browser-bridge
Audited by Socket on May 6, 2026
4 alerts found:
Security
Malware x3
From the manifest alone, this extension is capable of sensitive operations: cookie access, global injection across all URLs/all frames at document_start in the MAIN world, and deep tab inspection via the ‘debugger’ permission (CDP). While malicious intent (e.g., exfiltration) cannot be confirmed without the referenced JS files, the permission breadth and execution timing are strong risk indicators and should be reviewed for outbound transmission or covert collection logic.
This fragment is strongly indicative of sensitive cookie harvesting. It requests cookies for the currently active tab via privileged extension messaging, displays raw cookie values in the UI, and copies the resulting cookie header string to the system clipboard. While the snippet shows no direct network exfiltration or obfuscation, the handling of authentication/session cookies and clipboard export are high-risk and could enable session hijacking/credential misuse if the extension is malicious, overly broad, or lacks strong user consent/necessity controls.
This module exhibits a strong remote-control/backdoor pattern: it accepts arbitrary JavaScript over a WebSocket channel, executes it in targeted browser tabs using eval/AsyncFunction in the page MAIN context, escalates to chrome.debugger Runtime.evaluate for CSP/context bypass, and sends execution results plus tab browsing metadata back to the controller. The localhost-only WebSocket reduces exposure to the wider network, but does not mitigate the fundamental high-risk behavior (remote code execution + privileged debugger usage + data transmission).
This module is highly suspicious and likely security-relevant: it explicitly removes the page’s CSP meta tags and establishes a DOM-triggered channel that forwards untrusted JSON commands to a Chrome extension with capabilities suggestive of sensitive data access (cookies) and powerful browser control/debugging (CDP/tabs/batch). It also reflects extension responses back into the page DOM, creating a data exposure path. Treat as a potential backchannel/data theft mechanism unless the extension’s behavior is independently verified as legitimate for a narrow user workflow.