Risk Score Breakdown
7.0
out of 10.0
HIGH RISK
ELEVATED RISK
Primary: TRACKER
Permissions
2.5 / 2.5
Code Analysis
0.9 / 2.5
Behavioral Correlations
0.6 / 3.0
Infrastructure
0.5 / 2.0
Listing details
Developer
Unknown
First-party
No
Flags
—
Users
Unknown
Rating
N/A
Version
2.3.0
Last updated
Unknown
Author Email Compromise (HIBP)
Author email not found in store metadata.
Behavioral Threat Analysis
1 compound threat pattern(s) detected by correlating findings across permissions, code patterns, and infrastructure.
Critical: 0
High: 1
Medium: 0
Silent Web Tracker
Tracking
high
medium confidence
Extension intercepts ALL web traffic via webRequest API and sends data externally. This enables invisible tracking of every website the user visits.
Evidence: <all_urls> + webRequest + network exfiltration
all_urls
web_request
exfiltration
Permission Attack Paths
Permission combinations that enable specific attack capabilities.
1 critical and 1 high-severity path(s) detected.
Universal Code Injection
+3.0
CRITICAL
Can inject arbitrary JavaScript into ANY webpage
scripting <all_urls>
Traffic Interception
+1.2
HIGH
Can intercept ALL web traffic
webRequest <all_urls>
Attack Narrative
Single-stage capability detected. May be benign, but warrants review.
ACCESS
Can access ALL websites including authenticated sessions
Indicators of Compromise (IOCs)
Extension Identifier
fakegmdomhmegokfomgmkbopjibonfcp
File Hash IOCs (SHA-256)
manifest.json
NOT IN VT
e7aaea682e6cc76a014162301a2793f9d5159134ae2c425448cadb40936cd58f
background/background.js
NOT IN VT
fa0659ef21239bdd2e1e79504574a000021dc1bf0ec35ec4b25a14468e6d9144
content_script/app.js
NOT IN VT
2d46e76deb75740c085fef5daf7738cb609b02520e846cba506a29189c7bc871
Host Permissions & Website Access
CRITICAL: This extension has
<all_urls> access - can read and modify data on ALL websites you visit!
Permission Scope: ALL_WEBSITES
Risk Level: HIGH
Host Permissions
1
Content Scripts
3
Sensitive Categories
0
Sensitive Domains
0
Risk Factors
[!] Has
Sample Host Permissions
Showing 1 of 1 host permission(s) requested by this extension:
Full access to ALL websites on the internet
Risk: CRITICAL | Category: all_urls
VirusTotal Domain Reputation
Domains are extracted from extension source and manifest (external URLs); known benign domains (CDNs, docs, standards) are not scanned. Only flagged (malicious/suspicious) domains are listed in the IOC section above.
0 domain(s) checked and found clean
8 domain(s) not found in VirusTotal database
Show unknown domains
www.dcuniverse.com*.hulu.comlocal.getmetastream.comdeveloper.chrome.comwww.disneyplus.com*.netflix.com*.twitch.tvapp.getmetastream.com
Raw URL Inventory
All URLs discovered in scripts and manifest (27)
| URL | Host | Source | Location |
|---|---|---|---|
| https://app.getmetastream.com | app.getmetastream.com | JS code | background.js:64 |
| http://local.getmetastream.com | local.getmetastream.com | JS code | background.js:67 |
| https://local.getmetastream.com | local.getmetastream.com | JS code | background.js:68 |
| http://localhost:8080 | localhost | JS code | background.js:69 |
| https://localhost:8080 | localhost | JS code | background.js:70 |
| https://developer.chrome.com/extensions/match_patterns | developer.chrome.com | JS code | background.js:93 |
| https://www.dcuniverse.com/* | www.dcuniverse.com | JS code | background.js:187 |
| https://docs.google.com/* | docs.google.com | JS code | background.js:191 |
| https://drive.google.com/* | drive.google.com | JS code | background.js:191 |
| https://www.disneyplus.com/* | www.disneyplus.com | JS code | background.js:195 |
| http://localhost:8080/#?${params.toString( | localhost | JS code | background.js:821 |
| https://clients2.google.com/service/update2/crx | clients2.google.com | manifest | manifest.json |
| https://app.getmetastream.com | — | external_scripts | background.js:64 |
| http://local.getmetastream.com | — | external_scripts | background.js:67 |
| https://local.getmetastream.com | — | external_scripts | background.js:68 |
| http://localhost:8080 | — | external_scripts | background.js:69 |
| https://localhost:8080 | — | external_scripts | background.js:70 |
| https://developer.chrome.com/extensions/match_patterns | — | external_scripts | background.js:93 |
| https://*.netflix.com/* | — | external_scripts | background.js:178 |
| https://*.hulu.com/* | — | external_scripts | background.js:183 |
| https://www.dcuniverse.com/* | — | external_scripts | background.js:187 |
| https://docs.google.com/* | — | external_scripts | background.js:191 |
| https://drive.google.com/* | — | external_scripts | background.js:191 |
| https://www.disneyplus.com/* | — | external_scripts | background.js:195 |
| https://*.twitch.tv/* | — | external_scripts | background.js:199 |
| http://localhost:8080/#?${params.toString()}` | — | external_scripts | background.js:821 |
| https://*/* | — | external_scripts | background.js:856 |
Domain Inventory — All Sources
11 unique domain(s) extracted from code, manifest, and AST analysis.
