
Received — 9 June 2026 ⏭ /r/netsec - Information Security News & Discussion

X.com silently injects session-bound tracking tokens into your clipboard on every copy — security tools correctly flag this as malicious injection

Did some digging into why pasting from X.com triggers "malicious injection" warnings in security tools (CrowdStrike, Defender, SentinelOne). Turns out it's not a false positive.

Every time you copy text or a link from X.com, their JavaScript intercepts the `copy` event and rewrites your clipboard before it lands. Three injection vectors:

  1. **URL tracking** — clean tweet links get `?s=12&t=<base64-token>` appended. The token is session-bound and uniquely identifies you.

  2. **HTML clipboard payload** — X writes `text/html` alongside `text/plain`. The HTML contains hidden `<span>` elements with base64-encoded tracking data. This is what trips the XSS detection rules.

  3. **Cross-context deanonymization** — paste a tweet link into email, a forum, or Slack, and X can correlate the copier's identity with the paste destination. Shadow social graph construction without consent.

The `t=` parameter is the smoking gun. It's a base64-encoded binary blob that persists across your session. Security scanners see "base64 blob injected into clipboard" and flag it — same behavior as information-stealing malware, because technically it's the same mechanism.

No opt-out. No disclosure. The bug bounty program was dissolved.

Full technical writeup with detection regex and DevTools monitoring code:

- https://gitlab.com/jacquesmyo/security-findings

- https://codeberg.org/jacquesmyo/security-findings

submitted by /u/GlitteringOwl6669
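
An added example, not part of the original post or the linked repositories: a paste-side sanitizer for the two artifacts the post describes, the `s`/`t` query parameters on tweet links and hidden base64 spans in the `text/html` clipboard flavour. The host list, the hidden-span heuristic and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example. Host list and hidden-span heuristic are assumptions;
// the s= and t= parameter names come from the post.
const X_HOSTS = new Set(["x.com", "www.x.com", "twitter.com", "www.twitter.com"]);
const TRACKING_PARAMS = new Set(["s", "t"]);

// Strip s/t from a pasted X link; any other text is returned unchanged.
function stripXTracking(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch {
    return { cleaned: text, removed: [] }; // not a URL
  }
  if (!X_HOSTS.has(url.hostname)) return { cleaned: text, removed: [] };
  const kept = new URLSearchParams();
  const removed = [];
  for (const [key, value] of url.searchParams) {
    if (TRACKING_PARAMS.has(key)) removed.push(`${key}=${value}`);
    else kept.append(key, value);
  }
  url.search = kept.toString(); // an empty string drops the "?" entirely
  return { cleaned: url.toString(), removed };
}

// Heuristic for the text/html flavour: a span hidden via the `hidden`
// attribute or an inline style (display:none, visibility:hidden) whose
// only content is a long base64-looking run.
const HIDDEN_SPAN =
  /<span\b[^>]*(?:display\s*:\s*none|\bhidden\b)[^>]*>([^<]*)<\/span>/gi;
const BASE64_RUN = /^[A-Za-z0-9+/_-]{16,}={0,2}$/;

function findHiddenBase64Spans(html) {
  const hits = [];
  for (const match of html.matchAll(HIDDEN_SPAN)) {
    const body = match[1].trim();
    if (BASE64_RUN.test(body)) hits.push(body);
  }
  return hits;
}

// Constructed samples (not captured from X.com).
const sampleUrl = "https://x.com/someuser/status/1234567890?s=12&t=Q09OU1RSVUNURURfVE9LRU4";
const sampleHtml =
  '<a href="https://x.com/someuser/status/1234567890">link</a>' +
  '<span style="display:none">QUJDREVGR0hJSktMTU5PUFFSU1RVVg==</span><span>visible text</span>';
console.log(stripXTracking(sampleUrl));
console.log(findHiddenBase64Spans(sampleHtml));
```
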