ExpressVPN: VPN & proxy browser extension
Security Analysis

Chrome | v8.0.2 | MV3 | February 18, 2026 at 11:58 AM
Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

7.1 HIGH (Raw: 8.9)

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 12 permissions including high-risk ones, 92 code findings, 5 dangerous combinations.

Trust Signals (5.0/10)

Users: 1.0M
Rating: 4.5 (3K reviews)

Dangerous Combinations (5)

HIGH: Cookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies + external network request

MEDIUM: Tab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs + tabs API usage + external network

CRITICAL: Network interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking + external network request

CRITICAL: Native messaging + dynamic code execution

Extension communicates with native apps and executes dynamic code — potential sandbox escape vector.

nativeMessaging + eval/Function/dynamic code

CRITICAL: All-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls> + keylogger_pattern

Permissions: 9.5/10
Code: 9.1/10
Combinations: 10.0/10
Manifest/CSP: 5.8/10

Permissions (12 analyzed)

Code Findings (24 patterns, 92 total)

Content Security Policy

CSP Present (1 issue)

LOW: object-src: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (3 findings)

Resolved from __MSG_* i18n placeholders:

Name: ExpressVPN: VPN & proxy browser extension

Description: Go online safely with blazing-fast speed. Switch locations, access content, and toggle between proxy mode and full app control

MEDIUM: web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

HIGH: externally_connectable: Any website can send messages to this extension

externally_connectable uses broad patterns, allowing any website to establish a messaging channel with the extension. This can be exploited to trigger extension actions from malicious pages.

HIGH: content_scripts: Aggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains (26)


Indicators of Compromise

11 indicators of compromise found

File Statistics

Total Files: 793
JS Files: 28
Total Size: 9.8 MB
