Hot Take Example of a malicious extension with a good rating

Parkinsond
Thread author
Dec 6, 2023

Attachments

  • Screenshot_8-2-2026_16299_chromewebstore.google.com.jpeg (52.3 KB)
  • Screenshot_8-2-2026_162928_chromewebstore.google.com.jpeg (63.2 KB)
  • Screenshot_8-2-2026_162952_chromewebstore.google.com.jpeg (36.7 KB)
Technical Analysis & Remediation

Evidence of Compromise

Source

browser_extensions_list.txt

Entry N/A,*pjbgfifennfhnbkhoidkdchbflppjncb*,pjbgfifennfhnbkhoidkdchbflppjncb,malware,malicious...

Threat Intel Link
Matches the "June 8, 2023 Cluster" of malicious extensions.

MITRE ATT&CK Mapping

T1176 (Browser Extensions)

The adversary uses the extension mechanism to maintain persistence in the browser.

T1566.002 (Spearphishing Link)
Users are lured via "Clean" ratings on third-party download sites.

T1056.004 (Input Capture: Credential API Hooking)

This malware cluster is known to inject code into web pages to intercept search queries and potentially other form data.

Operational Behavior

The "Sleeper" Tactic

The malicious code is often obfuscated and set to activate only 24+ hours after installation, allowing it to bypass automated scans by Google or Softpedia.

Payload
Instead of a simple theme, the extension acts as a "Search Hijacker," redirecting user queries through affiliate networks to generate revenue for the attacker.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3)

DETECT (DE)

Command

Run a fleet-wide query for Extension ID pjbgfifennfhnbkhoidkdchbflppjncb.

Command
Block the domain darktheme.tab or any C2 domains associated with the "Triplex Media" developer group if visible in DNS logs.

RESPOND (RS)

Command
Force-Remove the extension via Google Workspace Admin Console (Devices > Chrome > Apps & extensions > Users & browsers).

Command
Reset all active web sessions (cookies) for affected users, as the extension had read/write access to all visited websites.

PROTECT (PR)

Command
Implement a "Blocklist by default" policy for extensions, allowing only those vetted by IT.

Remediation - THE HOME USER TRACK

Priority 1: Eradication

Command
Open Chrome/Edge, go to chrome://extensions, find "Dark Mode" (ID ending in ...jncb), and click Remove.

Command
Do not interact with any "Goodbye" surveys that open after removal.

Priority 2: Sanitization

Command
Clear your browser cache and cookies (Ctrl+Shift+Delete -> Select "All time"). This removes any tracking beacons left by the hijacker.

Command
Change passwords for sensitive sites (Banking, Email) if you logged into them while the extension was active, as a precaution against data scraping.

Priority 3: Verification

Command
Verify your default search engine has not been changed. Go to chrome://settings/search and ensure it is set to Google, Bing, or your preferred provider, not a generic "Secure Search".

Hardening & References

Primary Evidence

Found in browser_extensions_list.txt, pointing to Palant's "Another cluster of potentially malicious Chrome extensions".

Lesson Learned
"Clean" ratings on software download sites (like Softpedia) are static and often fail to detect dynamic, obfuscated JavaScript malware found in browser extensions. Always verify the Extension ID against community threat lists.
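The DETECT step above ("run a fleet-wide query for Extension ID pjbgfifennfhnbkhoidkdchbflppjncb") in working form, as an added example that is not code from the post or from the forum: a Python script that parses a blocklist in the comma-separated layout quoted under "Evidence of Compromise" (ID in the second and third fields, category in the fourth), walks a Chrome or Edge profile's Extensions directory, and reports every installed extension that is listed, also noting which ones request access to every site (the "Read and change all your data on the websites you visit" permission the later replies refer to). The sample blocklist lines, the filler ID, and the demo profile it builds are constructed here so the script runs offline; the only identifier taken from the thread is the pjbg... ID.

```python
"""Scan a Chrome/Edge profile for blocklisted extensions (added example, not the post's code).

Assumptions: blocklist lines follow the comma-separated format quoted in the post;
the sample lines and demo profile below are constructed so the script runs offline.
"""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample in the post's blocklist format. Only the first ID comes from
# the thread; the all-"a" entry is a made-up filler line.
SAMPLE_BLOCKLIST = """\
Entry N/A,*pjbgfifennfhnbkhoidkdchbflppjncb*,pjbgfifennfhnbkhoidkdchbflppjncb,malware,malicious
Entry N/A,*aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa*,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,malware,constructed-filler
"""

MALICIOUS_ID = "pjbgfifennfhnbkhoidkdchbflppjncb"
BENIGN_ID = "bcdefghijklmnopabcdefghijklmnopa"  # constructed, not a real extension

# Chrome Web Store extension IDs are 32 lowercase letters in the range a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Permission strings that grant read/write access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_blocklist(text):
    """Return {extension_id: category} from blocklist text; ignores malformed lines."""
    blocked = {}
    for line in text.splitlines():
        fields = [f.strip().strip("*") for f in line.split(",")]
        if len(fields) < 4:
            continue
        category = fields[3]
        for field in fields:
            if EXT_ID_RE.match(field):
                blocked[field] = category
    return blocked


def broad_host_access(manifest):
    """True if the manifest asks for all-sites access (MV2 'permissions' or MV3 'host_permissions')."""
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return any(p in BROAD_HOST_PATTERNS for p in requested)


def scan_profile(profile_dir, blocked):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and describe each extension.

    Typical profile dirs: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default (Windows),
    ~/.config/google-chrome/Default (Linux), ~/Library/Application Support/Google/Chrome/Default
    (macOS); Edge uses the same layout under Microsoft/Edge.
    """
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for id_dir in sorted(ext_root.iterdir()):
        if not (id_dir.is_dir() and EXT_ID_RE.match(id_dir.name)):
            continue
        for manifest_path in sorted(id_dir.glob("*/manifest.json")):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or corrupt manifest: skip it rather than abort the sweep
            findings.append({
                "id": id_dir.name,
                "version": manifest.get("version", manifest_path.parent.name),
                "name": manifest.get("name", "?"),
                "blocklisted": id_dir.name in blocked,
                "category": blocked.get(id_dir.name),
                "broad_host_access": broad_host_access(manifest),
            })
    return findings


def build_demo_profile():
    """Create a throwaway profile holding one blocklisted and one benign extension (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="demo-profile-"))
    demo = {
        MALICIOUS_ID: {"name": "Dark Mode", "version": "1.0.3", "manifest_version": 3,
                       "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"]},
        BENIGN_ID: {"name": "Constructed Benign Ext", "version": "2.1.0", "manifest_version": 3,
                    "permissions": ["storage"]},
    }
    for ext_id, manifest in demo.items():
        ver_dir = root / "Extensions" / ext_id / f"{manifest['version']}_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    profile = build_demo_profile()
    for f in scan_profile(profile, load_blocklist(SAMPLE_BLOCKLIST)):
        flag = "BLOCKLISTED" if f["blocklisted"] else ("broad host access" if f["broad_host_access"] else "ok")
        print(f"{f['id']} {f['version']:>8} {f['name']!r:<28} {flag}")
```

Point `scan_profile` at each real profile directory on a host (or push the script through your endpoint agent) to get the fleet-wide query the post calls for. Matching on the extension ID rather than the display name matters because, as the last reply notes, more than one listing can carry the same name. The PROTECT step ("blocklist by default") corresponds to Chrome's ExtensionInstallBlocklist policy set to "*" with vetted IDs in ExtensionInstallAllowlist; the post does not name those policies, so that mapping is this note's assumption.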
 
That happens when a normal, useful extension suddenly turns into malware. This is why I have trust issues with random software, extensions, scripts or even ad block filters I find on the web. Yes, the piece of code might be very useful at the moment, but all it takes is just one terrible update and the tool could become malware.
 
It doesn't matter if an extension is safe today. These tools require permission to "Read and change all your data on the websites you visit." That is permission to scrape your bank details and emails. All it takes is one update, or the developer selling the extension to a data broker, to turn a useful tool into a keylogger.

If you care about OpSec, stop increasing your attack surface for a cosmetic upgrade. Use the native chrome://flags implementation which renders locally and doesn't require handing your browsing data to a third-party developer.
 
I think it's also a little deceptive on their part to include Dark Reader in the description name, as some users may get confused and think it's that trusted version and install it?
There is another one with the exact same name.