React Developer ToolsSecurity Analysis

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

Injects and executes scripts in web pages programmatically.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Dynamically creates script elements, potentially loading external malicious code.

Listens for keyboard events, a common technique used by keyloggers.

Dynamically sets a script's src attribute to load external code at runtime.

Creates a function from a string (new Function()), similar to eval().

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

Modifies window.location to redirect the user, potentially to phishing or malicious pages.

Sends messages via Chrome runtime, could communicate with external services.

Uses XMLHttpRequest to make network calls.

JavaScript file could not be parsed. May contain obfuscated or minified code.

Line exceeds 5000 characters (entropy: 5.217175123677591)

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Content script matches <all_urls>, executing on every website the user visits.

Reads or writes to localStorage, which may contain sensitive site data.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Encodes data to base64, may be used for data exfiltration.

Creates a Web Worker, which runs code in a separate thread — can be used for background computation or crypto mining.

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Extension registers a DevTools panel page. DevTools extensions have access to inspected page network traffic and DOM.