MaxAI: Ask AI anything as you browse (GPT, Gemini, Claude, Grok, etc.)Security Analysis

Extension reads clipboard and communicates externally — potential credential or crypto address theft.

Extension manages other extensions and executes dynamic code — behavior consistent with malware dropper.

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Dynamically sets a script's src attribute to load external code at runtime.

Listens for keyboard events, a common technique used by keyloggers.

Dynamically creates script elements, potentially loading external malicious code.

Creates a function from a string (new Function()), similar to eval().

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Decodes base64 data, commonly used to hide malicious payloads.

Opens WebSocket connections, which can be used for persistent command-and-control channels.

Makes HTTP requests to external servers, may be used for data exfiltration.

Uses XMLHttpRequest to make network calls.

Dynamically creates iframe elements, which can be used to load external content or hide malicious UI.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Uses document.write() which can inject arbitrary HTML/scripts into pages.

Fetches external URL: https://api.extensions-hub.com/extensionhub/send_notification

Opens a WebSocket connection, which can be used for persistent C2 channels.

JavaScript file could not be parsed and has high entropy. May contain obfuscated code.

Line exceeds 5000 characters (entropy: 5.699195366577823)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Content script matches <all_urls>, executing on every website the user visits.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Reads or writes to localStorage, which may contain sensitive site data.

Encodes data to base64, may be used for data exfiltration.

Creates a Web Worker, which runs code in a separate thread — can be used for background computation or crypto mining.

String with entropy 6.02 bits — may be encoded/encrypted data

background.js

background.js

chunks/4B6UFNBQ.js

chunks/KP3IGOQI.js

chunks/KP3IGOQI.js

chunks/NPAUDJ52.js

chunks/OPRBJTHJ.js

chunks/UB52WFCV.js