
Chrome Extension ID cmedhionkhpnakcndndgjdbohmhepckk Retains Remote Scriptlet Activation Path Since Feb 2025
A YouTube ad blocker with 10M installs retains an inactive but remotely activatable path for arbitrary JavaScript execution, present since February 2025. Its code history, related takedowns, and permission model indicate an elevated supply-chain risk that current store processes do not address. Activation would enable cross-origin data access without user-visible updates.
Store operators must now decide between revoking the Featured badge or requiring manifest changes that eliminate remote scriptlet loading. Independent audits of the remaining 30k+ ad-blocking extensions show similar remote rule engines in at least four additional packages exceeding 1M installs. Users should pin extension versions and monitor network requests to the configuration endpoint until remediation occurs.
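For the user-side advice above, the following added example (not code from the extension or from the cited sources) audits the copies of the extension installed in a Chrome profile: it lists each version on disk, flags manifests that combine broad host access with a script-injection API, and reports versions that differ from an approved one. It assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the function names, the permission sets and the sample manifests are constructed for illustration and do not describe the real extension's manifest.

```python
import json
from pathlib import Path

EXT_ID = "cmedhionkhpnakcndndgjdbohmhepckk"  # extension ID from the page title
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: API permissions treated here as page-injection capable.
INJECTION_APIS = {"scripting", "userScripts", "debugger"}

def audit_extension(profile_dir, ext_id=EXT_ID):
    """Return one finding per installed version of ext_id in a Chrome profile."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions" / ext_id
    for path in sorted(ext_root.glob("*/manifest.json")):
        m = json.loads(path.read_text(encoding="utf-8"))
        perms = {p for p in m.get("permissions", []) if isinstance(p, str)}
        hosts = perms | set(m.get("host_permissions", []))
        for script in m.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        broad = sorted(hosts & BROAD_HOSTS)
        apis = sorted(perms & INJECTION_APIS)
        findings.append({
            "version": m.get("version"),
            "broad_hosts": broad,
            "injection_apis": apis,
            # Broad host access plus an injection API means code supplied at
            # run time could execute in any origin the user visits.
            "needs_review": bool(broad and apis),
        })
    return findings

def unexpected_versions(findings, pinned_version):
    """Versions on disk that differ from the one that was approved."""
    return [f["version"] for f in findings if f["version"] != pinned_version]

def build_sample_profile(root):
    """Constructed sample: two installed versions with made-up manifests."""
    samples = {
        "1.0.0_0": {"version": "1.0.0", "permissions": ["storage"],
                    "host_permissions": ["*://*.youtube.com/*"]},
        "1.1.0_0": {"version": "1.1.0", "permissions": ["storage", "scripting"],
                    "host_permissions": ["<all_urls>"]},
    }
    for folder, manifest in samples.items():
        d = Path(root) / "Extensions" / EXT_ID / folder
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

A manifest audit shows what the extension is permitted to do, not whether the remote path has been switched on; that still requires watching the extension's network requests as described above.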
Chrome Web Store: Extension removed or permissions restricted within 45 days of disclosure
Sources (3)
- [1] Primary Source (https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html)
- [2] Supporting Source (https://unit42.paloaltonetworks.com/adware-extension-clusters-2025/)
- [3] Supporting Source (https://chromewebstore.google.com/detail/cmedhionkhpnakcndndgjdbohmhepckk)