
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension

Technical Analysis
Happening score
H score 23
1 unique sources, 1 articles

Summary


A Chrome extension with 10 million+ installs was found to carry a dormant script-injection path, raising the risk of arbitrary JavaScript execution across visited websites. A single server-side change could activate the behavior without an extension update or store review. The extension’s youtube.com check can be bypassed by embedding the string anywhere in a URL, allowing the code path to reach non-YouTube pages. That could expose pages, credentials, and authenticated sessions even though no malicious payload distribution was observed.

Related Happenings

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score 11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
H score 29 First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps

Technical Analysis
H score 25 First: 11.03.2026 18:38 Last: 11.03.2026 18:38 Sources 1

About this happening: **Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...

QuickLens and ShotBird malicious Chrome extension update chain

Malware Activity
H score 34 First: 09.03.2026 12:28 Last: 09.03.2026 12:28 Sources 1

About this happening: The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...

Google Gemini AI in Chrome privilege escalation flaw (CVE-2026-0628)

Vulnerability
H score 33 First: 02.03.2026 12:27 Last: 02.03.2026 12:27 Sources 1

About this happening: **Google** has fixed **CVE-2026-0628** in **Gemini AI in Chrome**, a high-severity flaw that let a malicious extension hijack the privileged Gemini side panel and expose user priv...

Latest development: 02.03.2026 19:08

Palo Alto Networks Unit 42 researcher Gal Weizman discovered and reported CVE-2026-0628 in Google Chrome on November 23, 2025, identifying insufficient policy enforcement in the WebView tag that could let a malicious extension inject scripts or HTML into a privileged page and seize control of the Gemini Live panel.

Timeline

  1. 25.06.2026 17:12 2 articles · 2h ago

    Adblock for YouTube exposes dormant remote-controlled script injection path

    Technical Analysis Update

    Island identified a dormant remote-controlled script injection path in Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), a Chrome extension with more than 10 million installs and a Featured badge, that could enable arbitrary JavaScript execution on any website after a single server-side configuration change. The researchers said the code path centers on a bespoke scriptlet rule named trusted-create-element and a youtube.com check that can be bypassed by placing the string anywhere in a URL, while noting they saw no evidence that malicious payloads were distributed to users.
