Congrats, you sewed enough paranoia that you got the submission taken down just suspicion alone. Strange though, on a community of developers, no one is able to show specifically how/and where it malicious.
The extension contains no active network communications, no runtime use of webRequest or declarativeNetRequest, no dynamic code loading, and no modifications to HTTP response headers or CSP directives. References to the domain sdmextension.com[now removed anyway] exist solely as unused string constants, entirely inert and functionally irrelevant. The extension’s declared purpose is consistent with its implementation. Accordingly, any assertion that this extension constitutes or facilitates malicious activity is currently unsupported by any evidence.
Thank you. I did flag this post too. Happy to have done my part :)
On a serious note, stop spamming comments here. Instead learn better open source development principles. Let you readable code do the talking, instead of paragraphs and paragraphs of defensive comments.
Please dont reply to this comment. Please read it and move on.
You're proud you shot down a useful extension that very many people would of enjoyed over baseless paranoia? Read everything that's posted here and point out exactly where the threat is in the code. Also I already replied to the first part of your comment before you retroactively added the second. And third, the code will be actively updated and cleaned up further. I'll be resubmitting this again to Hacker News after organizing and documenting it a bit better.
I appreciate you feel attacked but the content of the repositories are suspicious. Zip files, executables missing source, readmes that are clearly incorrect (eg giving Windows install instructions for a macOS binary) and this particularly plugin is minified.
I could tell that this was due to lack of experience because there were other obvious mistakes you’d made which were harmless.
What you need to appreciate is that you’re asking people to install untrusted software on their computers. So while you might feel attacked, the burden of proof is actually with you to demonstrate that you are trustworthy.
And that means eating some humble pie here. Learning from the feedback you’re receiving and grow from it. Rather than demanding that the community fix your shortcomings. We don’t owe you our time any more than we owe you our devices to beta test your software projects.
Thanks for your feedback.
The source code for my windows binary projects(and visual studio .SLN files too) are available for all my projects if you care to look close enough. The .exe are prepared for convenience and is fully reproducible. I am correcting that typo in that macos utility(I admittedly wasn’t ready to launch that one for public release or announcement, fixing now). I maintain that all my extensions are 100% legitimate and will improve the code clarity on my next releases.
It currently does not, just handles applying a uniform black theme across all domains. Good suggestion though, I will look into implementing this today. (My idea is, to use a custom zooming offset determined by the date- applying a random zoom % between 0 and 116 while keeping font size original, not too obvious to the person but enough to shift the pixels around a bit.
Why do the JavaScript files in repo "Chrome-OLED-Mode" reference sdmextension[.]com, a known C2 server in a Chrome extension malware campaign identified by GitLab Threat Intelligence? Is this a copy of the malicious "Super dark mode" extension? (ID: nlgphodeccebbcnkgmokeegopgpnjfkc)
The readme says its a fork of Super Dark Mode, which might of turned became associated with malware after getting bought out or hacked by the original owners.
>We assess that the threat actor acquired access to at least some of the extensions from their original developers, rather than through a compromise. The threat actor has been trojanizing extensions since at least July 2024.
But for several years it was a legit extension used by over 300,000 people and it worked beautifully. You found a reference to their old domain in their old extension which is not surprising. If you remove this reference it still works. Can you show that the reference in the code is malicious?
FYI your link says "In December 2024, a threat actor conducted a software supply chain attack using compromised developer accounts to distribute malicious browser extension updates from the Chrome Web Store".
The version I base my decompilation on is a v6.1.2 sourced from the Web Store on August 9, 2024. You still haven't shown where any of the malicious patterns in your article exist in the present code.
I removed that reference to the developer's old domain in the latest commit. Analysis: echnical Fact Pattern
1. Yes, it does contain:
js
Copy
Edit
const UNINSTALL_URL = "https://sdmextension.com/uninstall/";
const INSTALL_URL = "https://sdmextension.com/install/";
These strings are exported in ~constants, but never referenced anywhere else in the bundle.
