index.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"> 
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>ExtSentry - Browser Extension Threat Intelligence</title>
<meta name="description" content="Community-driven browser extension threat intelligence. IOC feeds for malicious and sensitive browser extensions across 16+ security platform formats.">
<link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAF5UlEQVR42u1Wa2yUZRZ+zvtd5sZ02pleKHRKaVpUYMFYuhtQLMo9Ij/UifGHITEBjSZ7VbIL2cxOdtHVH2yNsdHdKFGjaAEh+ENijDrGC0QroECltNR2Wra009K5d+b73vfsD0BZYcoiyo+NJ9+PL2++fM85z3mfcx7g5/iBweGw4PZ2jQHB4Rb9JwULA4IB+hb8gvdLfh+GCIchfix8+n7lIMLEk79u5Pat2+TTf9zHz256mJkFMxO3fMfG5RK9PM3nfvCHG2c2v7JqVUk4HBbMrKU8nir76T/38/6dzPcvZb7nFubIhq1dqxocAKFt4XUrW1ctaD7PxmQYYtLKmQFgStosefu2iuz6SCSi8PZq/aVMJnQ8+mkQr78xITu7LHzdLe0jX989fV93gJv4pmCg/Ln5FVX/4ApMAcL4QQmEAEFEPN01ZfWoRYEj5PvrJzeWb0LtmrIj19WJPcdPMrp7Da3v37rlC2jdsWG/e23dC3tF9d5BV0VdYXBgAWq9cyKRiOJJcIr2qKWlRY9Go/acmrpHC6nxpx5ctlidiY9o99XI1PVeh7QSqtTZ0QlrKAHb5YaaNRXtlkKnpwaHemP8kJ4ev2uaWN0x6/QXTf+ETQBfCqe4fKJRAIA2erpgOF30+K635K0NM2Aapld1JUBjOWSHM1A2c1ZlkTrai1JzityXjyOQz+prVtcCfaecTWdCCthRFGZS/TKzdpOmafdNDeCXzTWiMj6kNQ5nAMPk8aRFIxnFEoDTKZDMCcw7k9B/z4Db74QVGx4weydOnFh4UG8ECld8B9IAEZHsUypR4yvF7Uua9bk62o4nc9usREpS2rJsEGIKGMlKVZmzZJzRswBYV64bPDG9LIhfTXuk+sVuHwFcTJKiSOXUAVj8zObQy6Hld1YYSqpDh2EPjqYD996w23joHn0w4DHGAJUShLwAmfcv1es3Lz2ZBz72M0gZQV+hfN4m17plr3IJ/GC+5Fy4qAXtoZBGRPK1hobfoeebrXcUxmCJhJIfdioS5gZ919HP0LqoVcwvy48MJtfZoKpEQGur2NDswPjgnq8Ikfm25JEdn9rvMOs3L5+7pG7ljFoiGjunBp5MBYSzdGnh6hldm2d7guahY5xJwujXNVjg5DTwsJbjRB8wMwcEMgAHBeX9ivePAp6EQH0e5O83hOyxFC+sdhorbvAsoXfjUQ5DUATqci0ghELoSeXsvx+KGW3Saf7J7UKqxM1+CZE26Qm9TN/pcdOxoIvG5uggr8H9bGqDwVLjmX5CrMtt0OuGpo+awvggUdiOE/EDAAiRS0vxosUDACtN79rZMD7XgBMrS93qsxqfdZzAX7roC/6Xpwo6wPMxnauxGAJgnm3uCtDfWgn8uMcoNAAnq4AtF7B85XuBBGEx8Ntnayu5b1pZ4SNDyA6duK9S5LmJWnkZfgED4Fv1jQeD4tRGAV4PqC1ufWKnz1EPANwAx2RLqZgMKQyYSipqBAxdMuJZC5alSNgsx4aVeexL/s3B/fRhp48ORw/YT26PqeoBBTkBEGlCWk6o/hUl/h0meLLSiw0i9jeAhEa8AkL2smYvC3jtnFJIg7VC3lKZvK10i0sLaZTGHEbB7WTMIoKfwFOdpjvFlgiWU2lyAGmgeO+LTsI3uyEZQIluaoeHx/T1Lk23pUKGGRtnTOWKnlNaTCrlKPfyO5ZtDucK8BDgJKAikTtwd0EO0Wv57OU8QdEEojgrl6w9sWcIsAdTQBKguU7HA4tsOSeulBwCYEsWPpdzdzSRe68SMLxA7jSw/SUg+34LdIrCvipTop27JUSAIODBMv/BQn25PQBYbwLZvQ6NP6kPPKYLwKkRcPa5yMZd8To+H883wTjSATEEMGpqNHF6/PAtfkfj9bAwks2jn1XyaNpq3rKiJN4zqsRfOtLjSwAVwX8PnKu2ZufnQ5vb17Qc4r2ZgmLzNBGtBRYJAkKAdi3c+LeMrQW85w/O0S2u2oT+rxY9/N38oAsqJ1zDoGsN+HP8/8Z/AEvenPDa70lmAAAAAElFTkSuQmCC">
<link rel="preconnect" href="https://fonts.googleapis.com">
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@400;500;600;700&family=IBM+Plex+Sans:wght@400;500;600;700;800&display=swap" rel="stylesheet">
<script crossorigin src="https://cdnjs.cloudflare.com/ajax/libs/react/18.2.0/umd/react.production.min.js"></script>
<script crossorigin src="https://cdnjs.cloudflare.com/ajax/libs/react-dom/18.2.0/umd/react-dom.production.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<style>
*{box-sizing:border-box;margin:0;padding:0}
::-webkit-scrollbar{width:6px;height:6px}
::-webkit-scrollbar-track{background:#0a0c10}
::-webkit-scrollbar-thumb{background:#21262d;border-radius:3px}
::selection{background:#58a6ff33}
input:focus,button:focus,textarea:focus{outline:none}
code{font-family:"IBM Plex Mono",monospace}
strong{color:#e6edf3;font-weight:600}
body{margin:0;background:#0a0c10;color:#c8ccd4;font-family:"IBM Plex Sans",system-ui,sans-serif}
</style>
</head>
<body>
<div id="root"></div>
<script>
const {
  useState,
  useMemo,
  useCallback
} = React;
let RAW_MAL = [];

let RAW_SENS = [];
const parse = r => ({
  name: r[0] || r[6] || r[1],
  id: r[1],
  wildcard: r[2],
  category: r[3],
  severity: r[4],
  link: r[5],
  comment: r[6],
  sha256: r[7] || ''
});
let DATA_MAL = RAW_MAL.map(parse);
let DATA_SENS = RAW_SENS.map(parse);
let CATS_MAL = _.countBy(DATA_MAL, 'category');
let CATS_SENS = _.countBy(DATA_SENS, 'category');
const CAT_COLORS = {
  malware: '#f85149',
  compromised: '#db6d28',
  scam: '#d29922',
  PUP: '#a371f7',
  cryptocurrency: '#58a6ff',
  'PROXY/VPN': '#58a6ff',
  RMM: '#6e7681',
  'Credential Access': '#f85149',
  'Defense Evasion': '#a371f7',
  'password manager': '#3fb950'
};
const SV = {
  malicious: 'CRITICAL',
  phishing: 'HIGH',
  deceptive: 'HIGH',
  offensive: 'MEDIUM',
  greyware: 'MEDIUM',
  sensitive: 'LOW',
  privacy: 'LOW',
  'Defense Evasion': 'HIGH'
};
const SVC = {
  CRITICAL: '#f85149',
  HIGH: '#db6d28',
  MEDIUM: '#d29922',
  LOW: '#3fb950'
};
const PAGE_SIZE = 50;
const mono = "'IBM Plex Mono', monospace";
const sans = "'IBM Plex Sans', system-ui, sans-serif";
const S = {
  page: {
    background: '#0a0c10',
    color: '#c8ccd4',
    minHeight: '100vh',
    fontFamily: sans
  },
  card: {
    background: '#0d1117',
    border: '1px solid #1b1f27',
    borderRadius: 10,
    padding: 20
  },
  code: {
    fontFamily: mono,
    fontSize: 12,
    background: '#0d1117',
    border: '1px solid #1b1f27',
    borderRadius: 8,
    padding: '16px 20px',
    overflowX: 'auto',
    lineHeight: 1.75,
    color: '#8b949e',
    whiteSpace: 'pre-wrap',
    wordBreak: 'break-all'
  },
  dot: c => ({
    width: 7,
    height: 7,
    borderRadius: '50%',
    background: c,
    display: 'inline-block',
    flexShrink: 0
  }),
  tag: c => ({
    display: 'inline-flex',
    alignItems: 'center',
    gap: 4,
    fontSize: 10,
    fontWeight: 600,
    fontFamily: mono,
    padding: '3px 10px',
    borderRadius: 12,
    background: c + '12',
    color: c,
    letterSpacing: '0.3px'
  })
};
function Code({
  children
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: S.code
  }, children);
}
function Callout({
  type,
  children
}) {
  const cfg = {
    tip: {
      border: '#3fb950',
      icon: 'TIP'
    },
    warn: {
      border: '#d29922',
      icon: 'WARN'
    },
    critical: {
      border: '#f85149',
      icon: 'CRIT'
    },
    info: {
      border: '#58a6ff',
      icon: 'NOTE'
    }
  };
  const c = cfg[type] || cfg.info;
  return /*#__PURE__*/React.createElement("div", {
    style: {
      borderLeft: '3px solid ' + c.border,
      padding: '12px 16px',
      margin: '12px 0',
      background: '#0d1117',
      borderRadius: '0 8px 8px 0'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 8,
      alignItems: 'flex-start'
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 10,
      fontWeight: 700,
      color: c.border,
      fontFamily: mono,
      letterSpacing: '0.5px',
      marginTop: 2,
      flexShrink: 0
    }
  }, c.icon), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12.5,
      color: '#b1bac4',
      lineHeight: 1.7
    }
  }, children)));
}
function PathLine({
  children,
  note
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'baseline',
      gap: 8,
      padding: '4px 0',
      fontSize: 12,
      fontFamily: mono
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      color: '#484f58',
      flexShrink: 0
    }
  }, "▸"), /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff',
      wordBreak: 'break-all'
    }
  }, children), note && /*#__PURE__*/React.createElement("span", {
    style: {
      color: '#484f58',
      fontSize: 11,
      fontStyle: 'italic',
      flexShrink: 0
    }
  }, note));
}
function Section({
  title,
  children
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      marginBottom: 16
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 13,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 14,
      paddingBottom: 12,
      borderBottom: '1px solid #1b1f27'
    }
  }, title), children);
}
function MiniTable({
  headers,
  rows
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: {
      overflowX: 'auto',
      borderRadius: 8,
      border: '1px solid #1b1f27',
      margin: '10px 0'
    }
  }, /*#__PURE__*/React.createElement("table", {
    style: {
      width: '100%',
      borderCollapse: 'collapse',
      fontSize: 12,
      fontFamily: mono
    }
  }, /*#__PURE__*/React.createElement("thead", null, /*#__PURE__*/React.createElement("tr", null, headers.map((h, i) => /*#__PURE__*/React.createElement("th", {
    key: i,
    style: {
      padding: '8px 12px',
      textAlign: 'left',
      color: '#484f58',
      fontWeight: 600,
      borderBottom: '1px solid #1b1f27',
      background: '#0d1117',
      fontSize: 10,
      letterSpacing: '0.5px',
      textTransform: 'uppercase'
    }
  }, h)))), /*#__PURE__*/React.createElement("tbody", null, rows.map((row, i) => /*#__PURE__*/React.createElement("tr", {
    key: i
  }, row.map((c, j) => /*#__PURE__*/React.createElement("td", {
    key: j,
    style: {
      padding: '7px 12px',
      borderBottom: '1px solid #0d1117',
      color: j === 0 ? '#e6edf3' : '#8b949e',
      background: i % 2 === 0 ? 'transparent' : '#0d111708'
    }
  }, c)))))));
}
function CheckItem({
  children
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 10,
      padding: '6px 0',
      fontSize: 12.5,
      color: '#b1bac4',
      lineHeight: 1.6
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      color: '#484f58',
      fontSize: 14,
      flexShrink: 0,
      marginTop: -1
    }
  }, "▢"), /*#__PURE__*/React.createElement("span", null, children));
}
function StepCard({
  num,
  title,
  children
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      marginBottom: 12
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      marginBottom: 10
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      width: 28,
      height: 28,
      borderRadius: '50%',
      background: '#58a6ff15',
      border: '1px solid #58a6ff33',
      display: 'flex',
      alignItems: 'center',
      justifyContent: 'center',
      fontSize: 13,
      fontWeight: 700,
      color: '#58a6ff',
      fontFamily: mono,
      flexShrink: 0
    }
  }, num), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#e6edf3'
