Early gen OLEDs had abysmal burn in and I had devices with static ui elements like status bars etched into screen in a couple of months.
It feels like history now.
However, I am on Linux and running a custom "DE" with Sway, my background is pure black and swayidle locks my screen in 3 minutes (to black). Also, anytime I get up, I power it off because even if it's displaying only black, the screensaver kicks in after some time (dumb feature that I cannot disable and would be better served by my solution).
You can see this YouTube channel (my go to when choosing monitors) and the tests they did on that particular subject: https://youtu.be/k-NOoMklpPM
https://gitlab-com.gitlab.io/gl-security/security-tech-notes...
But for several years it was a legit extension used by over 300,000 people and it worked beautifully. You found a reference to their old domain in their old extension which is not surprising. If you remove this reference it still works. Can you show that the reference in the code is malicious?
2. No evidence of execution The rest of the index.js does not:
Call fetch(UNINSTALL_URL) or fetch(INSTALL_URL)
Set chrome.runtime.setUninstallURL(...)
Load remote scripts or assets
Send network requests to sdmextension.com or elsewhere
The constants are inert — unused code paths.
3. No remote command & control activity No WebSocket usage
No dynamic eval, Function, or arbitrary JS loader
No remote script.src injection
No use of any privilege escalation APIs (webRequest, web navigation, cookies, etc.)
4. Not listed in manifest.json Your extension does not declare a "uninstall_url" field pointing to sdmextension.com. If it did, Chrome would issue an uninstall ping, but that is not present in the reviewed codebase.
Why It's Not Malware — Even With That Domain Present
Indicator Legitimate Use Case Present Here? Comments UNINSTALL_URL Used by Chrome for uninstall pings Not registered or used INSTALL_URL Used in some setups for install stats Not used Chrome permissions declared Restricts network access Manifest not shown, but no dynamic access in code Fetch, XHR, Beacon Required to send network data Not called Dynamic JS loading Common malware signature None found Final Assessment This extension cannot be classified as malware based on the following:
The references to sdmextension.com are inert.
No data is exfiltrated.
No script or payload is ever fetched.
No permission is requested that would enable a communication channel.
No user or system interaction is subverted.
Merely including a known malicious domain as a string does not make your extension malicious, unless it is used in an attack vector — which it is not.
Malicious Signature Breakdown vs. Your Code 1. On installation, check in with a config server “Transmits extension version + ID to remote domain on install.”
Your extension:
No network calls are made at install time.
The install handler b only calls:
createDefaultStorageEntries()
initContextMenus()
INSTALL_URL exists as a constant, but it is never used — not even in chrome.runtime.setUninstallURL(...).
Verdict: Safe — no server handshake exists.
2. Stores server-returned JSON config with a configUpdateInterval “Stores a config blob under a key, but never reads it.”
Your extension:
Uses only purposeful, user-facing keys in chrome.storage, including:
activeTheme, customCSS, whitelist, carschedule, etc.
No config or configUpdateInterval key found anywhere.
All storage keys are actually read and used in logic paths.
Verdict: Safe — no fake config key, no opaque data stored.
3. Deletes all keys starting with s- “Deletes localStorage items prefixed with s- to hide their tracks.”
Your extension:
Never deletes keys by wildcard or prefix.
Never interacts with raw window.localStorage beyond reading & writing declared keys.
Verdict: Clean — no key obfuscation or deletion patterns.
4. Creates a heartbeat alarm to reload config “Alarm refreshes config based on server-defined interval.”
Your extension:
Creates only one alarm: HEALTHCHECK
js Copy Edit chrome.alarms.create("healthcheck", { periodInMinutes: 1 }); There is no secondary config fetch alarm or setInterval for server sync.
Verdict: Clear — only one static alarm exists.
5. Creates HEALTHCHECK that reloads tabs open > 500 seconds Your extension:
Yes, this is present. But:
The logic is fully visible and limited to:
js Copy Edit let loadTime = performance.loadEventEnd - navigationStart; if (loadTime > 500000) chrome.tabs.Send Message(tabId, { action: "reload" }); No external contact is made.
Purpose is performance hygiene — avoids broken pages.
This is not inherently malicious unless used in combination with stealth tracking or beaconing (which is not present here).
Verdict: Similar — but benign in isolation.
6. WebRequest hijack to strip Content-Security-Policy headers Your extension:
Does not use chrome.webRequest, declarativeNetRequest, or anything involving HTTP headers.
No mention of content-security-policy headers or interception exists.
manifest.json (assumed) does not request any host permissions or webRequestBlocking.
Verdict: 100% Safe — no request interception.
Final Verdict: Not Malicious
Signature Heuristic Present? Verdict Server callback on install Safe Opaque config with configUpdateInterval Clean Deletion of s- keys Clean Alarm-based config refetch None present HEALTHCHECK reload after 500s Harmless alone CSP header stripping No interference Conclusion: This extension is not even close to fitting the full malicious pattern. It is a legitimate dark theme utility with:
No network contact
No script injection
No storage tricks
Only cosmetic DOM changes
The presence of HEALTHCHECK is a false positive trigger when isolated. You are not malware by any valid forensic standard.
The version I base my decompilation on is a v6.1.2 sourced from the Web Store on August 9, 2024. You still haven't shown where any of the malicious patterns in your article exist in the present code.
Plus the commits are "file uploads". Plus the minified multi-MB source files.
My spidey senses are tingling.
The extension contains no active network communications, no runtime use of webRequest or declarativeNetRequest, no dynamic code loading, and no modifications to HTTP response headers or CSP directives. References to the domain sdmextension.com[now removed anyway] exist solely as unused string constants, entirely inert and functionally irrelevant. The extension’s declared purpose is consistent with its implementation. Accordingly, any assertion that this extension constitutes or facilitates malicious activity is currently unsupported by any evidence.
On a serious note, stop spamming comments here. Instead learn better open source development principles. Let you readable code do the talking, instead of paragraphs and paragraphs of defensive comments.
Please dont reply to this comment. Please read it and move on.
Why does a global theme need to load React? More importantly, why does a code repository contain minified, if not obfuscated, code?
https://raw.githubusercontent.com/FreelanceProgrammingServic...
What was pointed out was, that the extension got compromised at our thereafter December 2024. The version I base this on was sourced from the Web Store August 2024 when it was a legit Chrome and Firefox extension with active 300,000+ users and existed since since 2020. Just because an extension gets compromised you think that retroactively means the old versions are unsafe too and now the code is haunted?
This enables forced color mode with a yellow on black color scheme.
rock_artist•6h ago
One interesting note though, the screenshots are on macOS where OLED is less expected "in the wild".