[TedDoesntTalk]

Remote loading of code has been banned by Google and Mozilla for several years now. The automated review tools pick up script injection and eval() calls. Unless you can craft something unique, you’re not going to get past the automated review.

I’m guessing the malware is something else besides a browser extension.

[asddubs]

stuff like setTimeout accepts strings too. I wonder how good those scanners are at detecting overwriting an initial innocent function that's later called in a timeout with a string, it can get fairly indirect

    let harmless = { func : function() { }, harmlessExternallyLoadedString : '' };
    let toAccess = 'func';
    //do stuff that seems legit
    if(true) {
        let toAccess = 'harmlessExternallyLoadedString';
    }
    harmless[toAccess] = 'alert(1);'; //imagine this being a fetch request
    //later on
    setTimeout(harmless.func, 1);

now imagine the logic for what othervar is set to is obfuscated a bit by a more complex logic tree, and the example was a bit less contrived.