    }
  }, title)), children);
}
function OsToggle({
  os,
  setOs
}) {
  return /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 4,
      marginBottom: 14
    }
  }, ['windows', 'macos', 'linux'].map(o => /*#__PURE__*/React.createElement("button", {
    key: o,
    onClick: () => setOs(o),
    style: {
      background: os === o ? '#161b22' : 'transparent',
      border: os === o ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      color: os === o ? '#58a6ff' : '#6e7681',
      padding: '5px 12px',
      borderRadius: 6,
      cursor: 'pointer',
      fontSize: 11,
      fontWeight: os === o ? 700 : 400,
      fontFamily: mono
    }
  }, o === 'windows' ? 'Windows' : o === 'macos' ? 'macOS' : 'Linux')));
}
function GhBtn({
  href,
  label
}) {
  return /*#__PURE__*/React.createElement("a", {
    href: href,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      display: 'inline-flex',
      alignItems: 'center',
      gap: 6,
      padding: '5px 12px',
      background: '#161b22',
      border: '1px solid #30363d',
      borderRadius: 6,
      color: '#c8ccd4',
      fontSize: 11,
      textDecoration: 'none',
      fontFamily: mono,
      fontWeight: 500
    }
  }, /*#__PURE__*/React.createElement("svg", {
    width: "14",
    height: "14",
    viewBox: "0 0 16 16",
    fill: "#c8ccd4"
  }, /*#__PURE__*/React.createElement("path", {
    d: "M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"
  })), label);
}
const DASHBOARD_DESC = "Browser extensions operate with deep access to everything users do online - reading page content, intercepting requests, accessing cookies, session tokens, and credentials. This attack surface has become one of the most exploited vectors in modern cybersecurity. In December 2024, a single phishing campaign compromised over 35 Chrome extensions affecting 2.6 million users, including the Cyberhaven security extension, by abusing OAuth permissions to push malicious updates that exfiltrated Facebook tokens and session cookies. A year later in December 2025, the Trust Wallet Chrome extension was hijacked through a leaked Web Store API key, draining $8.5 million in cryptocurrency from 2,520 wallets through a single compromised update. The DarkSpectre threat actor operated three campaigns (ShadyPanda, GhostPoster, Zoom Stealer) across Chrome, Edge, and Firefox over seven years, impacting 8.8 million users through over 100 extensions that acted as sleeper agents - behaving normally for months or years before activating data theft, search hijacking, and corporate intelligence collection. In late 2025, two fake AI assistant extensions impersonating AITOPIA were found exfiltrating ChatGPT and DeepSeek conversations from 900,000 users while carrying a Google Featured badge. In February 2026, the AiFrame campaign deployed 32 extensions disguised as AI tools to siphon browsing data across thousands of victims. Attackers use multiple strategies: purchasing established extensions from developers, phishing developer accounts via OAuth abuse, compromising Web Store API keys, or planting sleeper extensions that build trust before weaponization. Extensions bypass traditional endpoint security because they are already trusted, update automatically, and hold excessive permissions. Most organizations have zero visibility into what extensions employees are running, and most SIEMs have no detection rules for this vector. A single compromised extension can harvest every credential entered in the browser, steal active SSO sessions, exfiltrate sensitive documents, and execute local binaries via nativeMessaging - all while appearing as a legitimate tool. <strong>Monitoring and blocking known-malicious extensions is not optional - it is a fundamental security control.</strong>";
function TracesPanel() {
  const [browser, setBrowser] = useState('chrome');
  const [os, setOs] = useState('windows');
  const B = {
    windows: '%LOCALAPPDATA%\\Google\\Chrome\\User Data',
    macos: '~/Library/Application Support/Google/Chrome',
    linux: '~/.config/google-chrome'
  }[os];
  const EB = {
    windows: '%LOCALAPPDATA%\\Microsoft\\Edge\\User Data',
    macos: '~/Library/Application Support/Microsoft Edge',
    linux: '~/.config/microsoft-edge'
  }[os];
  const FB = {
    windows: '%APPDATA%\\Mozilla\\Firefox\\Profiles\\PROFILE',
    macos: '~/Library/Application Support/Firefox/Profiles/PROFILE',
    linux: '~/.mozilla/firefox/PROFILE'
  }[os];
  return /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      marginBottom: 20,
      borderLeft: '3px solid #f85149',
      borderColor: '#1b1f27',
      borderLeftColor: '#f85149'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 6
    }
  }, "Investigation Scenario"), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 13,
      color: '#8b949e',
      lineHeight: 1.8,
      margin: 0
    }
  }, "You have discovered a browser extension you do not recognize on a user workstation. What traces do you look for to determine ", /*#__PURE__*/React.createElement("strong", null, "when"), " and ", /*#__PURE__*/React.createElement("strong", null, "how"), " the extension was installed, whether it was user-initiated or pushed via policy, and whether an incident has occurred?")), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 6,
      marginBottom: 12,
      flexWrap: 'wrap'
    }
  }, [{
    id: 'chrome',
    label: 'Chrome / Chromium'
  }, {
    id: 'edge',
    label: 'Microsoft Edge'
  }, {
    id: 'firefox',
    label: 'Firefox'
  }, {
    id: 'general',
    label: 'General Forensics'
  }].map(b => /*#__PURE__*/React.createElement("button", {
    key: b.id,
    onClick: () => setBrowser(b.id),
    style: {
      background: browser === b.id ? '#161b22' : 'transparent',
      border: browser === b.id ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      color: browser === b.id ? '#58a6ff' : '#6e7681',
      padding: '8px 16px',
      borderRadius: 8,
      cursor: 'pointer',
      fontSize: 12,
      fontWeight: browser === b.id ? 700 : 400
    }
  }, b.label))), browser !== 'general' && /*#__PURE__*/React.createElement(OsToggle, {
    os: os,
    setOs: setOs
  }), browser === 'chrome' && /*#__PURE__*/React.createElement("div", null, os === 'windows' && /*#__PURE__*/React.createElement(Section, {
    title: "Download Mechanism (BITS) - Windows Only"
  }, /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.7,
      marginBottom: 12
    }
  }, "Chrome on Windows uses ", /*#__PURE__*/React.createElement("strong", null, "Background Intelligent Transfer Service (BITS)"), " to download extensions."), /*#__PURE__*/React.createElement(Code, null, ['chrome.exe', '  > loads BitsProxy.dll', '    > svchost.exe -k netsvcs', '      > loads qmgr.dll (BITS Queue Manager)', '      > HTTP(S) GET > downloads .crx3 file'].join('\n')), /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Event ID', 'Log Channel', 'Details'],
    rows: [['59', 'Microsoft-Windows-Bits-Client/Operational', 'Download initiated - source URL + destination'], ['60', 'Microsoft-Windows-Bits-Client/Operational', 'Download completed - bytes + timestamp'], ['4', 'Microsoft-Windows-Bits-Client/Operational', 'Transfer job created - may contain extension name']]
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "tip"
  }, "EventID 59 gives the source URL, EventID 60 the completion time. Cross-reference with proxy logs.")), os === 'macos' && /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "Chrome downloads extensions directly via HTTPS on macOS. Check the Unified Log for network activity: ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "log show --predicate 'process == \"Google Chrome\"' --last 1h")), os === 'linux' && /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "Chrome downloads extensions directly via HTTPS on Linux. Check journalctl, strace, or proxy logs for download activity."), /*#__PURE__*/React.createElement(Section, {
    title: "Network / Proxy Logs"
  }, /*#__PURE__*/React.createElement(Code, null, ['# Chrome Web Store download URLs (all platforms)', 'https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/<ID>/<VER>.crx3', 'https://edgedl.me.gvt1.com/edgedl/chromewebstore/<HASH>/<VER>.crx', 'https://clients2.google.com/service/update2/crx?response=redirect&x=id%3D<EXT_ID>%26...', 'https://clients2.googleusercontent.com/crx/blobs/<HASH>/<VER>.crx', '', '# Suspicious: .crx/.crx3 from non-Google domains = sideloaded'].join('\n'))), /*#__PURE__*/React.createElement(Section, {
    title: "Filesystem Artifacts"
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Installed Extensions"), /*#__PURE__*/React.createElement("div", {
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      padding: 14,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement(PathLine, {
    note: "primary"
  }, B, "/Default/Extensions/EXT_ID/VERSION/"), /*#__PURE__*/React.createElement(PathLine, {
    note: "manifest"
  }, B, "/Default/Extensions/EXT_ID/VERSION/manifest.json"), /*#__PURE__*/React.createElement(PathLine, {
    note: "local storage"
  }, B, "/Default/Local Extension Settings/EXT_ID/"), /*#__PURE__*/React.createElement(PathLine, {
    note: "sync storage"
  }, B, "/Default/Sync Extension Settings/EXT_ID/"), /*#__PURE__*/React.createElement(PathLine, {
    note: "IndexedDB"
  }, B, "/Default/IndexedDB/chrome-extension_EXT_ID_0.indexeddb.leveldb/"), /*#__PURE__*/React.createElement(PathLine, {
    note: "rules"
  }, B, "/Default/Extension Rules/EXT_ID/")), os === 'windows' && /*#__PURE__*/React.createElement(React.Fragment, null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Download Staging (Windows)"), /*#__PURE__*/React.createElement("div", {
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      padding: 14,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement(PathLine, {
    note: "BITS"
