OrangeMonkeySecurity Analysis

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

Injects and executes scripts in web pages programmatically.

Dynamically creates script elements, potentially loading external malicious code.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Dynamically sets a script's src attribute to load external code at runtime.

Manages other extensions, could disable security tools or install malware.

Uses eval() to execute dynamic code, a common technique for obfuscation and code injection.

Object.defineProperty() called on window — can intercept and override built-in browser APIs.

Creates a function from a string (new Function()), similar to eval().

Uses eval() to execute dynamic code — a common vector for code injection.

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

Decodes base64 data, commonly used to hide malicious payloads.

Makes HTTP requests to external servers, may be used for data exfiltration.

Sends messages via Chrome runtime, could communicate with external services.

Dynamically creates iframe elements, which can be used to load external content or hide malicious UI.

Uses XMLHttpRequest to make network calls.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Fetches external URL: https://www.google-analytics.com/collect

Line exceeds 5000 characters (entropy: 5.069127752707411)

Content script matches <all_urls>, executing on every website the user visits.

Encodes data to base64, may be used for data exfiltration.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

options/app.js

popup/app.js