

A Chrome extension with 7,000 users and a Google Featured badge was recently sold, weaponized, and pushed a malicious update to that executed code through a hidden pixel. Here's how it worked 👇

🧨 New CrashFix techniques found in browser extensions. "Pixel Shield" — a fully functional ad blocker (4.7 stars, 561 users) because it is a uBlock Origin clone. Hidden inside: a "Promise Bomb" that creates 10 MILLION unresolvable promises to crash your browser on command.

This report contains 287 browser extensions tracking 37 million+ users. These were identified using methodology of sandboxing extensions, automatically browsing to URLs, and measuring a data ratio transferred. Real companies, fake services, well established, it's a mixed bag.

The next supply chain worm has been seeded in Open VSX. A cloned Angular extension with 5000 downloads has been available for two weeks and was updated with malware 6 days ago. This multi stage attack uses etherhiding, gcal c2, rust implants, and more. annex.security/blog/worms-lur…

Needless to say. If you aren’t using secureannex.com wyd????

RT @tuckner: Great work by the Obsidian Security team exfiltrating ChatGPT API keys to Telegram. I heard there's more to come! https://t.c…

Think browser extensions are just PUPs? Here are the real impacts.

I also used @secureannex and @IceSolst's @CRXaminer when I was analyzing it originally. Both very helpful tools! app.secureannex.com/extensions/sea… crxaminer.tech/scan/cpcdkmjdd…

A browser extension with over a million users is poaching the prompts of leading AI chat tools. SimilarWeb loads obfuscated remote configuration to collect the prompts, responses and metadata of your conversations. Your private thoughts are analytics companies gain. secureannex.com/blog/prompt-po…

We’ve identified a security incident affecting Trust Wallet Browser Extension version 2.68 only. Users with Browser Extension 2.68 should disable and upgrade to 2.69. Please refer to the official Chrome Webstore link here: chrome.google.com/webstore/detai… Please note: Mobile-only users and all other browser extension versions are not impacted. We understand how concerning this is and our team is actively working on the issue. We’ll keep sharing updates as soon as possible.

Glassworm malware returns in third wave of malicious VS Code packages - @billtoulas bleepingcomputer.com/news/security/… bleepingcomputer.com/news/security/…

Glassworm's resurgence | by @secureannex @tuckner "we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months" secureannex.com/blog/glassworm…

Glassworm returned in a big way during the holiday. We're tracking 23 code extensions across the VS Marketplace and Open VSX which copy popular extensions, evade filters, manipulate their download counts, and then update with sinister malware. secureannex.com/blog/glassworm…

The extension was approved, now what? Are you going back tomorrow to see if it changed? You know they auto update instantly right? Rolling out to Secure Annex - code change alerts. This takes comparison of the code from the previous version along with additional context to understand how the code in an extension is changing over time.

A brand new unlisted extension with 100,000 users? 41 ratings? Must be really valuable. Nope - completely manipulated stats and it doesn't even contain real code. It exists only to collect your searches and earn Bing Rewards.

We've found code extensions openly call themselves malware in the VS Code marketplace recently and now browser extensions posing as known malicious remote access tools to the Chrome Web Store. What gives?

A @code (VS Code) extension with ransomware capabilities, believed to be “vibe coded” using generative AI, was discovered in the official Visual Studio Marketplace, according to @secureannex. #cybersecurity #CISO #AI #infosec bit.ly/49eOdIq

Another edition of "Guess the right solidity". Two of these will compromise your machine the moment you hit install.

Powerful new Detections are added to Secure Annex. These are already catching subtle exploits like unicode extension names that evade other filters, manipulated download counts, and combinations of suspicious signatures in code.