
Add browser-extension object template for malicious/compromised extensions#524

Merged
adulau merged 1 commit into
mainfrom
codex/review-pr-#521
May 29, 2026
Conversation

@adulau (Member) commented May 29, 2026

Motivation

  • Provide a structured MISP object to represent browser extension supply-chain incidents (compromised or malicious extension releases) capturing identity, version diffs, permission escalations, payloads, infrastructure, verdicts, confidence and timestamps.
  • Close an intelligence gap where analysts were forced to use generic url/domain/file objects and lose contextual fields that make extension-level reporting actionable.

Description

  • Add objects/browser-extension/definition.json containing the new object definition with attributes such as id, name, ecosystem, version-malicious, version-clean, permissions-added, host-permissions-added, malicious-file, c2-url, exfil-url, verdict, confidence, analysis-source, first-seen, crx-sha256 and others, and set meta-category to misc.
  • Add objects/browser-extension/README.md documenting motivation, attributes, ATT&CK mapping, example usage and suggested relationships.
  • Register the new object in the repository index (README.md) so it is discoverable alongside other object templates.
  • Normalize JSON formatting to repository conventions (jq_all_the_things.sh / validate_all.sh workflow) and ensure the README example meta-category matches the object definition.

Testing

  • Ran the repository validation workflow with ./validate_all.sh, which invokes jq_all_the_things.sh, jsonschema checks, ./tools/validate_opposites.sh, and unique_uuid.py, and the workflow completed successfully (output: "Success: All is fine, please go ahead..").
  • Validated the new object specifically using jsonschema (via the same ./validate_all.sh run) and python -m json.tool formatting checks, which succeeded.

Codex Task

New object for browser extension supply chain threat intelligence.
Captures compromised or malicious extension release events including
permission escalation diffs, C2 infrastructure, and analysis verdicts.

Attributes (20):
- Identification: id, name, ecosystem, publisher, store-url
- Version diff: version-malicious, version-clean
- Manifest: manifest-version, permissions-added, host-permissions-added
- Payload: malicious-file, crx-sha256
- Infrastructure: c2-url, exfil-url
- Analysis: attack-pattern, verdict, confidence, analysis-source, first-seen, description

ATT&CK: T1195.002, T1185, T1539, T1567, T1036

Motivated by the 2024-2026 wave of Chrome/Firefox extension supply chain
attacks (Cyberhaven, Trust Wallet, RedDirection, Operation Phantom Enigma,
Nx Console) affecting millions of users.
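The object template described in this PR, exercised as an added example (not MISP's code and not part of the PR): it diffs two constructed manifests to fill permissions-added and host-permissions-added, hashes a constructed byte string for crx-sha256, and assembles a MISP Object in event-JSON shape using only the 20 attribute names listed in the commit message. The MISP attribute types per relation, the manifest contents, the store id and the dates are assumptions; the real template in objects/browser-extension/definition.json is authoritative.

```python
"""Build a MISP 'browser-extension' object from a clean/malicious manifest pair.
Added example, not MISP's own code. Attribute types and sample data are assumed."""
import hashlib
import json

# Attribute relations of the template as listed in the PR (20 names).
TEMPLATE_RELATIONS = {
    "id", "name", "ecosystem", "publisher", "store-url",
    "version-malicious", "version-clean",
    "manifest-version", "permissions-added", "host-permissions-added",
    "malicious-file", "crx-sha256",
    "c2-url", "exfil-url",
    "attack-pattern", "verdict", "confidence", "analysis-source",
    "first-seen", "description",
}

# Assumed MISP attribute type per relation; anything else is treated as text.
ASSUMED_TYPES = {
    "store-url": "url", "c2-url": "url", "exfil-url": "url",
    "crx-sha256": "sha256", "malicious-file": "filename",
    "first-seen": "datetime",
}


def permission_diff(clean_manifest, malicious_manifest):
    """Return (permissions-added, host-permissions-added): entries present in
    the malicious manifest but absent from the clean one, sorted for stability."""
    def added(key):
        return sorted(set(malicious_manifest.get(key, []))
                      - set(clean_manifest.get(key, [])))
    return added("permissions"), added("host_permissions")


def build_object(fields):
    """Assemble a MISP Object dict. Unknown relations raise, so a typo never
    silently produces an attribute the template cannot hold."""
    unknown = set(fields) - TEMPLATE_RELATIONS
    if unknown:
        raise ValueError(f"not in browser-extension template: {sorted(unknown)}")
    attributes = []
    for relation, value in fields.items():
        values = value if isinstance(value, list) else [value]
        for v in values:  # multi-valued relations become one Attribute each
            attributes.append({
                "object_relation": relation,
                "type": ASSUMED_TYPES.get(relation, "text"),
                "value": v,
            })
    return {"name": "browser-extension", "meta-category": "misc",
            "Attribute": attributes}


# Constructed sample manifests: the malicious release adds two API permissions
# and widens host access from one site to every URL.
CLEAN_MANIFEST = {"manifest_version": 3, "version": "1.4.0",
                  "permissions": ["storage", "tabs"],
                  "host_permissions": ["https://example.test/*"]}
MALICIOUS_MANIFEST = {"manifest_version": 3, "version": "1.5.0",
                      "permissions": ["storage", "tabs", "cookies", "webRequest"],
                      "host_permissions": ["<all_urls>"]}
CRX_BYTES = b"constructed placeholder, not a real CRX package"


def example_object():
    """Fill the object for the constructed incident above."""
    perms, hosts = permission_diff(CLEAN_MANIFEST, MALICIOUS_MANIFEST)
    return build_object({
        "id": "abcdefghijklmnopabcdefghijklmnop",  # placeholder store id
        "name": "Example Helper",
        "ecosystem": "chrome",
        "version-malicious": MALICIOUS_MANIFEST["version"],
        "version-clean": CLEAN_MANIFEST["version"],
        "manifest-version": str(MALICIOUS_MANIFEST["manifest_version"]),
        "permissions-added": perms,
        "host-permissions-added": hosts,
        "crx-sha256": hashlib.sha256(CRX_BYTES).hexdigest(),
        "attack-pattern": "T1195.002",
        "verdict": "malicious",
        "confidence": "high",
        "analysis-source": "constructed example",
        "first-seen": "2026-01-15T00:00:00+00:00",  # assumed date
    })


if __name__ == "__main__":
    print(json.dumps(example_object(), indent=2))
```

The diff is computed from the manifests rather than typed by hand so that permissions-added and host-permissions-added are reproducible from the two CRX versions an analyst actually has; the relation whitelist catches drift between a producer script and the template before the event reaches a MISP instance.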
@adulau adulau merged commit 29efabf into main May 29, 2026
7 checks passed