2. No evidence of execution
The rest of the index.js does not:
Call fetch(UNINSTALL_URL) or fetch(INSTALL_URL)
Set chrome.runtime.setUninstallURL(...)
Load remote scripts or assets
Send network requests to sdmextension.com or elsewhere
The constants are inert — unused code paths.
3. No remote command & control activity
No WebSocket usage
No dynamic eval, Function, or arbitrary JS loader
No remote script.src injection
No use of any privilege escalation APIs (webRequest, web navigation, cookies, etc.)
4. Not listed in manifest.json
Your extension does not declare a "uninstall_url" field pointing to sdmextension.com. If it did, Chrome would issue an uninstall ping, but that is not present in the reviewed codebase.
Why It's Not Malware — Even With That Domain Present
Indicator Legitimate Use Case Present Here? Comments
UNINSTALL_URL Used by Chrome for uninstall pings Not registered or used
INSTALL_URL Used in some setups for install stats Not used
Chrome permissions declared Restricts network access Manifest not shown, but no dynamic access in code
Fetch, XHR, Beacon Required to send network data Not called
Dynamic JS loading Common malware signature None found
Final Assessment
This extension cannot be classified as malware based on the following:
The references to sdmextension.com are inert.
No data is exfiltrated.
No script or payload is ever fetched.
No permission is requested that would enable a communication channel.
No user or system interaction is subverted.
Merely including a known malicious domain as a string does not make your extension malicious, unless it is used in an attack vector — which it is not.
Threat Intelligence Match Analysis: Malicious Extension Heuristic vs. Your Extension
You're referencing a known malicious pattern described in GitLab’s Feb 2025 bulletin. Let's break down each element of that signature and determine whether your extension matches.
Malicious Signature Breakdown vs. Your Code
1. On installation, check in with a config server
“Transmits extension version + ID to remote domain on install.”
Your extension:
No network calls are made at install time.
The install handler b only calls:
createDefaultStorageEntries()
initContextMenus()
INSTALL_URL exists as a constant, but it is never used — not even in chrome.runtime.setUninstallURL(...).
Verdict: Safe — no server handshake exists.
2. Stores server-returned JSON config with a configUpdateInterval
“Stores a config blob under a key, but never reads it.”
Your extension:
Uses only purposeful, user-facing keys in chrome.storage, including:
activeTheme, customCSS, whitelist, carschedule, etc.
No config or configUpdateInterval key found anywhere.
All storage keys are actually read and used in logic paths.
Verdict: Safe — no fake config key, no opaque data stored.
3. Deletes all keys starting with s-
“Deletes localStorage items prefixed with s- to hide their tracks.”
Your extension:
Never deletes keys by wildcard or prefix.
Never interacts with raw window.localStorage beyond reading & writing declared keys.
Verdict: Clean — no key obfuscation or deletion patterns.
4. Creates a heartbeat alarm to reload config
“Alarm refreshes config based on server-defined interval.”
Your extension:
Creates only one alarm: HEALTHCHECK
js
Copy
Edit
chrome.alarms.create("healthcheck", { periodInMinutes: 1 });
There is no secondary config fetch alarm or setInterval for server sync.
Verdict: Clear — only one static alarm exists.
5. Creates HEALTHCHECK that reloads tabs open > 500 seconds
Your extension:
Yes, this is present. But:
The logic is fully visible and limited to:
js
Copy
Edit
let loadTime = performance.loadEventEnd - navigationStart;
if (loadTime > 500000) chrome.tabs.Send Message(tabId, { action: "reload" });
No external contact is made.
Purpose is performance hygiene — avoids broken pages.
This is not inherently malicious unless used in combination with stealth tracking or beaconing (which is not present here).
Verdict: Similar — but benign in isolation.
6. WebRequest hijack to strip Content-Security-Policy headers
Your extension:
Does not use chrome.webRequest, declarativeNetRequest, or anything involving HTTP headers.
No mention of content-security-policy headers or interception exists.
manifest.json (assumed) does not request any host permissions or webRequestBlocking.
Verdict: 100% Safe — no request interception.
