Malicious Chrome extensions have been a steady source of incidents — credential capture, data exfiltration, ad injection, and lately a wave of extensions caught running crypto miners on the side. Most of these were installed legitimately, then went bad after an ownership change or an update.
Static scanning the extensions directory finds the obvious cases.
A clean scan doesn't mean an extension is safe. It means it doesn't match Blue Lantern's malware patterns today.
Prerequisites
- The Blue Lantern on-prem toolkit installed (the SaaS API also supports static scanning if you'd rather not run it locally).
- Credits allocated (or auto-refresh enabled).
Find your extensions directory
Extension storage paths by platform:
- macOS: ~/Library/Application\ Support/Google/Chrome/Default/Extensions
- Linux: ~/.config/google-chrome/Default/Extensions/
- Chromium: ~/.config/chromium/Default/Extensions
- Windows: C:\Users\<Your_User_Name>\AppData\Local\Google\Chrome\User Data\Default\Extensions
Running the scan
Point the scanner at the directory:
bluelantern --target ~/Library/Application\ Support/Google/Chrome/Default/Extensions run malware-analyzer scan
Results are written to your configured data directory. Run bluelantern ui to browse them at http://localhost:9090/results.
If anything matches, the next step is figuring out which extension owns the matched files. Extensions live in subdirectories named by their Chrome extension ID, so a quick lookup against the Chrome Web Store will tell you what you're dealing with.
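That lookup step can be automated. The script below is an added example, not Blue Lantern's code or part of the original page: it assumes the scanner reports the absolute path of each matched file, walks back up to the Extensions/<id>/<version>/ directory, validates the ID format, and reads name and version from that directory's manifest.json, resolving the __MSG_key__ localized names many extensions use. The sample profile tree it builds is constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Chrome extension IDs are 32 characters drawn only from a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")


def locate_extension(matched_file: str):
    """Find the Extensions/<id>/<version>/ directory that owns a matched file.
    Uses the host OS path separator; returns (ext_id, version_dir) or None."""
    parts = Path(matched_file).parts
    for i, part in enumerate(parts[:-3]):  # need id, version and file after it
        if part == "Extensions" and EXT_ID_RE.fullmatch(parts[i + 1]):
            return parts[i + 1], Path(*parts[: i + 3])
    return None


def _resolve_msg(value, ext_dir: Path, manifest: dict):
    """Resolve '__MSG_key__' via _locales/<default_locale>/messages.json."""
    m = re.fullmatch(r"__MSG_(\w+)__", value or "")
    if not m:
        return value
    msgs_path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(msgs_path.read_text(encoding="utf-8-sig"))[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return value  # keep the placeholder if the locale file is missing or malformed


def identify_extension(matched_file: str) -> Optional[dict]:
    """Map a matched file path to {id, version_dir, name, version}."""
    loc = locate_extension(matched_file)
    if loc is None:
        return None
    ext_id, ext_dir = loc
    info = {"id": ext_id, "version_dir": ext_dir.name, "name": None, "version": None}
    try:  # utf-8-sig tolerates the BOM some manifests ship with
        manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return info  # the ID alone is still enough for a Web Store lookup
    info["name"] = _resolve_msg(manifest.get("name"), ext_dir, manifest)
    info["version"] = manifest.get("version")
    return info


def build_sample_profile() -> str:
    """Constructed sample tree (not a real extension) with a localized name; returns a 'hit' path."""
    ext = Path(tempfile.mkdtemp()) / "Extensions" / ("a" * 16 + "b" * 16) / "2.0.1_0"
    (ext / "_locales" / "en").mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_extName__", "version": "2.0.1", "default_locale": "en"}))
    (ext / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"extName": {"message": "Sample Helper"}}))
    (ext / "background.js").write_text("// constructed sample file\n")
    return str(ext / "background.js")
```

Running identify_extension() over each matched path in the results gives you the ID to paste into the Web Store lookup together with the installed name and version, which is what you need to decide whether the match is the extension you think it is.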