  }, "C:\\Program Files\\chrome_BITS_NNNNN\\*.crx3"), /*#__PURE__*/React.createElement(PathLine, {
    note: "webstore cache"
  }, B, "\\Webstore Downloads\\*.crx"), /*#__PURE__*/React.createElement(PathLine, {
    note: "temp"
  }, "%TEMP%\\scoped_dirXXXXX\\CRX_INSTALL\\"))), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Profile Metadata"), /*#__PURE__*/React.createElement("div", {
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      padding: 14,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement(PathLine, {
    note: "master config"
  }, B, "/Default/Preferences"), /*#__PURE__*/React.createElement(PathLine, {
    note: "tamper-evident"
  }, B, "/Default/Secure Preferences"), /*#__PURE__*/React.createElement(PathLine, {
    note: "history (SQLite)"
  }, B, "/Default/History"), /*#__PURE__*/React.createElement(PathLine, {
    note: "profiles"
  }, B, "/Local State")), /*#__PURE__*/React.createElement(Callout, {
    type: "tip"
  }, /*#__PURE__*/React.createElement("strong", null, "Secure Preferences - extensions.settings.EXT_ID:"), /*#__PURE__*/React.createElement("br", null), /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "install_time"), " - Chrome epoch (us since 1601-01-01) | ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "location"), " - 1=WebStore 4=External 5=Registry/JSON 10=Policy | ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "from_webstore"), " - false = investigate")), /*#__PURE__*/React.createElement(Section, {
    title: os === 'windows' ? "Windows Registry Artifacts" : "External Extensions / Policy Push"
  }, os === 'windows' && /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Registry Path', 'Purpose'],
    rows: [['HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist', 'Force-installed (GPO/MDM)'], ['HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist', 'Blocklisted'], ['HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionSettings', 'Per-extension overrides'], ['HKLM\\Software\\Google\\Chrome\\Extensions\\EXT_ID', 'External extensions (other software)'], ['HKCU\\SOFTWARE\\Google\\Chrome\\NativeMessagingHosts\\HOST', 'NativeMessaging manifests']]
  }), os === 'macos' && /*#__PURE__*/React.createElement(React.Fragment, null, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Path', 'Purpose'],
    rows: [['~/Library/Application Support/Google/Chrome/External Extensions/EXT_ID.json', 'Per-user external extension (no local CRX since Chrome 44)'], ['/Library/Application Support/Google/Chrome/External Extensions/EXT_ID.json', 'System-wide external (must be root-owned)'], ['/Library/Google/Chrome/NativeMessagingHosts/HOST.json', 'System NativeMessaging'], ['~/Library/Application Support/Google/Chrome/NativeMessagingHosts/HOST.json', 'User NativeMessaging'], ['/Library/Managed Preferences/com.google.Chrome.plist', 'MDM policies (Jamf, Intune)']]
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, "On macOS, external extensions only install from Chrome Web Store update_url (no local CRX since Chrome 44).")), os === 'linux' && /*#__PURE__*/React.createElement(React.Fragment, null, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Path', 'Purpose'],
    rows: [['/opt/google/chrome/extensions/EXT_ID.json', 'System-wide external extension JSON'], ['/usr/share/google-chrome/extensions/EXT_ID.json', 'System-wide external (alternative)'], ['~/.config/google-chrome/External Extensions/EXT_ID.json', 'Per-user external (can point to local CRX!)'], ['/etc/opt/chrome/NativeMessagingHosts/HOST.json', 'System NativeMessaging'], ['~/.config/google-chrome/NativeMessagingHosts/HOST.json', 'User NativeMessaging'], ['/etc/opt/chrome/policies/managed/policy.json', 'Managed enterprise policies']]
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "critical"
  }, "On Linux, external extension JSON can auto-install local .crx without user prompt. Check /opt/google/chrome/extensions/ for unexpected files."))), /*#__PURE__*/React.createElement(Section, {
    title: "Process / Command Line Traces"
  }, /*#__PURE__*/React.createElement(Code, null, [os === 'windows' ? 'chrome.exe --load-extension="C:\\path\\to\\extension"' : os === 'macos' ? '"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --load-extension="/path/ext"' : 'google-chrome --load-extension="/path/ext"', '', '# Search for in process creation logs:', 'CommandLine contains: .crx | .crx3 | --load-extension | --install-extension | --disable-extensions-except'].join('\n')), /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, "Check the ", /*#__PURE__*/React.createElement("strong", null, "parent process"), ". If browser spawned by ", os === 'macos' ? 'osascript, python, launchd' : os === 'linux' ? 'cron, bash, systemd' : 'powershell.exe, cmd.exe, wscript.exe', " with extension flags - highly suspicious.")), /*#__PURE__*/React.createElement(Section, {
    title: "Chrome Database Deep Dive"
  }, /*#__PURE__*/React.createElement(Code, null, ['# Key fields in Secure Preferences > extensions.settings.EXT_ID:', '# install_time: Chrome epoch (us since 1601-01-01)', '# location: 1=WebStore 4=External 5=Registry/JSON 10=Policy', '# from_webstore: false = sideloaded | state: 0=disabled 1=enabled', '', '# Convert timestamp: datetime(1601,1,1) + timedelta(microseconds=install_time)', '# Query History: sqlite3 "History" "SELECT url,title FROM urls WHERE url LIKE \'chrome-extension://%\';"'].join('\n')))), browser === 'edge' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "Edge is Chromium-based. Most Chrome traces apply with different base paths."), /*#__PURE__*/React.createElement(Section, {
    title: "Edge Extension Paths"
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      padding: 14,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement(PathLine, {
    note: "extensions"
  }, EB, "/Default/Extensions/EXT_ID/VERSION/"), /*#__PURE__*/React.createElement(PathLine, {
    note: "preferences"
  }, EB, "/Default/Preferences"), /*#__PURE__*/React.createElement(PathLine, {
    note: "secure prefs"
  }, EB, "/Default/Secure Preferences"), /*#__PURE__*/React.createElement(PathLine, {
    note: "local state"
  }, EB, "/Local State"))), /*#__PURE__*/React.createElement(Section, {
    title: "Policy / External Extensions"
  }, os === 'windows' && /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Registry Path', 'Purpose'],
    rows: [['HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist', 'Force-installed'], ['HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionSettings', 'Per-extension overrides'], ['HKLM\\Software\\Microsoft\\Edge\\Extensions\\EXT_ID', 'External extensions'], ['HKCU\\SOFTWARE\\Microsoft\\Edge\\NativeMessagingHosts\\HOST', 'NativeMessaging'], ['HKLM\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\Browser\\*', 'Intune/MDM']]
  }), os === 'macos' && /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Path', 'Purpose'],
    rows: [['~/Library/Application Support/Microsoft Edge/External Extensions/EXT_ID.json', 'Per-user external'], ['~/Library/Application Support/Microsoft Edge/NativeMessagingHosts/HOST.json', 'User NativeMessaging'], ['/Library/Managed Preferences/com.microsoft.Edge.plist', 'MDM-managed Edge policies']]
  }), os === 'linux' && /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Path', 'Purpose'],
    rows: [['/usr/share/microsoft-edge/extensions/EXT_ID.json', 'System-wide external'], ['~/.config/microsoft-edge/NativeMessagingHosts/HOST.json', 'User NativeMessaging'], ['/etc/opt/edge/policies/managed/policy.json', 'Managed enterprise policies']]
  }))), browser === 'firefox' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "Firefox extensions use ", /*#__PURE__*/React.createElement("strong", null, ".xpi"), " format (ZIP). Profiles at ", os === 'windows' ? /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "%APPDATA%\\Mozilla\\Firefox\\Profiles\\") : os === 'macos' ? /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "~/Library/Application Support/Firefox/Profiles/") : /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "~/.mozilla/firefox/"), " with random names."), /*#__PURE__*/React.createElement(Section, {
    title: "Filesystem Artifacts"
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Installed Add-ons"), /*#__PURE__*/React.createElement("div", {
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      padding: 14,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement(PathLine, {
    note: "installed XPI"
  }, FB, "/extensions/addon_id.xpi"), /*#__PURE__*/React.createElement(PathLine, {
    note: "staged"
  }, FB, "/extensions/staged/addon_id.xpi"), /*#__PURE__*/React.createElement(PathLine, {
    note: "storage"
  }, FB, "/storage/default/moz-extension+++ADDON_GUID/")), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Profile Metadata"), /*#__PURE__*/React.createElement("div", {
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      padding: 14,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement(PathLine, {
    note: "master DB"
  }, FB, "/extensions.json"), /*#__PURE__*/React.createElement(PathLine, {
    note: "startup cache"
  }, FB, "/addonStartup.json.lz4"), /*#__PURE__*/React.createElement(PathLine, {
    note: "ext prefs"
  }, FB, "/extension-preferences.json"), /*#__PURE__*/React.createElement(PathLine, {
    note: "user prefs"
  }, FB, "/prefs.js")), /*#__PURE__*/React.createElement(Callout, {
    type: "tip"
  }, /*#__PURE__*/React.createElement("strong", null, "extensions.json"), " - per-addon: ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "installDate"), " (epoch ms), ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "sourceURI"), " (download URL!), ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "location"), ", ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "signedState"))), /*#__PURE__*/React.createElement(Section, {
