The Extension Auditor

Real-time behavioral monitoring for your Chrome extensions. Suspicious network activity, permission drift, ownership changes.

Your extensions have a security guard now. HOW IT WORKS The Extension Auditor builds a behavioral baseline for every installed extension over 48 hours. It logs which domains each extension contacts, what kind of requests it makes, and how often. After the baseline period, any deviation triggers an instant alert if an extension that only talked to its own API for six months suddenly starts sending POST requests to an unknown server, you'll know immediately. WHAT IT DETECTS → Behavioral Drift: Flags extensions that suddenly contact new, suspicious domains or change their network patterns after weeks or months of normal behavior. → Data Exfiltration Attempts: Detects unusually large outbound payloads to undocumented endpoints — the signature pattern of data staging and theft. → Permission Changes: Alerts you when an extension silently gains new permissions through an update. → Ownership Transfers: Monitors for developer identity changes, homepage URL swaps, and major version jumps — the hallmarks of extension acquisition attacks. → Suspicious Domain Patterns: Identifies connections to raw IP addresses, known disposable TLDs, temporary hosting, and randomly generated subdomains. KEY FEATURES → Threat Map Dashboard: A real-time visual network graph showing every extension's outbound connections. Red pulsing nodes highlight suspicious new domains. See exactly which extensions are talking to which servers. → One-Click Disable: Every alert includes a button to instantly disable the offending extension — no digging through settings. → Native Chrome Notifications: Danger and warning alerts appear as system notifications so you never miss a threat. → Green/Yellow/Red Shield Indicator: The toolbar icon shows your overall security status at a glance, matching Chrome's own security UI patterns. → Community Threat Feed (Optional): Opt in to share anonymized domain-only signals. When multiple users detect the same extension contacting a new suspicious domain, everyone gets an early warning — before any security researcher publishes findings. → Zero Cloud Dependency: All detection runs locally on your machine. No account required. No data sent anywhere unless you opt into the community feed. WHO THIS IS FOR → Privacy-conscious users who want to know exactly what their extensions are doing behind the scenes. → Security professionals and IT administrators managing extension risk across teams. → Developers who install many extensions and want runtime verification, not just install-time permission reviews. → Anyone alarmed by the DarkSpectre, AiFrame, or CVE-2026-0628 extension campaigns. PRIVACY FIRST The Extension Auditor stores all behavioral baselines, traffic logs, and alert history locally on your device using Chrome's built-in storage. It never collects your browsing history, page content, URLs, or personal information. The optional community threat feed only transmits cryptographically hashed extension identifiers and domain names — never full URLs, page content, or anything that could identify you.