Release: OLED Mode extension for Chrome

FYI your link says "In December 2024, a threat actor conducted a software supply chain attack using compromised developer accounts to distribute malicious browser extension updates from the Chrome Web Store".

The version I base my decompilation on is a v6.1.2 sourced from the Web Store on August 9, 2024. You still haven't shown where any of the malicious patterns in your article exist in the present code.

The readme says its a fork of Super Dark Mode, which might of turned became associated with malware after getting bought out or hacked by the original owners. >We assess that the threat actor acquired access to at least some of the extensions from their original developers, rather than through a compromise. The threat actor has been trojanizing extensions since at least July 2024.

But for several years it was a legit extension used by over 300,000 people and it worked beautifully. You found a reference to their old domain in their old extension which is not surprising. If you remove this reference it still works. Can you show that the reference in the code is malicious?

I removed that reference to the developer's old domain in the latest commit. Analysis: echnical Fact Pattern 1. Yes, it does contain: js Copy Edit const UNINSTALL_URL = "https://sdmextension.com/uninstall/"; const INSTALL_URL = "https://sdmextension.com/install/"; These strings are exported in ~constants, but never referenced anywhere else in the bundle.

2. No evidence of execution The rest of the index.js does not:

Call fetch(UNINSTALL_URL) or fetch(INSTALL_URL)

Set chrome.runtime.setUninstallURL(...)

Load remote scripts or assets

Send network requests to sdmextension.com or elsewhere

The constants are inert — unused code paths.

3. No remote command & control activity No WebSocket usage

No dynamic eval, Function, or arbitrary JS loader

No remote script.src injection

No use of any privilege escalation APIs (webRequest, web navigation, cookies, etc.)

4. Not listed in manifest.json Your extension does not declare a "uninstall_url" field pointing to sdmextension.com. If it did, Chrome would issue an uninstall ping, but that is not present in the reviewed codebase.

Why It's Not Malware — Even With That Domain Present

Indicator Legitimate Use Case Present Here? Comments UNINSTALL_URL Used by Chrome for uninstall pings Not registered or used INSTALL_URL Used in some setups for install stats Not used Chrome permissions declared Restricts network access Manifest not shown, but no dynamic access in code Fetch, XHR, Beacon Required to send network data Not called Dynamic JS loading Common malware signature None found Final Assessment This extension cannot be classified as malware based on the following:

The references to sdmextension.com are inert.

No data is exfiltrated.

No script or payload is ever fetched.

No permission is requested that would enable a communication channel.

No user or system interaction is subverted.

Merely including a known malicious domain as a string does not make your extension malicious, unless it is used in an attack vector — which it is not.

I was transparent about the origins of where this code came from. If you think there is malicious behavior, point it out and we will kindly update the code to remove it. The reference to the extensions old domain has been removed now.

What did you do?