    title: "Network / Proxy Logs"
  }, /*#__PURE__*/React.createElement(Code, null, ['https://addons.mozilla.org/firefox/downloads/file/FILE_ID/ADDON-VERSION.xpi', 'https://addons.mozilla.org/api/v5/addons/addon/ADDON_ID/', '', '# Suspicious: *.xpi from non-Mozilla domains = potential sideload'].join('\n'))), /*#__PURE__*/React.createElement(Section, {
    title: "Process / CLI / Configuration"
  }, /*#__PURE__*/React.createElement(Code, null, [os === 'windows' ? 'firefox.exe -install-global-extension "C:\\path\\addon.xpi"' : os === 'macos' ? '"/Applications/Firefox.app/Contents/MacOS/firefox" -install-global-extension "/path/addon.xpi"' : 'firefox -install-global-extension "/path/addon.xpi"', '', '# Suspicious prefs.js values:', 'user_pref("xpinstall.signatures.required", false);   // Allows unsigned!', 'user_pref("extensions.autoDisableScopes", 0);       // Disables scope checks!'].join('\n')), /*#__PURE__*/React.createElement(Callout, {
    type: "critical"
  }, "xpinstall.signatures.required = false means someone bypassed Mozilla signing.")), /*#__PURE__*/React.createElement(Section, {
    title: "Global Install Locations / Policies"
  }, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Path', 'Purpose'],
    rows: os === 'windows' ? [['C:\\Program Files\\Mozilla Firefox\\browser\\extensions\\ADDON.xpi', 'Global extensions'], ['C:\\Program Files\\Mozilla Firefox\\distribution\\policies.json', 'Enterprise policies'], ['HKLM\\SOFTWARE\\Mozilla\\Firefox\\Extensions', 'Registry-installed'], ['HKCU\\SOFTWARE\\Mozilla\\NativeMessagingHosts\\HOST', 'NativeMessaging']] : os === 'macos' ? [['/Applications/Firefox.app/.../browser/extensions/ADDON.xpi', 'Global extensions'], ['/Applications/Firefox.app/.../distribution/policies.json', 'Enterprise policies'], ['~/Library/Application Support/Mozilla/NativeMessagingHosts/HOST.json', 'User NativeMessaging'], ['/Library/Application Support/Mozilla/NativeMessagingHosts/HOST.json', 'System NativeMessaging']] : [['/usr/lib/firefox/browser/extensions/ADDON.xpi', 'Global extensions'], ['/etc/firefox/policies/policies.json', 'System-wide policies'], ['~/.mozilla/native-messaging-hosts/HOST.json', 'User NativeMessaging'], ['/usr/lib/mozilla/native-messaging-hosts/HOST.json', 'System NativeMessaging']]
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, "Check policies.json for ExtensionSettings with installation_mode: \"force_installed\". If modified outside MDM, treat as compromised."))), browser === 'general' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Section, {
    title: "Investigation Checklist"
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'grid',
      gridTemplateColumns: '1fr 1fr',
      gap: 12
    }
  }, [{
    t: '1. Identify',
    items: ['Extension ID / GUID?', 'Which browser(s) and OS?', 'Present on multiple machines?', 'In known threat intel feeds? (ExtSentry)']
  }, {
    t: '2. Timeline',
    items: ['Chrome: Secure Preferences > install_time', 'Firefox: extensions.json > installDate', 'Last update time?', 'User activity around that time?']
  }, {
    t: '3. Install Method',
    items: ['User-initiated (Web Store / AMO)?', 'Policy push (GPO/MDM/Jamf)?', 'Sideloaded by other software?', 'CLI install? Check process logs']
  }, {
    t: '4. Analyze',
    items: ['manifest.json permissions', 'content_scripts targets', 'JS obfuscation, eval(), remote code', 'nativeMessaging host?']
  }, {
    t: '5. Scope Impact',
    items: ['Extension storage for exfiltrated data', 'Proxy/firewall logs for C2', 'How many machines affected?', 'Sensitive sites targeted?']
  }, {
    t: '6. Preserve Evidence',
    items: ['Copy full extension directory', 'Export Preferences / extensions.json', 'Screenshot extension pages', 'Collect browser process logs']
  }].map(s => /*#__PURE__*/React.createElement("div", {
    key: s.t
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, s.t), s.items.map((item, i) => /*#__PURE__*/React.createElement(CheckItem, {
    key: i
  }, item)))))), /*#__PURE__*/React.createElement(Section, {
    title: "High-Risk Permission Indicators"
  }, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Permission', 'Risk', 'Implication'],
    rows: [['<all_urls> / *://*/*', 'Critical', 'Access ALL websites'], ['webRequest + webRequestBlocking', 'Critical', 'Intercept/modify ALL HTTP (MitM)'], ['cookies', 'Critical', 'Read/write cookies any site'], ['nativeMessaging', 'Critical', 'Execute local binaries'], ['management', 'Critical', 'Manage other extensions'], ['debugger', 'Critical', 'Full DevTools protocol'], ['downloads', 'High', 'Download files silently'], ['history', 'High', 'Read browsing history'], ['clipboardRead', 'High', 'Read clipboard'], ['proxy', 'High', 'Redirect all traffic'], ['tabs', 'Medium', 'See all tab URLs/titles']]
  })), /*#__PURE__*/React.createElement(Section, {
    title: "Cross-Browser, Cross-OS Path Reference"
  }, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Browser', 'Windows', 'macOS', 'Linux'],
    rows: [['Chrome', '%LOCALAPPDATA%\\Google\\Chrome\\...\\Extensions\\', '~/Library/Application Support/Google/Chrome/.../Extensions/', '~/.config/google-chrome/.../Extensions/'], ['Edge', '%LOCALAPPDATA%\\Microsoft\\Edge\\...\\Extensions\\', '~/Library/Application Support/Microsoft Edge/.../Extensions/', '~/.config/microsoft-edge/.../Extensions/'], ['Brave', '%LOCALAPPDATA%\\BraveSoftware\\...\\Extensions\\', '~/Library/Application Support/BraveSoftware/.../Extensions/', '~/.config/BraveSoftware/.../Extensions/'], ['Firefox', '%APPDATA%\\Mozilla\\Firefox\\Profiles\\*\\extensions\\', '~/Library/Application Support/Firefox/Profiles/*/extensions/', '~/.mozilla/firefox/*/extensions/'], ['Opera', '%APPDATA%\\Opera Software\\...\\Extensions\\', '~/Library/Application Support/com.operasoftware.Opera/Extensions/', '~/.config/opera/Extensions/']]
  }), /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Browser', 'Policies (macOS)', 'Policies (Linux)'],
    rows: [['Chrome', '/Library/Managed Preferences/com.google.Chrome.plist', '/etc/opt/chrome/policies/managed/*.json'], ['Edge', '/Library/Managed Preferences/com.microsoft.Edge.plist', '/etc/opt/edge/policies/managed/*.json'], ['Firefox', 'Firefox.app/.../distribution/policies.json', '/etc/firefox/policies/policies.json']]
  }), /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Browser', 'NativeMessaging (macOS)', 'NativeMessaging (Linux)'],
    rows: [['Chrome', '~/Library/.../Google/Chrome/NativeMessagingHosts/', '~/.config/google-chrome/NativeMessagingHosts/'], ['Edge', '~/Library/.../Microsoft Edge/NativeMessagingHosts/', '~/.config/microsoft-edge/NativeMessagingHosts/'], ['Firefox', '~/Library/.../Mozilla/NativeMessagingHosts/', '~/.mozilla/native-messaging-hosts/']]
  })), /*#__PURE__*/React.createElement(Section, {
    title: "Analysis Commands"
  }, /*#__PURE__*/React.createElement(Code, null, ['# Python: Chrome extension timestamps (adjust path per OS)', 'import json; from datetime import datetime, timedelta', 'prefs = json.load(open("Secure Preferences"))', 'for eid, info in prefs.get("extensions",{}).get("settings",{}).items():', '    t = info.get("install_time","0")', '    if t and t != "0":', '        dt = datetime(1601,1,1) + timedelta(microseconds=int(t))', '        print(dt, info.get("location","?"), eid, info.get("manifest",{}).get("name","?"))', '', '# Python: Firefox addons', 'import json', 'for a in json.load(open("extensions.json")).get("addons",[]):', '    print(a.get("installDate",""), a.get("id",""), a.get("name",""), a.get("sourceURI",""))', '', '# Linux: find extension manifests', 'find ~/.config/google-chrome ~/.config/microsoft-edge ~/.mozilla/firefox -name manifest.json -path "*/extensions/*" 2>/dev/null'].join('\n')))));
}
function RemediationPanel() {
  return /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Callout, {
    type: "critical"
  }, /*#__PURE__*/React.createElement("strong", null, "Preserve evidence before remediation."), " Copy extension directories, export Preferences/extensions.json, and screenshot browser extension pages before removing anything."), /*#__PURE__*/React.createElement(StepCard, {
    num: "1",
    title: "Immediate Containment"
  }, /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.7,
      marginBottom: 10
    }
  }, "Isolate the machine if the extension is actively exfiltrating data. Kill all browser processes."), /*#__PURE__*/React.createElement(Code, null, ['# Windows', 'taskkill /IM chrome.exe /F && taskkill /IM msedge.exe /F && taskkill /IM firefox.exe /F', '# macOS', 'pkill -9 "Google Chrome" && pkill -9 "Microsoft Edge" && pkill -9 firefox', '# Linux', 'pkill -9 chrome && pkill -9 msedge && pkill -9 firefox', '', '# Block C2 domains at firewall/proxy immediately'].join('\n')), /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, "If extension has nativeMessaging permissions, check for native binaries before assuming browser kill is sufficient.")), /*#__PURE__*/React.createElement(StepCard, {
    num: "2",
    title: "Extension Removal - Chromium (Chrome / Edge)"
  }, /*#__PURE__*/React.createElement(Code, null, ['# Delete extension dir (adjust base per OS)', '# WIN: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions\\EXT_ID', '# MAC: ~/Library/Application Support/Google/Chrome/Default/Extensions/EXT_ID', '# LNX: ~/.config/google-chrome/Default/Extensions/EXT_ID', '', '# Also clean: Local Extension Settings, Sync Extension Settings, Extension Rules, IndexedDB', '', '# Remove external extension files:', '# MAC: ~/Library/.../Google/Chrome/External Extensions/EXT_ID.json', '# LNX: /opt/google/chrome/extensions/EXT_ID.json', '# WIN: HKLM\\Software\\Google\\Chrome\\Extensions\\EXT_ID', '', '# Remove NativeMessaging hosts + policy-pushed extensions (per-OS paths above)'].join('\n'))), /*#__PURE__*/React.createElement(StepCard, {
