Worth a MalExt Report? A 2 Million-User Chrome Extension Added Give Freely/Wildlink in a 5-Day Update

I've been reversing the 2M+ user Volume Booster Chrome extension and found something interesting.

Between v1.0.3 (2025-06-27) and v1.0.4 (2025-07-02), the extension added:

    "content_scripts": [{
      "matches": ["<all_urls>"],
      "js": [
        "vendor/GiveFreely-content.umd.js",
        "content-script.js"
      ]
    }]

The previous version was essentially a small audio booster. The newer version introduces a Give Freely / Wildlink component that appears to support merchant detection, affiliate attribution, and donation campaigns.

No new permissions were added, meaning existing users would have received the update automatically without a new Chrome permission approval prompt.

I've also found the same Give Freely / Wildlink infrastructure in multiple unrelated extensions, which makes me think it's being distributed as a white-label monetization/fundraising SDK.

I'm still investigating and considering whether this is worth adding to MalExt. At this point I don't have evidence of malware, credential theft, or anything overtly malicious, just a significant expansion of functionality in a 2M-user extension.

Curious what others think. Is this a transparency/privacy concern, or just a normal extension monetization model? Any opinions or prior research on Give Freely / Wildlink would be appreciated so I can add it to malext.io.

submitted by /u/Huge-Skirt-6990
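
An added example (not part of the original post or the extension's code): a Python check that diffs two manifest versions for the pattern the first post describes, newly added content scripts on broad match patterns with no change in declared permissions. Both sample manifests are constructed; only the v1.0.4 `content_scripts` entry comes from the post, and the function names are this example's own.

```python
import json

# Match patterns that inject a script on effectively every page.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def scripts(manifest):
    """Map each content-script file to the match patterns it is injected on."""
    out = {}
    for entry in manifest.get("content_scripts", []):
        for js in entry.get("js", []):
            out.setdefault(js, set()).update(entry.get("matches", []))
    return out

def declared_access(manifest):
    """API permissions plus every host pattern the manifest declares anywhere."""
    access = set(manifest.get("permissions", []))
    access |= set(manifest.get("host_permissions", []))
    for patterns in scripts(manifest).values():
        access |= patterns
    return access

def diff_manifests(old, new):
    """Report added content scripts and any change in declared access."""
    old_s, new_s = scripts(old), scripts(new)
    added = {js: sorted(m) for js, m in new_s.items() if js not in old_s}
    new_access = sorted(declared_access(new) - declared_access(old))
    broad = sorted(js for js, m in added.items() if BROAD & set(m))
    return {
        "added_scripts": added,
        "new_access": new_access,
        "broad_added_scripts": broad,
        # New code on every page while declared access is unchanged:
        # nothing in the permission list distinguishes the two versions.
        "silent_expansion": bool(broad) and not new_access,
    }

# Constructed manifests: only the v1.0.4 content_scripts entry is from the post.
OLD = json.loads("""{"version": "1.0.3", "permissions": ["storage"],
  "host_permissions": ["<all_urls>"]}""")
NEW = json.loads("""{"version": "1.0.4", "permissions": ["storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"],
    "js": ["vendor/GiveFreely-content.umd.js", "content-script.js"]}]}""")

if __name__ == "__main__":
    print(json.dumps(diff_manifests(OLD, NEW), indent=2))
```

A `silent_expansion` result says only that the permission list cannot explain the change, so the added script files themselves are what needs review.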

PromptSnatcher: AdBlocker stealing AI Chats - 90k installs

Two Chrome extensions presenting as adblockers also intercept every prompt and response on ChatGPT, Claude, Gemini, Copilot, Grok, Perplexity, DeepSeek, and Meta AI, exfiltrating them to operator-controlled servers.

They also check whether you're a paid user on 5 of the 8 platforms (ChatGPT, Claude, Perplexity, Copilot, Gemini).

Both share the same capture engine, payload format, and partnerId.

Two brands, one operation.

Report covers the IOCs, live remote config, reproduction curl, and full target breakdown.

Full write-up: MalExt Sentry - Malicious Browser Extension Tracker

Chrome Web Store abuse reports filed.

submitted by /u/Huge-Skirt-6990

I found 23 Chrome extensions hijacking 758,000 users' searches for affiliate revenue

I scanned Chrome extension manifests for chrome_settings_overrides and found 23 extensions silently routing 758,000 users' searches through hidden monetization networks.

The pattern: install a free extension (satellite imagery, maps, news reader), your default search gets quietly replaced and every query goes through the operator's middleware before reaching a search network, generating affiliate revenue you never consented to.

Key findings:

  • 8 distinct brokers behind these extensions. If one extension gets pulled, another goes up under a different name.
  • Several extensions have zero functionality beyond the search override
  • One extension affirmatively claims "We don't track your searches" while its own privacy policy says otherwise
  • One uses runtime declarativeNetRequest injection so the real behavior is invisible to static analysis

The `hspart` parameter in the final search redirect URL is the clustering key. One value maps an entire broker network regardless of extension name, domain, or publisher identity.

Full report: https://malext.io/reports/SearchJack/

submitted by /u/Huge-Skirt-6990