Hacker News new | ask | show | jobs
by gnl 124 days ago
Couple of quick thoughts on how to protect yourself from having a formerly trustworthy extension go rogue on you:

- https://github.com/beaufortfrancois/extensions-update-notifi...

And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)

- brave://flags/#brave-extension-network-blocking

You can then create custom rules to filter extension traffic under brave://settings/shields/filters

e.g.:

  ! Obsidian Web
  *$domain=edoacekkjanmingkbkgjndndibhkegad
  @@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad
- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
2 comments
no-name-here 124 days ago
> Clone the GitHub repo, … build from source, update manually

I’d be ok to do that once per extension, but then I’ve got multiple PCs (m), multiple browser profiles (p), OS-reimages (r), and each extension (e) locally installed doesn’t sync — manually re-installing local extensions m x p x r x e times is too much for me. :-( (And that’s even if I’m only running Chrome, as opposed to multiple browser or Chromium derivatives.)

link
gnl 124 days ago
Yeah that one's too much for me too, I used to do this years ago, but not anymore. Especially since I found out Brave supports network blocking for extensions, which is something you generally set up once and then forget about it. I'm just giving people tools and ideas I didn't see mentioned elsewhere in the comments, it's up to everyone to figure out their particular threat scenarios and tradeoffs individually.

This could probably be automated though if someone wanted to tackle it. git pull, agentic code review, auto-build from source, install.

link
dotancohen 124 days ago 

  > Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
This is a great idea. Are there any deterministic tools to audit an extension codebase?
link
gnl 124 days ago
I don't know, but if there were, I wouldn't expect them to do anywhere near as good a job or – perhaps somewhat counterintuitively – be anywhere near as reliable. Static rules only go so far when it comes to this stuff. And assuming that you're starting from a trustworthy base, and Claude Code (or similar) can focus its attention on recent changes to the repo in particular, I imagine sneaking actual malware in there would be pretty hard without throwing up a bunch of red flags.

See also:

- [0-Days \ red.anthropic.com]( https://red.anthropic.com/2026/zero-days/ )

EDIT: The main challenge here is more likely to be the noise, as the LLM is more likely to flag too much than too little, so I'd recommend putting together a prompt that has it group whatever it finds by severity and likelihood of malicious intent.

EDIT 2: Re Anthropic link above – worth pointing out that finding intentionally introduced malware when you have access to the source code and git history is a hell of a lot easier than finding a 0-day. The malware has to exfil data eventually or do ransomware stuff, good luck hiding that without raising the alarm, plus any attempt at aggressive obfuscation will raise the alarm on its own. I'm not saying it's impossible, I am saying that I think it's very very hard.

link