    num: "3",
    title: "Extension Removal - Firefox"
  }, /*#__PURE__*/React.createElement(Code, null, ['# Delete extension (adjust per OS)', '# WIN: %APPDATA%\\Mozilla\\Firefox\\Profiles\\PROFILE\\extensions\\ADDON_ID.xpi', '# MAC: ~/Library/.../Firefox/Profiles/PROFILE/extensions/ADDON_ID.xpi', '# LNX: ~/.mozilla/firefox/PROFILE/extensions/ADDON_ID.xpi', '', '# Clean: storage/default/moz-extension+++GUID', '# Remove global installs from browser/extensions/ dir', '# Check and clean policies.json', '# Ensure prefs.js: xpinstall.signatures.required != false'].join('\n'))), /*#__PURE__*/React.createElement(StepCard, {
    num: "4",
    title: "Credential Rotation / Impact Assessment"
  }, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Permission', 'Compromised', 'Action'],
    rows: [['cookies / <all_urls>', 'All session tokens', 'Invalidate sessions, rotate passwords'], ['webRequest', 'All HTTP traffic', 'Rotate all passwords entered'], ['nativeMessaging', 'Full system access', 'Full assessment, consider re-image'], ['clipboardRead', 'Clipboard contents', 'Rotate copied credentials'], ['downloads', 'May have pulled malware', 'Full malware scan']]
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "critical"
  }, "nativeMessaging or debugger permissions = treat endpoint as fully compromised. Capture a memory dump for forensic analysis before reimaging.")), /*#__PURE__*/React.createElement(StepCard, {
    num: "5",
    title: "Enterprise-Wide Response"
  }, /*#__PURE__*/React.createElement(Code, null, ['# Blocklist across platforms:', '# Chrome GPO: ExtensionInstallBlocklist = EXT_ID', '# Chrome MDM: com.google.Chrome.plist > ExtensionInstallBlocklist', '# Chrome Linux: /etc/opt/chrome/policies/managed/blocklist.json', '# Firefox: policies.json > ExtensionSettings > installation_mode: blocked', '', '# Scan fleet: Splunk | Sentinel | Elastic queries using ExtSentry feeds'].join('\n')), /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Control', 'Implementation'],
    rows: [['Allowlist-only', 'ExtensionInstallAllowlist + block * in ExtensionSettings'], ['Block all', 'ExtensionInstallBlocklist = *'], ['No dev mode', 'DeveloperToolsAvailability = 2'], ['No sideload', 'BlockExternalExtensions = 1'], ['Network', 'Block .crx/.xpi from unapproved domains']]
  })), /*#__PURE__*/React.createElement(StepCard, {
    num: "6",
    title: "Post-Incident Verification"
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'grid',
      gridTemplateColumns: '1fr 1fr',
      gap: 12
    }
  }, /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Verify Removal"), /*#__PURE__*/React.createElement(CheckItem, null, "Extension dir gone from all profiles"), /*#__PURE__*/React.createElement(CheckItem, null, "Not in Secure Preferences / extensions.json"), /*#__PURE__*/React.createElement(CheckItem, null, "No policy keys forcing re-install"), /*#__PURE__*/React.createElement(CheckItem, null, "No external extension files"), /*#__PURE__*/React.createElement(CheckItem, null, "NativeMessaging entries cleaned")), /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      fontWeight: 600,
      color: '#58a6ff',
      marginBottom: 8,
      textTransform: 'uppercase',
      letterSpacing: '1px'
    }
  }, "Verify No Persistence"), /*#__PURE__*/React.createElement(CheckItem, null, "No scheduled tasks / cron / launchd agents"), /*#__PURE__*/React.createElement(CheckItem, null, "No unexpected startup items"), /*#__PURE__*/React.createElement(CheckItem, null, "Browser sync disabled or cleaned"), /*#__PURE__*/React.createElement(CheckItem, null, "Monitor 48-72h for re-install attempts"))), /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, /*#__PURE__*/React.createElement("strong", null, "Browser sync can re-install removed extensions."), " Disable sync, remove from synced profile via browser dashboard, then re-enable.")));
}
function DataTable({
  data
}) {
  const [search, setSearch] = useState('');
  const [activeCats, setActiveCats] = useState(new Set());
  const [page, setPage] = useState(0);
  const [sortCol, setSortCol] = useState(null);
  const [sortDir, setSortDir] = useState('asc');
  const [expandedId, setExpandedId] = useState(null);
  const [copiedId, setCopiedId] = useState(null);
  const cats = useMemo(() => _.countBy(data, 'category'), [data]);
  const toggleCat = useCallback(cat => {
    setActiveCats(p => {
      const n = new Set(p);
      n.has(cat) ? n.delete(cat) : n.add(cat);
      return n;
    });
    setPage(0);
  }, []);
  const filtered = useMemo(() => {
    let d = data;
    if (search) {
      const q = search.toLowerCase();
      d = d.filter(r => r.name.toLowerCase().includes(q) || r.id.toLowerCase().includes(q) || r.comment.toLowerCase().includes(q) || r.sha256 && r.sha256.toLowerCase().includes(q));
    }
    if (activeCats.size) d = d.filter(r => activeCats.has(r.category));
    if (sortCol) d = [...d].sort((a, b) => sortDir === 'asc' ? (a[sortCol] || '').localeCompare(b[sortCol] || '') : (b[sortCol] || '').localeCompare(a[sortCol] || ''));
    return d;
  }, [data, search, activeCats, sortCol, sortDir]);
  const paged = filtered.slice(page * PAGE_SIZE, (page + 1) * PAGE_SIZE);
  const totalPages = Math.ceil(filtered.length / PAGE_SIZE);
  const handleSort = col => {
    if (sortCol === col) {
      setSortDir(d => d === 'asc' ? 'desc' : 'asc');
    } else {
      setSortCol(col);
      setSortDir('asc');
    }
  };
  return /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("input", {
    value: search,
    onChange: e => {
      setSearch(e.target.value);
      setPage(0);
    },
    placeholder: "Search name, ID, description, or SHA256...",
    style: {
      width: '100%',
      padding: '11px 16px',
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 8,
      color: '#c8ccd4',
      fontSize: 13,
      fontFamily: mono,
      marginBottom: 12
    }
  }), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      flexWrap: 'wrap',
      gap: 5,
      marginBottom: 14
    }
  }, Object.entries(cats).sort((a, b) => b[1] - a[1]).map(([cat, count]) => /*#__PURE__*/React.createElement("button", {
    key: cat,
    onClick: () => toggleCat(cat),
    style: {
      background: activeCats.has(cat) ? '#161b22' : 'transparent',
      border: activeCats.has(cat) ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      color: activeCats.has(cat) ? '#58a6ff' : '#6e7681',
      borderRadius: 20,
      padding: '4px 12px',
      cursor: 'pointer',
      fontSize: 11,
      fontFamily: mono,
      display: 'inline-flex',
      alignItems: 'center',
      gap: 5
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: S.dot(CAT_COLORS[cat] || '#6e7681')
  }), cat, " (", count, ")")), (activeCats.size > 0 || search) && /*#__PURE__*/React.createElement("button", {
    onClick: () => {
      setActiveCats(new Set());
      setSearch('');
      setPage(0);
    },
    style: {
      background: '#f8514915',
      border: '1px solid #f8514933',
      color: '#f85149',
      borderRadius: 20,
      padding: '4px 12px',
      cursor: 'pointer',
      fontSize: 11
    }
  }, "Clear")), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      color: '#484f58',
      marginBottom: 8,
      fontFamily: mono
    }
  }, filtered.length, " results"), /*#__PURE__*/React.createElement("div", {
    style: {
      overflowX: 'auto',
      borderRadius: 8,
      border: '1px solid #1b1f27'
    }
  }, /*#__PURE__*/React.createElement("table", {
    style: {
      width: '100%',
      borderCollapse: 'collapse',
      fontSize: 12,
      fontFamily: mono
    }
  }, /*#__PURE__*/React.createElement("thead", null, /*#__PURE__*/React.createElement("tr", {
    style: {
      background: '#0d1117'
    }
  }, [['name', 'Name'], ['id', 'Extension ID'], ['category', 'Category'], ['severity', 'Severity'], ['comment', 'Info']].map(([c, l]) => /*#__PURE__*/React.createElement("th", {
    key: c,
    onClick: () => handleSort(c),
    style: {
      padding: '10px 12px',
      textAlign: 'left',
      color: '#484f58',
      fontWeight: 600,
      cursor: 'pointer',
      borderBottom: '1px solid #1b1f27',
      fontSize: 10,
      letterSpacing: '0.5px',
      textTransform: 'uppercase',
      whiteSpace: 'nowrap'
    }
  }, l, " ", sortCol === c ? sortDir === 'asc' ? '\u2191' : '\u2193' : '\u2195')), /*#__PURE__*/React.createElement("th", {
    style: {
      padding: '10px 12px',
      borderBottom: '1px solid #1b1f27',
      fontSize: 10,
      color: '#484f58'
    }
  }, "Ref"))), /*#__PURE__*/React.createElement("tbody", null, paged.map((row, i) => {
    const sv = SV[row.severity] || 'MEDIUM';
    return /*#__PURE__*/React.createElement("tr", {
      key: row.id + '-' + i,
      onMouseEnter: e => e.currentTarget.style.background = '#0d1117',
      onMouseLeave: e => e.currentTarget.style.background = 'transparent'
    }, /*#__PURE__*/React.createElement("td", {
      style: {
        padding: '7px 12px',
        maxWidth: 200,
        overflow: 'hidden',
        textOverflow: 'ellipsis',
        whiteSpace: 'nowrap',
        color: '#c8ccd4'
      }
    }, row.name || '-'), /*#__PURE__*/React.createElement("td", {
      style: {
        padding: '7px 12px',
        color: '#6e7681',
        fontSize: 11
      }
    }, /*#__PURE__*/React.createElement("span", {
      title: 'Click to copy: ' + row.id + (row.sha256 ? '\nSHA256: ' + row.sha256 : ''),
      onClick: () => {
        navigator.clipboard && navigator.clipboard.writeText(row.id);
        setExpandedId(prev => prev === row.id ? null : row.id);
        setCopiedId(row.id);
        setTimeout(() => setCopiedId(prev => prev === row.id ? null : prev), 1500);
      },
      style: {
        cursor: 'pointer',
        fontFamily: 'monospace',
        background: expandedId === row.id ? '#1c2333' : 'transparent',
