How do Chrome extension ownership transfers work?

The Chrome Web Store allows developers to transfer extension ownership with minimal oversight. The new owner can push updates to all existing users immediately. There is no browser-level notification when ownership changes.

What percentage of popular Chrome extensions have changed owners?

A Q2 2024 Google Web Store audit found that 14.7% of extensions with 100K or more users have changed ownership at least once.

What is the AllBlock ownership transfer attack?

AllBlock changed ownership December 14, 2024. Two weeks later the new owner pushed an update that started harvesting clickstream data via a domain registered days before the transfer.

How can users protect themselves from malicious ownership transfers?

Currently the only tool is 'Under New Management' (GitHub, 634 stars), which requires manual periodic checks. Chrome has no native alert system. Users can also restrict extension permissions to specific sites.

← Back to dashboard

clawsmith.com/signal/ext-silent-ownership-transfer-weaponizes-trusted-extensions

⚠ IssueUnderservedbrowser_extensionLive

Trusted Chrome extensions silently change owners and turn malicious with no user warning

When Chrome extension developers sell or transfer their extensions, the new owner can push a malicious update to all existing users with zero notification. The Chrome Web Store has no ownership-continuity hash and no native alert for ownership changes. A March 2024 HN thread on the 'Under New Management' tool (783 pts) revealed that 14.7% of extensions with 100K+ users have changed owners. Real example: AllBlock changed from allblock@proton.me to woof@curlydoggo.com on December 14, 2024 and immediately started harvesting clickstream data. Trust Wallet's December 2025 supply chain attack drained $8.5M from 2,520 wallets via a compromised extension update. A GitHub tool (634 stars) was built specifically to detect owner changes, proving no native solution exists.

Product Idea from this Signal

A browser extension that alerts users when installed extensions change ownership, permissions, or code silently

1.5k ▲

Chrome extensions are routinely acquired after building trust, then repurposed to inject ads, steal credentials, or exfiltrate data. The Web Store shows no ownership-change notice, and users have no way to know a developer they trusted no longer controls the extension. This tool monitors every installed extension's publisher, permissions, and update fingerprint and immediately notifies the user the moment anything changes.

browser securityextension managementprivacyownership monitoringChrome

Competitive156 leadsView Opportunity →

Score Breakdown

821

GitHub

652

Social Proof 2 sources

Detect when your installed Chrome extensions have changed owners

3/6/2024

821 GH

classvsoftware/under-new-management - Detect when your installed extensions have changed owners

gh:classvsoftware · 3/1/2024

652

Existing Solutions 2 competitors

Under New Management634 GitHub stars. User-maintained, no active commercial product.

Chrome extension that alerts users when other installed extensions change their developer/publisher info.

LayerX Enterprise Extension SecurityEnterprise-only, Google Chrome Enterprise integration. Not available to individual users.

Enterprise product that risk-scores Chrome extensions and integrates with Chrome for Enterprise.

Gap Assessment

UnderservedExisting solutions leave gaps

Under New Management (GitHub, 634 stars) alerts on owner changes but is a manual check bandaid, not a proactive defense. LayerX provides enterprise extension risk scoring but is not a consumer product. No tool actively verifies that the entity maintaining your extension today is the same entity that built it.

Frequently Asked Questions

Virality Score

1,473

across 0 platforms

Details

Signalissue

Ecosystembrowser_extension

Sources2

Platforms0

Updated3h ago

Trend→ stable

Top ideas

All ideas →

0A mobile app that saves articles fully offline with a one-time purchase and no cloud subscription 0A CLI tool that benchmarks AI coding agents against a team's own real production tasks and codebase 0An MCP server that gives AI agents a production-grade browser session with built-in anti-bot bypass, CAPTCHA resolution, and stateful session recovery