Skip to content

Latest commit

 

History

History
353 lines (257 loc) · 15.1 KB

File metadata and controls

353 lines (257 loc) · 15.1 KB

Malicious Chrome Extension IOC Database

A community-maintained database of malicious Chrome and Edge browser extension indicators of compromise (IOCs).

Repository: chrome-mal-ids

License: CC BY 4.0 STIX 2.1

⚠ Schema updated May 2026 — Six new TPCI-V verification fields added (TPCI-VERIFY, TPCI-VERIFY-DATE, TPCI-STORE-NAME, TPCI-STORE-DEV, TPCI-STORE-DATE, TPCI-IDENTITY) plus four earlier additions (ADD-SOURCES, CONTRIB-METHOD, CONTRIB-TYPE, CONTRIB-HANDLE). Scripts using positional column indexing will need updating. Scripts using named headers (csv.DictReader or equivalent) require no changes. See SCHEMA.md for full details and migration guidance.

⚠ Delta import verification status — A meaningful share of entries sourced from third-party sources (CONTRIB-METHOD=Delta_Import or csv_import) have undergone Stage 5A static behavioral analysis and shown confirmed malicious or elevated-risk patterns at a high rate. Third-party sources include a one-time bulk delta import plus ongoing ingestion from toborrm9/malicious_extension_sentry and PDF report intake. For current entry counts and the exact confirmation rate, see the By Contribution Method table in STATS.md — those numbers move as ingestion continues, so they're tracked there rather than restated here. See Data Quality and CHANGELOG.md.



What this is

Started in 2021 as a personal research project after noticing no single authoritative list of malicious Chrome extension IDs existed. The database tracks thousands of documented malicious extension IOCs across dozens of campaigns — from credential stealers and browser hijackers to supply chain compromises and ad fraud rings. Current totals change as ingestion continues — see STATS.md for the live count, campaign breakdown, and contribution-method breakdown, auto-generated on every update rather than restated here.

The database is maintained by The Privacy Commons Institute (TPCI) and is an active research platform. TPCI conducts original research on browser extension threats including persistence measurement, removal rate analysis, IOC feed quality assessment, and behavioral verification. Entries are updated as research progresses. All changes are documented in CHANGELOG.md.

All entries sourced from original research are human-reviewed before publication. Distribution outputs (STIX, MISP, Sigma, blocklist) contain only TPCI-verified entries.


The data

File Description
data/current-list-meta.csv Full dataset with metadata
data/current-list.csv ID-only list for lightweight consumption
data/current-list.txt Plain text blocklist, one ID per line
data/current-list.json JSON array with full metadata
data/current-list-sigma.yml Sigma detection rule for SIEMs
formats/chrome-mal-ids-stix.json STIX 2.1 bundle for threat intel platforms
formats/misp-export.json MISP event JSON for manual import
formats/misp-feed/ MISP feed directory for automatic polling
STATS.md Auto-generated statistics summary — current totals, campaign breakdown, contribution methods, and monitored sources live here
SCHEMA.md Full schema documentation

Schema overview

Each entry in current-list-meta.csv contains:

Field Description
EXTID 32-character Chrome/Edge extension ID
EXTID-NAME Extension display name
DATE-DIS Date the malicious behavior was first reported
THREAT-TYPE Type of threat (spyware, data-theft, browser-hijack, etc.)
BROWSER chrome or edge
STILL-ACTIVE 1 if still live in the browser store at time of reporting
OWNERSHIP-TRANSFER 1 if a legitimate extension was acquired and turned malicious
SOURCE Primary research source
ARTICLE News/blog article covering the campaign
NOTES Plain-English summary of the malicious behavior

Full schema: SCHEMA.md

Data quality

Entries in this database fall into two categories with different confidence levels. Exact current counts for both categories, plus a full breakdown by contribution method (delta import, PDF report intake, AI enrichment, manual entry, etc.), are in STATS.md's "By Contribution Method" table rather than restated here as static numbers.

Independently verified entries (CONTRIB-METHODDelta_Import, ≠ csv_import) Sourced from published security research, individually reviewed by a human before commit, with source citations and campaign attribution. These are confirmed malicious extensions backed by original research.