        padding: expandedId === row.id ? '2px 6px' : '0',
        borderRadius: 4,
        border: expandedId === row.id ? '1px solid #30363d' : '1px solid transparent',
        display: 'inline-block',
        wordBreak: expandedId === row.id ? 'break-all' : 'normal',
        whiteSpace: expandedId === row.id ? 'normal' : 'nowrap',
        transition: 'all 0.15s ease'
      }
    }, expandedId === row.id ? row.id : (row.id.length > 24 ? row.id.slice(0, 24) + '\u2026' : row.id),
    copiedId === row.id && /*#__PURE__*/React.createElement("span", {
      style: {
        marginLeft: 6,
        color: '#3fb950',
        fontSize: 10,
        fontFamily: 'sans-serif'
      }
    }, '\u2713 copied'))), /*#__PURE__*/React.createElement("td", {
      style: {
        padding: '7px 12px'
      }
    }, /*#__PURE__*/React.createElement("span", {
      style: {
        color: CAT_COLORS[row.category] || '#6e7681',
        fontSize: 11
      }
    }, row.category)), /*#__PURE__*/React.createElement("td", {
      style: {
        padding: '7px 12px'
      }
    }, /*#__PURE__*/React.createElement("span", {
      style: {
        ...S.tag(SVC[sv] || '#6e7681')
      }
    }, sv)), /*#__PURE__*/React.createElement("td", {
      style: {
        padding: '7px 12px',
        maxWidth: 240,
        overflow: 'hidden',
        textOverflow: 'ellipsis',
        whiteSpace: 'nowrap',
        color: '#6e7681',
        fontSize: 11
      }
    }, row.comment), /*#__PURE__*/React.createElement("td", {
      style: {
        padding: '7px 12px'
      }
    }, row.link && row.link !== 'fixme' && row.link !== 'N/A' && /*#__PURE__*/React.createElement("a", {
      href: row.link,
      target: "_blank",
      rel: "noopener noreferrer",
      style: {
        color: '#58a6ff',
        textDecoration: 'none',
        fontSize: 11
      }
    }, '\u2197')));
  })))), totalPages > 1 && /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      justifyContent: 'center',
      gap: 6,
      marginTop: 14
    }
  }, /*#__PURE__*/React.createElement("button", {
    onClick: () => setPage(Math.max(0, page - 1)),
    disabled: page === 0,
    style: {
      padding: '6px 14px',
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 6,
      color: page === 0 ? '#21262d' : '#c8ccd4',
      cursor: page === 0 ? 'default' : 'pointer',
      fontSize: 12
    }
  }, '\u2190', " Prev"), /*#__PURE__*/React.createElement("span", {
    style: {
      padding: '6px 14px',
      color: '#6e7681',
      fontSize: 12,
      fontFamily: mono
    }
  }, page + 1, " / ", totalPages), /*#__PURE__*/React.createElement("button", {
    onClick: () => setPage(Math.min(totalPages - 1, page + 1)),
    disabled: page >= totalPages - 1,
    style: {
      padding: '6px 14px',
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 6,
      color: page >= totalPages - 1 ? '#21262d' : '#c8ccd4',
      cursor: page >= totalPages - 1 ? 'default' : 'pointer',
      fontSize: 12
    }
  }, "Next ", '\u2192')));
}
const FEED_BASE = 'feeds/';
const FEEDS = [{
  name: 'STIX 2.1 Bundle',
  plat: 'OpenCTI / TAXII',
  desc: 'Indicators + Malware SDOs + Relationships. Confidence scores.',
  file: 'stix2_bundle.json'
}, {
  name: 'MISP Event',
  plat: 'MISP',
  desc: 'Attributes + SHA-256 hashes + annotation objects.',
  file: 'misp_event.json'
}, {
  name: 'MISP Warning List',
  plat: 'MISP',
  desc: 'Warning list for correlation.',
  file: 'misp_warninglist.json'
}, {
  name: 'OpenCTI CSV',
  plat: 'OpenCTI',
  desc: 'CSV with x_opencti_score, confidence.',
  file: 'opencti_import.csv'
}, {
  name: 'Splunk Lookup',
  plat: 'Splunk',
  desc: 'Lookup table with wildcard patterns + SHA-256.',
  file: 'splunk_lookup_browser_extensions.csv'
}, {
  name: 'Sigma Rules',
  plat: 'Sigma / SIEM',
  desc: '13+ rules: process, file, registry, SHA-256 hash.',
  file: 'sigma_rules_browser_extensions.yml'
}, {
  name: 'Elastic Threat Intel',
  plat: 'Elasticsearch',
  desc: 'ECS NDJSON with file hashes, TLP:CLEAR.',
  file: 'elastic_threat_intel.ndjson'
}, {
  name: 'Elastic Detection Rule',
  plat: 'Elastic Security',
  desc: 'KQL rule + MITRE T1176.',
  file: 'elastic_detection_rule.ndjson'
}, {
  name: 'Sentinel KQL',
  plat: 'Microsoft Sentinel',
  desc: '3 MDE tables with has_any.',
  file: 'sentinel_analytics_rule.kql'
}, {
  name: 'Sentinel Watchlist',
  plat: 'Microsoft Sentinel',
  desc: 'CSV for Watchlist import with SHA-256.',
  file: 'sentinel_watchlist.csv'
}, {
  name: 'YARA Rules',
  plat: 'YARA',
  desc: 'By category + CRX SHA-256 hash matching.',
  file: 'yara_browser_extensions.yar'
}, {
  name: 'Suricata Rules',
  plat: 'Suricata / Snort',
  desc: 'http.uri + flow:to_server,established.',
  file: 'suricata_browser_extensions.rules'
}, {
  name: 'OpenIOC',
  plat: 'OpenIOC / Mandiant',
  desc: 'FileItem + RegistryItem + SHA-256.',
  file: 'openioc_browser_extensions.ioc'
}, {
  name: 'JSON Feed',
  plat: 'Universal',
  desc: 'Full metadata with SHA-256 hashes.',
  file: 'extsentry_feed.json'
}, {
  name: 'Enriched CSV',
  plat: 'Universal',
  desc: 'CSV with severity, SHA-256, URLs.',
  file: 'extsentry_ioc_feed.csv'
}, {
  name: 'Plain IOC Lists',
  plat: 'Any',
  desc: 'Extension IDs + SHA-256 hashes, one per line.',
  file: 'ioc_all_extension_ids.txt',
  malFile: 'ioc_malicious_extension_ids.txt',
  sensFile: 'ioc_suspicious_extension_ids.txt'
}];
const PERM_RISK = [{
  p: '<all_urls>',
  risk: 'Critical',
  score: 10,
  mitre: 'T1185',
  desc: 'Browser Session Hijacking - access ALL website content, forms, and credentials'
}, {
  p: '*://*/*',
  risk: 'Critical',
  score: 10,
  mitre: 'T1185',
  desc: 'Browser Session Hijacking - equivalent to <all_urls>'
}, {
  p: 'webRequest',
  risk: 'Critical',
  score: 9,
  mitre: 'T1557',
  desc: 'Adversary-in-the-Middle - intercept all HTTP requests and responses'
}, {
  p: 'webRequestBlocking',
  risk: 'Critical',
  score: 10,
  mitre: 'T1557',
  desc: 'Adversary-in-the-Middle - modify/block HTTP traffic in real-time'
}, {
  p: 'cookies',
  risk: 'Critical',
  score: 9,
  mitre: 'T1539',
  desc: 'Steal Web Session Cookie - read/write cookies for any domain'
}, {
  p: 'nativeMessaging',
  risk: 'Critical',
  score: 10,
  mitre: 'T1106',
  desc: 'Native API - execute local binaries, full system access possible'
}, {
  p: 'management',
  risk: 'Critical',
  score: 9,
  mitre: 'T1562.001',
  desc: 'Disable or Modify Tools - manage/disable/remove other extensions'
}, {
  p: 'debugger',
  risk: 'Critical',
  score: 10,
  mitre: 'T1185',
  desc: 'Browser Session Hijacking - full Chrome DevTools protocol access'
}, {
  p: 'downloads',
  risk: 'High',
  score: 7,
  mitre: 'T1105',
  desc: 'Ingress Tool Transfer - download files silently to the system'
}, {
  p: 'downloads.open',
  risk: 'High',
  score: 8,
  mitre: 'T1204.002',
  desc: 'Malicious File - open downloaded files, trigger execution'
}, {
  p: 'history',
  risk: 'High',
  score: 6,
  mitre: 'T1217',
  desc: 'Browser Information Discovery - read full browsing history'
}, {
  p: 'bookmarks',
  risk: 'Medium',
  score: 4,
  mitre: 'T1217',
  desc: 'Browser Information Discovery - read/modify bookmarks'
}, {
  p: 'clipboardRead',
  risk: 'High',
  score: 7,
  mitre: 'T1115',
  desc: 'Clipboard Data - read clipboard (passwords, tokens, 2FA codes)'
}, {
  p: 'clipboardWrite',
  risk: 'Medium',
  score: 3,
  mitre: 'T1115',
  desc: 'Clipboard Data - write to clipboard'
}, {
  p: 'proxy',
  risk: 'High',
  score: 8,
  mitre: 'T1090',
  desc: 'Proxy - redirect all browser traffic through attacker proxy'
}, {
  p: 'tabs',
  risk: 'Medium',
  score: 5,
  mitre: 'T1185',
  desc: 'Browser Session Hijacking - see all open tab URLs and titles'
}, {
  p: 'activeTab',
  risk: 'Low',
  score: 2,
  mitre: 'T1185',
  desc: 'Limited to current tab on user click - low risk if alone'
}, {
  p: 'storage',
  risk: 'Low',
  score: 1,
  mitre: '',
  desc: 'Extension local storage - normal for any extension'
}, {
  p: 'alarms',
  risk: 'Low',
  score: 1,
  mitre: '',
  desc: 'Periodic timers - normal for any extension'
}, {
  p: 'notifications',
  risk: 'Low',
  score: 2,
  mitre: 'T1204',
  desc: 'User Execution - can display fake notifications for phishing'
}, {
  p: 'geolocation',
  risk: 'Medium',
  score: 5,
  mitre: 'T1614',
  desc: 'System Location Discovery - track user physical location'
}, {
  p: 'topSites',
  risk: 'Medium',
  score: 4,
  mitre: 'T1217',
  desc: 'Browser Information Discovery - read most visited sites'
}, {
  p: 'webNavigation',
  risk: 'Medium',
  score: 5,
  mitre: 'T1185',
  desc: 'Browser Session Hijacking - monitor all navigation events'
}, {
  p: 'declarativeNetRequest',
  risk: 'Medium',
  score: 5,
  mitre: 'T1557',
  desc: 'Adversary-in-the-Middle - modify network requests via rules'
}, {
  p: 'scripting',
  risk: 'High',
  score: 7,
  mitre: 'T1059',
  desc: 'Command and Scripting Interpreter - inject scripts into pages'
}, {
  p: 'identity',
  risk: 'High',
  score: 6,
  mitre: 'T1078',
  desc: 'Valid Accounts - access user OAuth tokens'
}, {
  p: 'contentSettings',
  risk: 'Medium',
  score: 4,
  mitre: 'T1562',
  desc: 'Impair Defenses - modify site permissions (camera, mic, JS)'
}, {
  p: 'privacy',
  risk: 'Medium',
  score: 4,
  mitre: 'T1562',
  desc: 'Impair Defenses - modify browser privacy settings'
}, {
  p: 'system.cpu',
  risk: 'Low',
  score: 2,
  mitre: 'T1082',
  desc: 'System Information Discovery'
}, {
  p: 'system.memory',
  risk: 'Low',
  score: 2,
  mitre: 'T1082',
  desc: 'System Information Discovery'
}, {
  p: 'system.storage',
  risk: 'Low',
  score: 2,
  mitre: 'T1082',
  desc: 'System Information Discovery'
}, {
  p: 'tts',
  risk: 'Low',
  score: 1,
  mitre: '',
  desc: 'Text-to-speech - minimal risk'
}, {
  p: 'unlimitedStorage',
  risk: 'Low',
  score: 2,
  mitre: 'T1074',