Each domain is checked against Domain Intelligence and VirusTotal.
✓ Clean / Unknown (11)
| Domain | Source | Domain Intel | VirusTotal |
|---|---|---|---|
| *.hulu.com | JS code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| *.netflix.com | JS code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| *.twitch.tv | JS code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| app.getmetastream.com | JS codeURL in code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| clients2.google.com | manifest | BENIGN (Legitimate Infrastructure) | Not scanned |
| developer.chrome.com | JS codeURL in code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| docs.google.com | JS codeURL in code | BENIGN (Legitimate Infrastructure) | Not scanned |
| drive.google.com | JS codeURL in code | BENIGN (Legitimate Infrastructure) | Not scanned |
| local.getmetastream.com | JS codeURL in code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| www.dcuniverse.com | JS codeURL in code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
| www.disneyplus.com | JS codeURL in code | BENIGN (Unknown but no indicators) | 0 malicious, 0 suspicious, 0 harmless |
Advanced Malware Detection
Detection Verdict: MALWARE
Total Findings: 1 (1 critical, 0 high)
Analysis: Advanced behavioral analysis completed
Total Findings: 1 (1 critical, 0 high)
Analysis: Advanced behavioral analysis completed
⛔ CSP Manipulation Attack Detected
Removes Content-Security-Policy headers to enable remote code injection. This is a high-risk technique associated with malicious extensions.
DYNAMIC_CSP_REMOVAL
Severity: CRITICAL
Impact: Runtime CSP bypass for remote code injection
Evidence: background.js
IMMEDIATE REMOVAL REQUIRED
Threat Campaign Attribution (OSINT)
Attribution Confidence: NONE
No confirmed attribution to known campaigns
✓ No confirmed attribution to known threat campaigns based on OSINT research.
This does not mean the extension is safe - it may be a new campaign, unpublished threat, or benign software.
Continue with technical analysis to determine actual risk.
Ollama Security Assessment
Ollama assessment was not run. Re-run the analyzer with the --ollama flag (and ensure Ollama is running) to include an LLM security assessment in this report.
Prior Analysis History
NOTE: This extension was previously analyzed by this tool.
First Analyzed: 2026-04-21T06:15:47.336592+00:00
Previous Risk Score: 8.5/10
This is a local analysis record, not an external threat intelligence source.
First Analyzed: 2026-04-21T06:15:47.336592+00:00
Previous Risk Score: 8.5/10
This is a local analysis record, not an external threat intelligence source.
Previously Flagged Domains
Flagged Domains: 0
Dangerous Permissions:
- webRequest
Domain Intelligence Analysis
No suspicious domain patterns detected in static analysis
Technical Details
Extension ID
fakegmdomhmegokfomgmkbopjibonfcp
Version
2.3.0
Manifest Version
3
Permissions
9
Dangerous Permissions
webRequest
Can intercept all network requests
HIGH - Can spy on all your web traffic
<all_urls>
Access to ALL websites you visit
CRITICAL - Can read/modify all web pages
Dangerous Permission Combinations Detected
These permission combinations indicate potential malicious capabilities:
URL Harvesting Pattern
HIGH
Permissions:
tabs + storage
Can harvest visited URLs via tabs API and store them for later exfiltration
Traffic Interception
HIGH
Permissions:
webRequest + <all_urls>
Can intercept, modify, or block ALL web traffic including credentials
Universal Code Injection
CRITICAL
Permissions:
scripting + <all_urls>
Can inject JavaScript into ANY webpage - severe data theft risk
Threat Analysis
CSP Header Removal (declarativeNetRequest)
critical
REMOVES Content-Security-Policy header - CONFIRMED MALWARE TECHNIQUE that enables remote code execution
Context Analysis: This pattern is associated with 'CSP bypass' behavior. Review the code context to assess the actual risk.
Technique: CSP bypass
📍 background.js : Line 1
Tab URL to Network Sink 2x
high
Tab URL is accessed near a network call - review if URL data flows to external server
Context Analysis: This pattern is associated with 'URL exfiltration' behavior. Review the code context to assess the actual risk.
Technique: URL exfiltration
📍 background.js : Line 1
DNR Header Modification
high
Modifies HTTP headers via DeclarativeNetRequest - can remove security headers or inject tracking
Context Analysis: This pattern is associated with 'Header manipulation' behavior. Review the code context to assess the actual risk.
Technique: Header manipulation
📍 background.js : Line 1