Third-party source entries (CONTRIB-METHOD=Delta_Import, csv_import, PDF_Import, etc.) These entries have not necessarily been individually human-reviewed on ingest but have undergone Stage 5A static behavioral analysis. Check the TPCI-VERIFY and TPCI-IDENTITY fields for current verification status. Entries with TPCI-VERIFY=Stage 5A are behaviorally confirmed; entries marked TPCI-VERIFY=stub are pending individual analysis.

Filtering by confidence level:

# High confidence — independently verified entries only
grep -v "Delta_Import\|csv_import" data/current-list-meta.csv

# Check verification status
awk -F',' '$19 != "" '} data/current-list-meta.csv   # TPCI verified entries

# Unverified delta imports
grep "Delta_Import" data/current-list-meta.csv | grep -v "Store_Enrichment"

Additional quality notes:

  • UNKNOWN stubs — entries with confirmed malicious IDs but incomplete metadata. Committed immediately (an ID is better than nothing) and enriched over time. Find them with: grep ",UNKNOWN," data/current-list-meta.csv
  • Still-active flag — reflects status at time of reporting, not necessarily today. Use TPCI-VERIFY and TPCI-VERIFY-DATE for current verified status.
  • Supply chain victims — some entries marked TPCI-IDENTITY=remediated were legitimate extensions compromised by supply chain attacks. The developers have patched the malicious code. These IDs are retained for historical accuracy but should not be treated as currently malicious.
  • Contributor handles - malsware refers to Mallory Bowes Brown (Principal Researcher, TPCI) — a legacy handle predating the Institute's formation. New records use mbb. Contact: research@tpc.institute

How to use it

🌐 Search UI

Browse and search the full database at: https://the-privacy-commons-institute.github.io/chrome-mal-ids

Filter by campaign, threat type, browser, date, and active status. Click any entry for full details including research article links.

📄 Plain text blocklist

One ID per line — works with grep, MDM tools, custom scripts:

# Download
curl -O https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list.txt

# Check a specific ID
grep "YOUR_EXTENSION_ID" current-list.txt

# Scan all installed Chrome extensions (Linux/macOS)
comm -12 \
  <(ls ~/.config/google-chrome/Default/Extensions/ | sort) \
  <(grep -v '^#' current-list.txt | awk '{print $1}' | sort)

🔷 JSON

Full metadata as a JSON array — ideal for developers and custom tooling:

https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list.json
import urllib.request, json
url  = "https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list.json"
data = json.loads(urllib.request.urlopen(url).read())
exts = {e["ext_id"]: e for e in data["extensions"]}
# Check an ID
if "your_extension_id" in exts:
    print(exts["your_extension_id"])

🔍 Sigma rule (SIEM detection)

Sigma rule covering all known malicious IDs — compatible with Splunk, Elastic, Microsoft Sentinel, and any Sigma-capable SIEM:

https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list-sigma.yml

Convert to your SIEM's native format with sigma-cli:

sigma convert -t splunk current-list-sigma.yml
sigma convert -t elastic-dsl current-list-sigma.yml
sigma convert -t sentinel current-list-sigma.yml
# Download the full metadata CSV
curl -O https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list-meta.csv

# Check if a specific extension ID is malicious
grep "YOUR_EXTENSION_ID" current-list-meta.csv

🛡️ System scan scripts

Linux / macOS:

curl -O https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/contrib/scripts/linux_mac/chrome-ext-check.sh
chmod +x chrome-ext-check.sh
./chrome-ext-check.sh

Windows (PowerShell):

Invoke-WebRequest -Uri https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/contrib/scripts/windows/Scan-ChromeExtensions.ps1 -OutFile Scan-ChromeExtensions.ps1
.\Scan-ChromeExtensions.ps1

🔵 MISP

Two MISP formats are available — manual import or automated feed:

Manual import (misp-export.json):

MISP → Events → Import → MISP JSON → select misp-export.json

Automated feed (recommended — MISP polls automatically on a schedule):

MISP → Feeds → Add Feed:
  Name:         Malicious Chrome Extension IOC Database
  Type:         MISP Feed
  URL:          https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/formats/misp-feed/
  Input source: Network
  Distribution: Your organisation only

The feed creates one MISP event per campaign, with full attribute metadata, TLP:WHITE tags, and source references (see STATS.md for the current campaign count). Updates automatically with every new database commit.