  desc: 'Data Staged - unlimited local storage for staging exfil'
}, {
  p: 'desktopCapture',
  risk: 'Critical',
  score: 9,
  mitre: 'T1113',
  desc: 'Screen Capture - capture screen/window content'
}, {
  p: 'tabCapture',
  risk: 'Critical',
  score: 9,
  mitre: 'T1113',
  desc: 'Screen Capture - capture tab audio/video stream'
}, {
  p: 'pageCapture',
  risk: 'High',
  score: 7,
  mitre: 'T1005',
  desc: 'Data from Local System - save complete pages as MHTML'
}];
function buildContributeUrl(extId) {
  const fields = ['browser_extension (name): ', 'browser_extension_id: ' + (extId || ''), 'metadata_category (e.g. malware, compromised, scam, PUP, PROXY/VPN): ', 'metadata_type (e.g. malicious, deceptive, offensive, phishing, greyware): ', 'metadata_link (reference URL): ', 'metadata_comment: ', 'crx_file_sha256 (if available): '];
  return 'https://github.com/mthcht/awesome-lists/issues/new?' + 'labels=new-extension-ioc' + '&title=' + encodeURIComponent('[Browser Extension IOC] ' + (extId || 'New submission')) + '&body=' + encodeURIComponent(fields.join('\n'));
}
const CONTRIBUTE_URL = buildContributeUrl('');
function CopyBlock({
  title,
  code
}) {
  const [copied, setCopied] = useState(false);
  const copy = () => {
    navigator.clipboard && navigator.clipboard.writeText(code);
    setCopied(true);
    setTimeout(() => setCopied(false), 2000);
  };
  return /*#__PURE__*/React.createElement("div", {
    style: {
      marginBottom: 16
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      justifyContent: 'space-between',
      alignItems: 'center',
      marginBottom: 6
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 12,
      fontWeight: 600,
      color: '#e6edf3'
    }
  }, title), /*#__PURE__*/React.createElement("button", {
    onClick: copy,
    style: {
      padding: '4px 12px',
      background: '#161b22',
      border: '1px solid #30363d',
      borderRadius: 6,
      color: copied ? '#3fb950' : '#8b949e',
      cursor: 'pointer',
      fontSize: 11,
      fontFamily: mono
    }
  }, copied ? 'Copied' : 'Copy')), /*#__PURE__*/React.createElement(Code, null, code));
}
function ContributeBtn() {
  return /*#__PURE__*/React.createElement("a", {
    href: CONTRIBUTE_URL,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      display: 'inline-flex',
      alignItems: 'center',
      gap: 6,
      padding: '6px 14px',
      background: '#3fb95015',
      border: '1px solid #3fb95033',
      borderRadius: 6,
      color: '#3fb950',
      fontSize: 11,
      textDecoration: 'none',
      fontFamily: mono,
      fontWeight: 600
    }
  }, "+ Contribute extension");
}
function ExtensionChecker() {
  const [subTab, setSubTab] = useState('check');
  const [extId, setExtId] = useState('');
  const [manifest, setManifest] = useState('');
  const [result, setResult] = useState(null);
  const [permResult, setPermResult] = useState(null);
  const [crxError, setCrxError] = useState('');
  const [invScript, setInvScript] = useState('python');
  const ALL = [...DATA_MAL, ...DATA_SENS];
  const checkId = useCallback(id => {
    const clean = (id || '').trim().replace(/\*/g, '');
    if (!clean) return;
    const match = ALL.find(r => r.id === clean);
    if (match) {
      setResult({
        found: true,
        feed: DATA_MAL.includes(match) ? 'malicious' : 'sensitive',
        ...match
      });
    } else {
      setResult({
        found: false,
        id: clean
      });
    }
  }, []);
  const analyzePermissions = useCallback(json => {
    try {
      const m = JSON.parse(json);
      const perms = [...(m.permissions || []), ...(m.optional_permissions || [])];
      const hosts = [...(m.host_permissions || [])];
      const allPerms = [...perms, ...hosts];
      const cs = (m.content_scripts || []).flatMap(s => s.matches || []);
      const bg = m.background || {};
      const matched = [];
      let total = 0;
      allPerms.forEach(p => {
        const info = PERM_RISK.find(r => p.includes(r.p) || r.p.includes(p));
        if (info) {
          matched.push({
            ...info,
            granted: p
          });
          total += info.score;
        } else {
          matched.push({
            p,
            granted: p,
            risk: 'Unknown',
            score: 0,
            mitre: '',
            desc: 'Not in risk database'
          });
        }
      });
      const level = total >= 20 ? 'CRITICAL' : total >= 12 ? 'HIGH' : total >= 6 ? 'MEDIUM' : 'LOW';
      const color = {
        CRITICAL: '#f85149',
        HIGH: '#db6d28',
        MEDIUM: '#d29922',
        LOW: '#3fb950'
      }[level];
      setPermResult({
        name: m.name || 'Unknown',
        version: m.version || '?',
        manifestVersion: m.manifest_version || 2,
        description: m.description || '',
        perms: matched.sort((a, b) => b.score - a.score),
        hosts,
        contentScripts: cs,
        background: bg,
        total,
        level,
        color
      });
    } catch (e) {
      setPermResult({
        error: 'Invalid JSON: ' + e.message
      });
    }
  }, []);
  const handleCrx = useCallback(async file => {
    setCrxError('');
    setPermResult(null);
    try {
      const buf = await file.arrayBuffer();
      const bytes = new Uint8Array(buf);
      let zipStart = 0;
      for (let i = 0; i < Math.min(bytes.length, 1000); i++) {
        if (bytes[i] === 0x50 && bytes[i + 1] === 0x4B && bytes[i + 2] === 0x03 && bytes[i + 3] === 0x04) {
          zipStart = i;
          break;
        }
      }
      const zipData = new Uint8Array(bytes.slice(zipStart));
      let pos = zipData.length - 22;
      while (pos > 0 && !(zipData[pos] === 0x50 && zipData[pos + 1] === 0x4B && zipData[pos + 2] === 0x05 && zipData[pos + 3] === 0x06)) pos--;
      if (pos <= 0) {
        setCrxError('Could not find ZIP end-of-central-directory');
        return;
      }
      const cdOffset = zipData[pos + 16] | zipData[pos + 17] << 8 | zipData[pos + 18] << 16 | zipData[pos + 19] << 24;
      const cdCount = zipData[pos + 10] | zipData[pos + 11] << 8;
      let cdPos = cdOffset;
      const entries = [];
      for (let i = 0; i < cdCount; i++) {
        if (zipData[cdPos] !== 0x50 || zipData[cdPos + 1] !== 0x4B || zipData[cdPos + 2] !== 0x01 || zipData[cdPos + 3] !== 0x02) break;
        const nameLen = zipData[cdPos + 28] | zipData[cdPos + 29] << 8;
        const extraLen = zipData[cdPos + 30] | zipData[cdPos + 31] << 8;
        const commentLen = zipData[cdPos + 32] | zipData[cdPos + 33] << 8;
        const localOff = zipData[cdPos + 42] | zipData[cdPos + 43] << 8 | zipData[cdPos + 44] << 16 | zipData[cdPos + 45] << 24;
        const name = new TextDecoder().decode(zipData.slice(cdPos + 46, cdPos + 46 + nameLen));
        entries.push({
          name,
          localOff
        });
        cdPos += 46 + nameLen + extraLen + commentLen;
      }
      const mEntry = entries.find(e => e.name === 'manifest.json');
      if (!mEntry) {
        setCrxError('No manifest.json found in CRX/XPI file');
        return;
      }
      const lh = mEntry.localOff;
      const lhNameLen = zipData[lh + 26] | zipData[lh + 27] << 8;
      const lhExtraLen = zipData[lh + 28] | zipData[lh + 29] << 8;
      const compSize = zipData[lh + 18] | zipData[lh + 19] << 8 | zipData[lh + 20] << 16 | zipData[lh + 21] << 24;
      const compMethod = zipData[lh + 8] | zipData[lh + 9] << 8;
      const dataStart = lh + 30 + lhNameLen + lhExtraLen;
      const compData = zipData.slice(dataStart, dataStart + compSize);
      let text;
      if (compMethod === 0) {
        text = new TextDecoder().decode(compData);
      } else {
        const ds = new DecompressionStream('deflate-raw');
        const writer = ds.writable.getWriter();
        writer.write(compData);
        writer.close();
        const rdr = ds.readable.getReader();
        const chunks = [];
        while (true) {
          const {
            done,
            value
          } = await rdr.read();
          if (done) break;
          chunks.push(value);
        }
        const totalLen = chunks.reduce((a, c) => a + c.length, 0);
        const out = new Uint8Array(totalLen);
        let off = 0;
        chunks.forEach(c => {
          out.set(c, off);
          off += c.length;
        });
        text = new TextDecoder().decode(out);
      }
      setManifest(text);
      analyzePermissions(text);
    } catch (e) {
      setCrxError('Error reading file: ' + e.message);
    }
  }, [analyzePermissions]);
  const subs = [{
    id: 'check',
    l: 'Check Extension ID'
  }, {
    id: 'analyze',
    l: 'Analyze Permissions'
  }, {
    id: 'inventory',
    l: 'Endpoint Inventory'
  }];
  return /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 15,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 6
    }
  }, "Extension Checker"), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#6e7681',
      marginBottom: 16
    }
  }, "Check extension IDs against ExtSentry feeds, analyze permissions with MITRE ATT&CK mapping, upload CRX/XPI files for static analysis, or run inventory scripts on endpoints."), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 4,
      marginBottom: 20
    }
  }, subs.map(s => /*#__PURE__*/React.createElement("button", {
    key: s.id,
    onClick: () => setSubTab(s.id),
    style: {
      background: subTab === s.id ? '#161b22' : 'transparent',
      border: subTab === s.id ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      color: subTab === s.id ? '#58a6ff' : '#6e7681',
      padding: '7px 14px',
      borderRadius: 6,
      cursor: 'pointer',
      fontSize: 12,
      fontWeight: subTab === s.id ? 700 : 400
    }
  }, s.l))), subTab === 'check' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Section, {
    title: "Check Extension ID against ExtSentry feeds"
