tuckner
@johntuckner.me
750 followers 290 following 380 posts
Working on finding bad browser extensions. More at: https://secureannex.com
johntuckner.me
Interesting piece of protestware in the browser extension space. Injects a script that autoplays the Ukrainian national anthem on '.ru' domains.
johntuckner.me
Secure Annex now has a code editor extension to help manage other extensions. One installation will protect VS Code, Cursor, and Windsurf. Any extension known to be malicious/suspicious will be uninstalled immediately from your editors. Get in touch if you're interested!
johntuckner.me
Running statistics comparing when a browser extension is reported malicious/suspicious to when it is removed from the Chrome Web Store. Here is the breakdown:

Still active: 68.8%
91-365 days: 19.1%
31-90 days: 5.8%
Same day or 1 day: 2.9%
8-30 days: 2.3%
2-7 days: 1.2%
johntuckner.me
While the calculator works as advertised, it will sneakily change links on pages. The broad website access needed for just the overlay feature enables much more than just showing a calculator. Use the one that comes with your PC.
johntuckner.me
The extension modifies links on webpages that point to these target domains. When you click what appears to be a link to "best-calc[.]ru," you're actually redirected to "bit[.]ly/3dk4NIW" with tracking parameters. These could be changed at any time to edit links on pages you visit.
johntuckner.me
The server responds with target domains and redirect mappings. Currently targeting calculator sites like "best-calc[.]ru" and "get-calc[.]com" - direct competitors to what users think they installed.
johntuckner.me
The extension runs content scripts on every webpage you visit, which enables the calculator overlay feature; it also gives the extension access to monitor and modify links across the entire web.
johntuckner.me
The background script immediately connects to "otsledit[.]net/calc" on startup to fetch configuration data. This happens silently every time your browser starts, with no user notification.
johntuckner.me
This "Calculator" Chrome extension (60k+ users) markets itself as a simple iOS-style calculator with "basic arithmetic operations" with the ability to "open calculator directly on website pages." Could that be all?
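A defender-side check for the combination this thread describes (content scripts on every page, broad host permissions, and a background worker that can pull remote configuration), written here as an added example; it is not Secure Annex's code or the extension's own code, and the manifest below is constructed to mirror the posts rather than copied from the store.

```python
import json

# Constructed manifest modelled on the behaviour described above:
# overlay injected everywhere, access to every site, and a background
# service worker. This is NOT the real extension's manifest.
CALC_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Calculator",
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["overlay.js"]}],
})


def is_broad(pattern):
    """True if a match pattern covers every site (host part is a bare '*')."""
    if pattern == "<all_urls>":
        return True
    scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return host == "*" and scheme in ("*", "http", "https")


def analyze(manifest_json):
    """Return a list of risk findings for a manifest.json string."""
    m = json.loads(manifest_json)
    findings = []
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = list(m.get("host_permissions", []))
    hosts += [p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"]
    broad_hosts = any(is_broad(h) for h in hosts)
    if broad_hosts:
        findings.append("broad host access: can read and modify any site")
    for cs in m.get("content_scripts", []):
        if any(is_broad(p) for p in cs.get("matches", [])):
            scripts = ", ".join(cs.get("js", []))
            findings.append("content script on every page: " + scripts)
            break
    if m.get("background") and broad_hosts:
        findings.append("background worker with broad access: remote config "
                        "can drive what the content scripts change")
    return findings
```

A manifest whose content scripts are limited to the site the feature actually needs produces no findings, so the check separates "overlay on one site" from "overlay everywhere".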
johntuckner.me
The Secure Annex extension is available to protect against other extensions! When an extension is found to be malicious, Secure Annex will prevent it from running. A great option for teams that do not have complete control with managed browsers. If you're interested, get in touch!
johntuckner.me
Integrations are coming to Secure Annex! Easily gather all of the extensions in your environment from any source. Simply send data to an endpoint and pick out the data location. Some preconfigured options include Fleet and LimaCharlie! Get in touch if you want to try it out.
johntuckner.me
I put together a browser extension analysis workshop for ContinuumCon and went over a section of the material live! The material and labs are still available at ContinuumCon or feel free to message if you would like a specialized training!

www.youtube.com/watch?v=hhnm...
CC2025 Day 1.4 - Demystifying Browser Extensions
The #cybersecurity conference that "never ends!" full 3 day stream recordings. Access to the conference workshop labs, practical content, and Blue Team Defensive CTF can be accessed for as long as…
www.youtube.com
johntuckner.me
How are folks finding what MCP servers are in use in their organizations? Not just remote ones, but local also. There are a ton of places where they are configured that I've seen even for just something like Claude.
Reposted by tuckner
johntuckner.me
Not subscribed to the THOR Collective Dispatch yet? You might've missed my guest piece on hunting for bad browser extensions. Check if the extension your CFO installed to change text to Comic Sans is also taking screenshots of his Salesforce reports.

dispatch.thorcollective.com/p/even-if-ma...
johntuckner.me
The Secure Annex extension history graph now shows version, verdict, and availability elements in addition to users. With this you can easily see when a new extension version is released, when it was labeled, and how long it can last in a marketplace before take down.
johntuckner.me
Salesloft reported that a GitHub compromise triggered their recent incident involving Drift. This has been my leading example of how a malicious browser extension can cause significant damage through capturing and replaying user sessions in GitHub.

youtu.be/h3vFGv8wxfM?...
Exploring Browser Extensions with John Tuckner
Watch this week's Defender Fridays with John Tuckner, Founder of Secure Annex, as we explore browser extensions and the risks they pose to your organization. Learn, share, and grow alongside…
youtu.be
johntuckner.me
Developers are now looking for improvements in Open VSX after a string of malicious extensions impersonating real ones were published. The malware has not been taken down after 3+ days. This is impacting the trust in the platform.
johntuckner.me
Cursor responded and removed the extensions from the search. They are still available on Open VSX.
johntuckner.me
Yes, two days ago, before they were even updated with malware. No response yet from Open VSX or Cursor.
johntuckner.me
Attackers are even trying to inject prompts to evade AI analysis (unsuccessfully) because it's being caught.

Take your response into your own hands.
johntuckner.me
Reported as malware over two days ago, all are still available in Open VSX. A couple have even gone through publisher verification successfully and look even more convincing to anyone that doesn't know better.
johntuckner.me
Six malicious extensions listed in Cursor and hosted on Open VSX. All are squatting on other packages and are showing above the safe versions they target.
johntuckner.me
Earlier Solidity malware taken down from the Open VSX marketplace. The publisher was supposed to be removed. Different namespace, same publisher with more Solidity malware.

open-vsx.org/extension/ki...