10M+ Installs: Featured Chrome Extension with Dormant JS Injection Capability
Just caught the analysis from Island regarding the "Adblock for YouTube" extension. It’s alarming that despite having over 10 million installs and a 'Featured' badge on the Chrome Web Store, this extension harbors a dormant capability to execute arbitrary JavaScript.
While it claims to block ads, the underlying architecture allows for remote code execution (RCE) via script injection. The extension ID is cmedhionkhpnakcndndgjdbohmhepckk. This is a prime example of "piggybacking" on trust signals. The 'Featured' badge likely bypassed many standard user vetting processes, and even some corporate allow-lists.
For those of you hunting this in your environment, you can scan local user profiles for the specific extension ID. Here is a quick PowerShell snippet to check for its presence on Windows endpoints:
$extID = "cmedhionkhpnakcndndgjdbohmhepckk"
$profiles = Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data" -Directory -Filter "Profile*"
foreach ($profile in $profiles) {
$path = Join-Path $profile.FullName "Extensions\$extID"
if (Test-Path $path) {
Write-Host "[!] Detected on $($profile.Name): $path"
}
}
The dormant nature is the kicker—traces won't show up in traffic until the actor decides to flip the switch.
How are you handling browser extension governance in your orgs? Are you strictly block-listing, or have you moved to an allow-list model for extensions?
This is exactly why we moved to a strict allow-list via Chrome Enterprise Policy last year. It was a headache initially with users complaining about their productivity tools, but the alternative is supply chain risk like this.
If you're on Windows, you can enforce this via Group Policy (Computer Config > Administrative Templates > Google Chrome > Extensions). Set Configure extension installation whitelist to only your approved IDs.
For detection, I'd recommend comparing the manifest. of this extension against a known clean version if you have a copy, or just monitoring for any unexpected outbound connections from chrome.exe processes that don't match standard user browsing patterns.
Good catch on the PowerShell snippet. We're seeing a lot of these "utility" extensions turn malicious recently.
From a DFIR perspective, if you suspect this has been activated, you might want to check for any suspicious eval() calls or Base64 encoded strings within the extension's background scripts. You can usually find the JS files in the Extensions\[ID]\[Version] folder.
Here is a quick Python snippet to grep for eval in the extension directory:
import os, re
target_dir = r"C:\Users\...\Extensions\cmedhionkhpnakcndndgjdbohmhepckk"
for root, dirs, files in os.walk(target_dir):
for file in files:
if file.endswith(".js"):
with open(os.path.join(root, file), 'r', errors='ignore') as f:
if "eval(" in f.read():
print(f"Suspicious eval found in: {os.path.join(root, file)}")
Does anyone know if the C2 infrastructure for this specific group is already cataloged in any threat intel feeds yet?
This is a nightmare for MSPs managing clients with loose browsing policies. The 'Featured' badge implies a level of vetting that clearly doesn't exist for security.
We've started rolling out uBlock Origin Origin via GPO as the standard adblocker and blocking installation of others. It's open source and audited regularly.
Has anyone looked into whether the dormant script injection persists if the extension is simply disabled, or does it require full uninstallation to clear the registry keys/prefs?
Steve is right about allow-listing, but remediation is often overlooked. If this extension is already widespread, you need to forcibly remove it across all user profiles, not just block new installs. Here’s a PowerShell snippet to locate and delete the specific folder for the malicious ID. Ensure you run this with administrative privileges to handle user profile permissions correctly.
$TargetID = "cmedhionkhpnakcndndgjdbohmhepckk"
Get-ChildItem "C:\Users\" -Directory | ForEach-Object {
$Path = Join-Path $_.FullName "AppData\Local\Google\Chrome\User Data\*\Extensions\$TargetID"
if (Test-Path $Path) { Remove-Item $Path -Recurse -Force -Verbose }
}
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access