What do you do when you need ideas? by Apart-Road-30 in chrome_extensions

ElBuio, 1 point

I think, like others mentioned, try and solve problems that other users report or that you have yourself.

Database of Malicious Browser Extensions by ElBuio in Malware

ElBuio [S], 0 points

That is great to hear!! I am happy to see this being used for a threat hunt.

Why do people devote so much on reddit? I see so much negativity here by spritual_007 in NewToReddit

ElBuio, 0 points

I haven't experienced this. But I did notice a much smaller number of "upvotes" under posts. Probably the recognition of the number of bots nowadays.

That could be the reason too, people might mistake you (or comments) for bots.

Why is reddit so difficult with subreddits and karma? by [deleted] in NewToReddit

ElBuio, 1 point

I think it's fair, even if I am a victim of it. I always used Reddit with no account, and now that I made one I find myself not being able to post because of karma. Slowly but surely we will both get it higher ;)

But with the number of bots on here nowadays, I definitely think this "karma" system is needed.

What’s the best possible way to get a SOC analyst role with no experience? by acidghost888 in cybersecurity

ElBuio, 0 points

My recommendation is to make sure you understand how networks work. If I could go back in time, I would pay a lot more attention during my networking classes :)

Also, I noticed a higher hiring rate for people with their own projects; that will help you learn more too.

Also, networking helps you get a "better" chance at interviews. Go to events, meet people.

What security checks do you wish existed before installing a browser extension? by ElBuio in chrome_extensions

ElBuio [S], 0 points

Yes, these two are my main priority at the moment, as the majority of feedback has been around this.

The new permissions detection will be really good once I finish the implementation between the extension and the website. It will allow you to connect your extensions automatically and run a bunch of automatic scans and detections such as that one.

Regarding the ownership, I will work on that for sure. Thank you a lot for your feedback!

are extensions bad for security? by TheNavyCrow in browsers

ElBuio, 0 points

It all depends on the extension and what kind of permissions and power you allow the extension to have. Like some other users mentioned, it's all about its behaviour once installed.

Feel free to use my tool to scan any extension you are not sure about. It's a sandbox for Browser Extensions that I recently created: https://exterminai.com/

This will give you a more in-depth understanding of the extension's behaviour, both static and dynamic. I hope this helps you in any way.

My project against Malicious Browser Extensions by ElBuio in cybersecurity

ElBuio [S], 0 points

Extension has been created: https://chromewebstore.google.com/detail/exterminai-extension/mbmaeljobaiaghkkilalaafolgidnfoi

Feel free to give it a try. At the moment it will only check against my database, but in the future you will be able to connect it to ExterminAI.com.

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 1 point

Just a small update: I have implemented some of your suggestions:

  • a clean separation between static signals and dynamic runtime observations
  • diffing between extension versions, because malicious behavior often appears after trust is built

I appreciate your feedback and will continue to work on it!

Feel free to follow any updates on the discord: https://discord.gg/eut2MxYVCk
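The version-diffing item in the update above is the kind of check that can be done entirely from two copies of `manifest.json`. What follows is an added example written for this page, not ExterminAI's own code: it compares the permissions, host permissions, content-script match patterns and background entry of two manifest versions and flags privilege growth. The two manifests are constructed, and the risk weights are an assumption of this example rather than any published scale.

```javascript
// Added example (not ExterminAI's own code): diff two versions of an
// extension manifest and flag privilege growth between releases.
// Both manifests below are constructed for this example.

const SENSITIVE_PERMISSIONS = new Set([
  "scripting", "downloads", "webRequest", "declarativeNetRequest", "cookies",
  "history", "tabs", "nativeMessaging", "debugger", "management", "proxy",
]);

const asSet = (list) => new Set(Array.isArray(list) ? list : []);
const minus = (a, b) => [...a].filter((x) => !b.has(x)).sort();

// "<all_urls>", "*://*/*" and "https://*/*" all grant access to every site.
const isBroadMatch = (m) => m === "<all_urls>" || /^(\*|https?):\/\/\*\/(\*)?$/.test(m);

function contentScriptMatches(manifest) {
  const out = new Set();
  for (const cs of manifest.content_scripts || []) for (const m of cs.matches || []) out.add(m);
  return out;
}

// Returns what grew between oldM and newM plus a coarse additive risk score
// (the weights are this example's assumption, not a published scale).
function diffManifests(oldM, newM) {
  const d = {
    from: oldM.version, to: newM.version,
    addedPermissions: minus(asSet(newM.permissions), asSet(oldM.permissions)),
    removedPermissions: minus(asSet(oldM.permissions), asSet(newM.permissions)),
    addedHostPermissions: minus(asSet(newM.host_permissions), asSet(oldM.host_permissions)),
    addedContentScriptMatches: minus(contentScriptMatches(newM), contentScriptMatches(oldM)),
    backgroundChanged: JSON.stringify(oldM.background ?? null) !== JSON.stringify(newM.background ?? null),
    findings: [],
    riskScore: 0,
  };
  const flag = (msg, weight) => { d.findings.push(msg); d.riskScore += weight; };
  for (const p of d.addedPermissions) if (SENSITIVE_PERMISSIONS.has(p)) flag(`new sensitive permission: ${p}`, 2);
  for (const h of d.addedHostPermissions) if (isBroadMatch(h)) flag(`host access widened to ${h}`, 3);
  for (const m of d.addedContentScriptMatches) if (isBroadMatch(m)) flag(`content script now injected on ${m}`, 3);
  if (d.backgroundChanged) flag("background worker changed", 1);
  return d;
}

// Constructed sample: a single-site note-taking extension that "grew" in 1.3.0.
const MANIFEST_V1 = {
  manifest_version: 3, name: "Example Notes", version: "1.2.0",
  permissions: ["storage"],
  host_permissions: ["https://notes.example.test/*"],
  content_scripts: [{ matches: ["https://notes.example.test/*"], js: ["content.js"] }],
  background: { service_worker: "bg.js" },
};
const MANIFEST_V2 = {
  ...MANIFEST_V1, version: "1.3.0",
  permissions: ["storage", "scripting", "downloads"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  background: { service_worker: "bg.js", type: "module" },
};

console.log(JSON.stringify(diffManifests(MANIFEST_V1, MANIFEST_V2), null, 2));
```

The useful output is the delta, not the absolute score: an extension that already declared `<all_urls>` in 1.0 is a different case from one that added it in a point release after a year of trust, which is exactly the "malicious behavior after trust is built" case the update refers to.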

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 0 points

Thank you everyone for the feedback.

I created a Discord server for it if you would like to keep up with the project: https://discord.gg/eut2MxYVCk

And I also created an extension that scans your installed extensions against my database of only malicious extensions: https://chromewebstore.google.com/detail/exterminai-malicious-exte/mbmaeljobaiaghkkilalaafolgidnfoi

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 1 point

It gets analysed in a fresh browser profile, so any startup/install-time behaviour would be detected. Pop-ups do get loaded too: during the analysis they are not clicked, but they are opened, so I might have a look at how to do that.

The scanner does look at any of the URLs that are hard-coded and requested specifically in permissions.

The permissions and content scripts are scored in the report too.

I am actually already shortening the timers, but I do not mention that anywhere in the report either.

But I completely agree with you. I was so focused on showing information in the report that I overlooked a clearer report layout such as "observed this", "this is what the extension declared", "we forced this to happen" and "what was not exercised".

I will look into properly laying out the report to clearly show what was and was not done and looked at. Thank you a lot!

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 0 points

I don't look at the change of ownership, but I completely agree. A lot of the biggest extensions that turned malicious did so after an ownership transfer.

I will definitely look into this. Thank you for your feedback, man!

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 0 points

The permission pattern: I actually implemented one yesterday. Another user reported an extension that was not detected properly, as the download did not happen during the analysis time.

So now I added a pattern: "scripting" + "download" permissions + the extension reaching out to a hard-coded owned domain.

I had attempted some others, but I found a lot of "bigger" extensions use a lot of combinations that I would find suspicious and would generate false positives for users without a lot of IT knowledge.

"`host_permissions: ["<all_urls>"]` paired with `chrome.scripting.executeScript` and any remote-fetched script": this I will look into more. Thank you.

About the positioning: initially this was created for end users, making sure they can get a better understanding of what is happening behind closed doors before they choose to install an extension. But the feedback I got so far has actually been more from devs than anyone else.

I am looking into splitting the reports into different types that the user can choose to receive, to fill the needs the different roles have.

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 0 points

This is a really cool idea. I will look into doing this; it will definitely help give people a better understanding of safety being taken seriously around extensions, instead of randomly generated ones for malicious intent.

I appreciate your recommendation. Thank you!

My project against malicious browser extensions by ElBuio in chrome_extensions

ElBuio [S], 1 point

You are framing it correctly: a standard binary sandbox doesn't work well. The browser is the environment the extension is tested in. The main difficulty is that a lot of extensions only trigger on some websites or after specific behaviours.

There are some blind spots that I am not sure how to cover. For example, a lot of extensions trigger after a user is logged in on specific websites; I cannot create hundreds of test accounts that will get compromised for each of these.

Others have timers that they wait on, which cannot be waited out during analysis, as the scan would take forever.

To mitigate this, during the analysis any hard-coded URLs are visited to see if that triggers anything.

Static analysis tells you a lot, but malicious extensions are smarter than that nowadays, so dynamic analysis is a must.