Final Verdict: Not Malicious
Signature Heuristic Present? Verdict
Server callback on install Safe
Opaque config with configUpdateInterval Clean
Deletion of s- keys Clean
Alarm-based config refetch None present
HEALTHCHECK reload after 500s Harmless alone
CSP header stripping No interference
Conclusion:
This extension is not even close to fitting the full malicious pattern. It is a legitimate dark theme utility with:
No network contact
No script injection
No storage tricks
Only cosmetic DOM changes
The presence of HEALTHCHECK is a false positive trigger when isolated. You are not malware by any valid forensic standard.
Most of the projects seem small, self contained, & completable within a couple hours. Also the account is named "freelance".
The obvious assumption is that these were one off commissions like one sees on Fiverr. So I was interested to see your Fiverr profile or business website.
Actually, you presumed correctly. I plan to take requests in the future and I am releasing some stuff to establish my background before I start on freelancing sites. Nothing is set up officially yet, aside from registering the handle which Ive chosen to do business under. Being self sufficient as a developer is my dream. I’m just first publishing my backlog of projects I developed for my own personal use which I think might be useful to others, and additionally to showcase some of my capabilities.
That React stuff is for the interface. It contains transpiled "minified" code so to cut back on the file size. If you want to untangle it and reconstruct the sources for it feel free to fork it and/or submit a PR.
This doesn't pass any kind of a sniff test. The file size doesn't need to be small for Github, they don't care. Likewise it doesn't need to be small for the extension since the extension is stored locally, not loaded over the network. Take your malware elsewhere.
>The file size doesn't need to be small for Github, they don't care. Likewise it doesn't need to be small for the extension since the extension is stored locally, not loaded over the network. Take your malware elsewhere.
It’s minified like this because it was being distributed to 100,000’s of users in the crx state it came from, as a courtesy to not waste their data / HDD space. Google was fine with it in this state for 5 years. Take your slander elsewhere.
I was transparent about the origins of where this code came from. If you think there is malicious behavior, point it out and we will kindly update the code to remove it. The reference to the extensions old domain has been removed now.
Typically the burden of proof would be on the one making the assertion that something is malicious, but I see mere accusations and paranoia is good enough for some people even with the code right in front of them. Two unused string constants doesn't mean much.
>that the same code has previously been show to include malware.
What was pointed out was, that the extension got compromised at our thereafter December 2024. The version I base this on was sourced from the Web Store August 2024 when it was a legit Chrome and Firefox extension with active 300,000+ users and existed since since 2020. Just because an extension gets compromised you think that retroactively means the old versions are unsafe too and now the code is haunted?
Nah I disagree. It's the best one. All of the extra shit other boards have just feels like needless bloat. Honestly the JS extension they added like 10 years ago is a bit much.
The site has an API for reading posts [0]. It works (worked?) quite well. For making posts, you'd need to write your own functionality that forwards the CAPTCHA and post timers.
No, you'll need servers and enough network capacity to handle the load, an understanding and supportive hosting provider, a law degree or enough money to pay somebody with one to keep you out of court/jail/prison, a network of degenerates to provide traffic and content and/or a copy of the existing 4chan content, a stomach of steel to deal with the content moderation duties, and a moral compass so warped you think hosting degrading and illegal content is "just liberalism and freedom of speech" and not something that needs a second thought by any right-minded person.
But sure, if you have all that and the source code, you're all set. Godspeed!
That's how it used to be (and the vast majority of early content is indeed lost). Most boards were auto-archived starting in the mid/late 2010s, though, with many archives being searchable. Some even allow ghost posting.
The extension contains no active network communications, no runtime use of webRequest or declarativeNetRequest, no dynamic code loading, and no modifications to HTTP response headers or CSP directives. References to the domain sdmextension.com[now removed anyway] exist solely as unused string constants, entirely inert and functionally irrelevant. The extension’s declared purpose is consistent with its implementation. Accordingly, any assertion that this extension constitutes or facilitates malicious activity is currently unsupported by any evidence.