HackerTrans
TopNewTrendsCommentsPastAskShowJobs

toborrm9

no profile record

Submissions

[untitled]

1 points·by toborrm9·27 วันที่ผ่านมา·0 comments

[untitled]

1 points·by toborrm9·28 วันที่ผ่านมา·0 comments

Show HN: SearchJack – 23 extensions, 758K users, 8 search monetization brokers

malext.io
1 points·by toborrm9·เดือนที่แล้ว·0 comments

[untitled]

1 points·by toborrm9·2 เดือนที่ผ่านมา·0 comments

Show HN: Malext.io is out – Database of malicious Chrome extensions

malext.io
1 points·by toborrm9·3 เดือนที่ผ่านมา·0 comments

Show HN: Audit the browser for malicious extensions removed from Chrome Store

chromewebstore.google.com
2 points·by toborrm9·3 เดือนที่ผ่านมา·0 comments

[untitled]

1 points·by toborrm9·3 เดือนที่ผ่านมา·0 comments

Show HN: Malicious Extension Sentry: database of removed Chrome/Edge extensions

2 points·by toborrm9·4 เดือนที่ผ่านมา·0 comments

Discovered a malicious Chrome extension targeting Apple App Store developers

blog.toborrm.com
3 points·by toborrm9·5 เดือนที่ผ่านมา·1 comments

Show HN: Daily-updated database of malicious browser extensions

github.com
17 points·by toborrm9·5 เดือนที่ผ่านมา·8 comments

comments

toborrm9
·3 เดือนที่ผ่านมา·discuss
Malicious Chrome extensions don't always get removed from the Web Store right away and I couldn't find a maintained list of malicious ones so I built this open source tool!

GitHub: https://github.com/toborrm9/malicious_extension_sentry Extension: https://chromewebstore.google.com/detail/malext-sentry/bpohi...
toborrm9
·5 เดือนที่ผ่านมา·discuss
Yes i'm working on it
toborrm9
·5 เดือนที่ผ่านมา·discuss
Working on it :)
toborrm9
·5 เดือนที่ผ่านมา·discuss
Great point. The current setup is exactly what you're describing, a fully local verification with no phone-home behavior.

The CLI/GUI tools I'm building read your locally installed extensions, extract their IDs, and check them against the CSV (which you can clone/download). No data leaves your machine during the scan.

The only "central" piece is the GitHub-hosted CSV itself, which is just a static file anyone can audit, fork, or host themselves. No API calls, no telemetry, no server lookups.

You're right that this design prevents the verification tool from becoming an attack vector. Even if my repo got compromised, worst case is a bad CSV, your local scan process stays isolated.

I'm also looking at surfacing critical permissions for locally installed extensions,things like "access to all websites," "read clipboard," etc. That way users can make informed decisions about what to keep based on what's actually authorized, even if an extension isn't in the malicious database yet.

Appreciate the security-minded feedback.