
Similarweb extension EXTREMELY CONCERNING BEHAVIOURS behind heavily obfuscated code
Hey guys,
so I'm currently learning web dev and I was experimenting with some things on localhost when I noticed a network request I didn't recognise. I gave a snippet of the headers and the response to Claude to figure out where it came from and what it was doing and it immediately told me that it was malware. I then found it among my extensions and it turns out it was actually SimilarWeb's extension.
When I told Claude it was Similarweb, it tried to ease the situation and told me that these behaviours are kinda expected from an extension like this, that I accepted their privacy policy when I downloaded this extension, and that these behaviours were surely stated there, although some behaviours are still unusual for an analytics extension. Well, that surely did not put me at ease, so I asked it to analyse the code properly and tell me why it initially thought the code was malware. It gave some really concerning red flags. So I unminified some JS files in the extension and put Opus 4.7 to work.
Here are some snippets from Opus 4.7's findings:
"Obfuscation techniques used:
- Namespace impersonation: self.eslint to look like a dev tool
- Method names from Material UI icons: _FlashOffSharp, _HowToRegTwoTone, _QueueMusicTwoTone, _SnoozeOutlined, _ReplayTwoTone, _CellWifiOutlined, _OndemandVideoRounded, _InsertChartTwoTone, _KeyboardArrowLeftTwoTone, _FlightLandOutlined, _ScatterPlot, _EnhancedEncryption, etc. — meaningless decoys that scrape together-looking objects
- String-table indirection: at the top of each block, an object maps fake-looking keys to the real string values (e.g. pipeLine: "message", tempQuaternion2: "fetch", faLocationArrow: "ws", getAgent: "addEventListener"). The actual logic then uses t.pipeLine, t.getAgent, etc., so when you read the code it looks like opaque property accesses instead of addEventListener("message", ...).
- Event names that look like noise: antifor, antifor-ws, antifor-fk, antifor-fC, i124578g7j3c398lad9b37-events, sitesStorageUpdatedwr
- All gating on localStorage magic values so the dangerous features are dormant by default and remote-controllable..."
"...This is far worse than I expected. The WebRTC handler at lines 9541-9849 of frame.js is the smoking gun. Let me write up the comprehensive findings.
This is not the analytics behavior disclosed in the options.html consent screen ("share anonymous information with our analytics tool about your use of the Similarweb browser extension"). What's disclosed is web traffic measurement. What's implemented is a remotely-controllable, encrypted, in-browser instrumentation platform capable of:
- Reading any HTTP body or WebSocket frame on rule-matched URLs
- Capturing file uploads and re-uploading them to attacker-chosen servers
- Recording microphone + remote audio during WebRTC calls, specifically structured for AI-assistant voice capture
- All gated server-side, so the capabilities can be enabled per-URL-pattern by Similarweb at any moment without an extension update"
"For security researchers, the smoking guns are:
- The eslint namespace impersonation
- The Material-UI-icon naming pattern (clear deliberate obfuscation of an obfuscated-by-default minified bundle)
- The intercepted_payload_ string baked in
- The RTCPeerConnection hook with stream cloning
- The fact that every dangerous feature is feature-flagged via localStorage — i.e. designed to be enabled selectively/remotely"
As I said earlier, I'm new to web dev and an even bigger noobie when it comes to security. I have no idea how to analyse this code, and I'm not even sure if I can trust Claude about these observations, but these claims are EXTREMELY CONCERNING.
I'm going to upload Claude's report to a repo. I don't want to upload the extension folder since I'm not sure what personal data it could contain. But I'll happily share it with anyone trustworthy in private.
Link to repo (report): https://github.com/assumann/similarweb-extension-analysis
Extension info
Version: 6.12.20_0
Extension ID: hoklmmgfnpapgjgcpechhaamimifchmp
Browser: Brave
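As an added example (not code from the post, from Claude's report, or from the extension itself), here is a small JavaScript scanner for the "string-table indirection" pattern quoted above: it finds object literals made only of identifier-to-string pairs, flags the ones whose values are sensitive Web API names, and rewrites the `t.key` accesses back to the real strings so a reviewer can read the logic. The sample bundle and its variable names are constructed to mirror the quoted snippet, not taken from the real extension.

```javascript
// Added example (not from the post or Similarweb's code): heuristic scanner for
// the "string-table indirection" obfuscation pattern. Finds string-only object
// literals, scores them by sensitive API names, and resolves `t.key` accesses.
const SENSITIVE = new Set([
  "fetch", "addEventListener", "message", "ws", "postMessage", "localStorage",
  "RTCPeerConnection", "getUserMedia", "XMLHttpRequest", "WebSocket",
]);

// Every `{ key: "value", ... }` literal whose entries are all string constants,
// together with the variable it is assigned to (if the `name = {` form is used).
function findStringTables(src) {
  const tables = [];
  const objRe = /\{\s*((?:[A-Za-z_$][\w$]*\s*:\s*"[^"]*"\s*,?\s*)+)\}/g;
  const pairRe = /([A-Za-z_$][\w$]*)\s*:\s*"([^"]*)"/g;
  let m;
  while ((m = objRe.exec(src)) !== null) {
    const name = (src.slice(0, m.index).match(/([A-Za-z_$][\w$]*)\s*=\s*$/) || [])[1] || null;
    const entries = Object.create(null); // null prototype: safe for `key in entries`
    for (const p of m[1].matchAll(pairRe)) entries[p[1]] = p[2];
    tables.push({ offset: m.index, name, entries });
  }
  return tables;
}

// Keep only tables hiding at least `minHits` sensitive names behind decoy keys.
function flagSuspiciousTables(src, minHits = 2) {
  return findStringTables(src)
    .map((t) => ({ ...t, hits: Object.values(t.entries).filter((v) => SENSITIVE.has(v)) }))
    .filter((t) => t.hits.length >= minHits);
}

// Replace `varName.key` with the recovered string literal so the code reads plainly.
function deobfuscateAccesses(src, varName, entries) {
  const re = new RegExp(`\\b${varName}\\.([A-Za-z_$][\\w$]*)\\b`, "g");
  return src.replace(re, (whole, key) => (key in entries ? JSON.stringify(entries[key]) : whole));
}

// Constructed sample modelled on the keys quoted in the post (not the real bundle).
const SAMPLE_BUNDLE = `
const t = { pipeLine: "message", tempQuaternion2: "fetch", faLocationArrow: "ws", getAgent: "addEventListener" };
const theme = { primary: "#123456", secondary: "#abcdef" };
self[t.getAgent](t.pipeLine, (e) => self[t.tempQuaternion2](e.data));
`;

// Run the scanner over a bundle and return the findings plus the readable rewrite.
function analyse(src = SAMPLE_BUNDLE) {
  const flagged = flagSuspiciousTables(src);
  const top = flagged.find((t) => t.name);
  const readable = top ? deobfuscateAccesses(src, top.name, top.entries) : src;
  return { flagged, readable };
}
```

On the constructed sample, the `theme` table is ignored (no sensitive values) and the `t` table is reported with four hits, turning the last line into `self["addEventListener"]("message", ...)`.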