🧩 STIX 2.1 / OpenCTI

The STIX 2.1 bundle is auto-generated on every update and available at:

https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/formats/chrome-mal-ids-stix.json

MISP — scheduled pull:

Events → Feeds → Add Feed → STIX 2.1 → paste URL above

OpenCTI — remote ingestion:

Data → Ingestion → Remote STIX2 Feeds → paste URL above

Subscribe to updates via the releases RSS feed:

https://github.com/The-Privacy-Commons-Institute/chrome-mal-ids/releases.atom

🐍 Python / programmatic

import csv, urllib.request

url = "https://raw.githubusercontent.com/The-Privacy-Commons-Institute/chrome-mal-ids/master/data/current-list-meta.csv"
with urllib.request.urlopen(url) as r:
    rows = list(csv.DictReader(line.decode() for line in r))

# Check a specific ID
target = "your_extension_id_here"
match  = next((r for r in rows if r["EXTID"] == target), None)
if match:
    print(f"MALICIOUS: {match['EXTID-NAME']}{match['THREAT-TYPE']}")

Statistics

Live, auto-generated statistics — total IOC count, verified vs. third-party split, campaign breakdown, threat type breakdown, contribution methods, and currently monitored sources — are maintained in STATS.md, not duplicated here. STATS.md regenerates automatically as part of the commit pipeline, so it reflects the database's actual current state rather than a number frozen at whatever point this README was last edited.


TPCI-V Verification

All entries in this database are subject to ongoing verification using the TPCI-V multi-stage verification protocol developed by The Privacy Commons Institute.

Stage Method Field
Stage 1 Source review and ingestion CONFIRM-MAL, REPORTED-MAL
Stage 2 Chrome CRX update API TPCI-VERIFY, STILL-ACTIVE
Stage 3 Headless browser store verification TPCI-VERIFY, STILL-ACTIVE
Stage 4 Identity continuity check TPCI-IDENTITY, TPCI-STORE-NAME
Stage 5 Behavioral analysis (static CRX) TPCI-BEHAVIORAL, TPCI-BEHAVIORAL-DATE

Full methodology: tpc.institute


Monitoring Sources

The database is updated by monitoring security research RSS feeds and GitHub repositories daily.

Current source list: See STATS.md for the full auto-generated list — it stays in sync with the monitoring pipeline automatically.

Sources include blogs and publications from: Koi Security / Palo Alto, Bleeping Computer, The Hacker News, Krebs on Security, Sekoia, Palant's Blog, Secure Annex, Trustwave SpiderLabs, The Record, SecurityWeek, and several GitHub IOC aggregation repositories.

To suggest a new source, open an issue.


Reporting a new malicious extension

Open an issue with:

  • Extension ID (32-char string from the Chrome Web Store URL)
  • Extension name
  • Source article or research post
  • Brief description of the malicious behavior

Data format

See SCHEMA.md for the full field specification before submitting a PR.


Coverage highlights

Some notable campaigns tracked in this list:

  • Cyberhaven Dec 2024 — supply chain attack on a legitimate security extension
  • DarkSpectre / ShadyPanda — 36+ extensions, 7.8M infected browsers
  • Phoenix Invicta / Netflix Party — 60+ extensions circumventing Manifest V3 restrictions
  • unknow.com spyware — 57 extensions, 6M users, cookie theft and remote control
  • adindex ad fraud cluster — RCE via Firebase, session replay for ad fraud
  • Koi RedDirection — browser hijack campaign across Chrome and Edge
  • BIScience clickstream — browsing history collection under false pretenses
  • And many more — browse the full list →

License

This dataset is licensed under CC BY 4.0.

You are free to use, share, and adapt this data for any purpose including commercially, provided you give appropriate credit:

Extension IOC data sourced from chrome-mal-ids by Mallory Bowes Brown https://github.com/The-Privacy-Commons-Institute/chrome-mal-ids

See LICENSE.md for full terms.


Maintained by @mallorybowes / The Privacy Commons Institute
Pipeline tooling built with Claude (Anthropic)
Verification protocol: TPCI-V