Is Castorus safe to use?

Castorus has a risk level of HIGH with an overall risk score of 6.7/10. Our scan detected 37 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Castorus request?

Castorus requests the following permissions: tabs, storage, webRequest, scripting, alarms. It also requests host access to: *://*.castorus.com/*, .

What is Castorus's risk score?

Castorus has an overall risk score of 6.7/10 (HIGH). Breakdown: Permissions 7.0/10, Code 6.8/10, Combinations 10.0/10, CSP 6.1/10.

ExtSafe

CastorusSecurity Analysis

Chromev5.12MV3February 18, 2026 at 12:09 PM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

Known Security Incidents(1)

Critical2024-12Resolved

Compromised in Cyberhaven supply chain attack

Extension was among 35+ extensions compromised in the December 2024 supply chain attack campaign that injected data-stealing code.

6.7HIGH

6.7 HIGHRaw: 7.4

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 7 permissions including high-risk ones, 32 code findings, 3 dangerous combinations.

Trust Signals(3.0/10)

Users

60K

Rating

4.1(131 reviews)

Developer

ISK COMMUNICATION

Dangerous Combinations(3)

MEDIUMTab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs+tabs API usage + external network

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

7.0/10

Code

6.8/10

Combinations

10.0/10

Manifest/CSP

6.1/10

Permissions(7 analyzed)

Code Findings(17 patterns, 32 total)

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(4 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 1 external pattern(s). Verify these are trusted origins.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(6)

*castorus.comlocalhostmaps.google.comwww.castorus.comwww.mozilla.org

Indicators of Compromise

7 indicators of compromise found

File Statistics

Total Files

JS Files

388.5 KB

Total Size

Other Scanned Extensions

1Password – Password Manager

7.4 HIGH

WebP / Avif image converter

6.3 HIGH

1Password – Password Manager

7.4 HIGH

AI Exporter: Save ChatGPT, Gemini to PDF, Word, MD and Notion

6.6 HIGH