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 8,
      marginBottom: 12
    }
  }, /*#__PURE__*/React.createElement("input", {
    value: extId,
    onChange: e => setExtId(e.target.value),
    onKeyDown: e => e.key === 'Enter' && checkId(extId),
    placeholder: "Paste extension ID (e.g. ajfanjhcdgaohcbphpaceglgpgaaohod)",
    style: {
      flex: 1,
      padding: '10px 14px',
      background: '#161b22',
      border: '1px solid #1b1f27',
      borderRadius: 6,
      color: '#c8ccd4',
      fontSize: 13,
      fontFamily: mono
    }
  }), /*#__PURE__*/React.createElement("button", {
    onClick: () => checkId(extId),
    style: {
      padding: '10px 20px',
      background: '#58a6ff20',
      border: '1px solid #58a6ff33',
      borderRadius: 6,
      color: '#58a6ff',
      cursor: 'pointer',
      fontSize: 12,
      fontWeight: 600
    }
  }, "Check")), result && result.found && /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      borderLeft: '3px solid ' + (result.feed === 'malicious' ? '#f85149' : '#d29922')
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      marginBottom: 8
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      ...S.tag(result.feed === 'malicious' ? '#f85149' : '#d29922')
    }
  }, result.feed === 'malicious' ? 'MALICIOUS' : 'SENSITIVE'), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#e6edf3'
    }
  }, result.name || result.id)), /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Field', 'Value'],
    rows: [['Extension ID', result.id], ['Category', result.category], ['Severity', SV[result.severity] || 'MEDIUM'], ['Description', result.comment || '-'], ...(result.sha256 ? [['CRX SHA-256', result.sha256]] : [])]
  }), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 8,
      marginTop: 10
    }
  }, /*#__PURE__*/React.createElement("a", {
    href: 'https://chromewebstore.google.com/detail/' + result.id,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff',
      fontSize: 12,
      textDecoration: 'none'
    }
  }, "Chrome Web Store"), result.link && result.link !== 'fixme' && result.link !== 'N/A' && /*#__PURE__*/React.createElement("a", {
    href: result.link,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff',
      fontSize: 12,
      textDecoration: 'none'
    }
  }, "Reference"))), result && !result.found && /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      borderLeft: '3px solid #484f58'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      marginBottom: 8
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      ...S.tag('#6e7681')
    }
  }, "NOT IN FEEDS"), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 13,
      color: '#8b949e'
    }
  }, result.id, " was not found in the ExtSentry dataset (", ALL.length, " extensions)")), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12,
      color: '#6e7681',
      lineHeight: 1.7,
      marginBottom: 12
    }
  }, "This extension is not currently tracked. It may be legitimate, too new, or not yet analyzed. Verify it manually using the links below and consider analyzing its permissions in the ", /*#__PURE__*/React.createElement("strong", {
    style: {
      color: '#8b949e'
    }
  }, "Analyze Permissions"), " tab."), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      flexWrap: 'wrap',
      gap: 8,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement("a", {
    href: 'https://chromewebstore.google.com/detail/' + result.id,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      display: 'inline-flex',
      padding: '6px 12px',
      background: '#161b22',
      border: '1px solid #30363d',
      borderRadius: 6,
      color: '#58a6ff',
      fontSize: 11,
      textDecoration: 'none',
      fontFamily: mono
    }
  }, "Chrome Web Store"), /*#__PURE__*/React.createElement("a", {
    href: 'https://microsoftedge.microsoft.com/addons/search/' + result.id,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      display: 'inline-flex',
      padding: '6px 12px',
      background: '#161b22',
      border: '1px solid #30363d',
      borderRadius: 6,
      color: '#58a6ff',
      fontSize: 11,
      textDecoration: 'none',
      fontFamily: mono
    }
  }, "Edge Add-ons"), /*#__PURE__*/React.createElement("a", {
    href: 'https://www.virustotal.com/gui/search/' + result.id,
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      display: 'inline-flex',
      padding: '6px 12px',
      background: '#161b22',
      border: '1px solid #30363d',
      borderRadius: 6,
      color: '#58a6ff',
      fontSize: 11,
      textDecoration: 'none',
      fontFamily: mono
    }
  }, "VirusTotal")), /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, /*#__PURE__*/React.createElement("strong", null, "What to check manually:"), " review the extension listing for suspicious developer info, recent ownership changes, excessive permissions relative to its stated purpose, low install count with high ratings (fake reviews), and recently added permissions. If the extension is malicious, please report it."), /*#__PURE__*/React.createElement("div", {
    style: {
      marginTop: 12
    }
  }, /*#__PURE__*/React.createElement("a", {
    href: buildContributeUrl(result.id),
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      display: 'inline-flex',
      alignItems: 'center',
      gap: 6,
      padding: '6px 14px',
      background: '#3fb95015',
      border: '1px solid #3fb95033',
      borderRadius: 6,
      color: '#3fb950',
      fontSize: 11,
      textDecoration: 'none',
      fontFamily: mono,
      fontWeight: 600
    }
  }, "+ Report this extension as malicious"))))), subTab === 'analyze' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Section, {
    title: "Analyze manifest.json permissions"
  }, /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12,
      color: '#6e7681',
      marginBottom: 10
    }
  }, "Paste a manifest.json or upload a .crx/.xpi file for a risk score with MITRE ATT&CK technique mapping per permission."), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 8,
      marginBottom: 10,
      alignItems: 'center'
    }
  }, /*#__PURE__*/React.createElement("label", {
    style: {
      padding: '8px 16px',
      background: '#161b22',
      border: '1px solid #1b1f27',
      borderRadius: 6,
      color: '#58a6ff',
      cursor: 'pointer',
      fontSize: 12,
      fontWeight: 600
    }
  }, "Upload CRX/XPI", /*#__PURE__*/React.createElement("input", {
    type: "file",
    accept: ".crx,.xpi,.zip",
    style: {
      display: 'none'
    },
    onChange: e => {
      if (e.target.files[0]) handleCrx(e.target.files[0]);
    }
  })), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 11,
      color: '#484f58'
    }
  }, "or paste manifest.json below")), crxError && /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, crxError), /*#__PURE__*/React.createElement("textarea", {
    value: manifest,
    onChange: e => setManifest(e.target.value),
    placeholder: "{\"manifest_version\": 3, \"name\": \"...\", \"permissions\": [...], ...}",
    style: {
      width: '100%',
      height: 120,
      padding: '12px 14px',
      background: '#161b22',
      border: '1px solid #1b1f27',
      borderRadius: 6,
      color: '#c8ccd4',
      fontSize: 12,
      fontFamily: mono,
      resize: 'vertical',
      marginBottom: 8
    }
  }), /*#__PURE__*/React.createElement("button", {
    onClick: () => analyzePermissions(manifest),
    disabled: !manifest.trim(),
    style: {
      padding: '8px 20px',
      background: manifest.trim() ? '#58a6ff20' : '#161b22',
      border: '1px solid ' + (manifest.trim() ? '#58a6ff33' : '#1b1f27'),
      borderRadius: 6,
      color: manifest.trim() ? '#58a6ff' : '#484f58',
      cursor: manifest.trim() ? 'pointer' : 'default',
      fontSize: 12,
      fontWeight: 600
    }
  }, "Analyze Permissions"), permResult && permResult.error && /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, permResult.error), permResult && !permResult.error && /*#__PURE__*/React.createElement("div", {
    style: {
      marginTop: 16
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      borderLeft: '3px solid ' + permResult.color,
      marginBottom: 16
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      marginBottom: 6,
      flexWrap: 'wrap'
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      ...S.tag(permResult.color)
    }
  }, permResult.level), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#e6edf3'
    }
  }, permResult.name, " v", permResult.version), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 11,
      color: '#484f58'
    }
  }, "Manifest V", permResult.manifestVersion), /*#__PURE__*/React.createElement("span", {
    style: {
      marginLeft: 'auto',
      fontSize: 18,
      fontWeight: 800,
      color: permResult.color,
      fontFamily: mono
    }
  }, permResult.total), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 11,
      color: '#484f58'
    }
  }, "risk score")), permResult.description && /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12,
      color: '#6e7681',
      marginBottom: 8
    }
  }, permResult.description), permResult.contentScripts.length > 0 && /*#__PURE__*/React.createElement("div", {
    style: {
      marginTop: 8
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 11,
      color: '#58a6ff',
      fontWeight: 600
    }
  }, "Content scripts target: "), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 11,
      color: '#8b949e',
      fontFamily: mono
    }
  }, permResult.contentScripts.join(', ')))), /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Permission', 'Risk', 'Score', 'MITRE ATT&CK', 'Description'],
    rows: permResult.perms.map(p => [p.granted || p.p, p.risk, String(p.score) + '/10', p.mitre || '-', p.desc])
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "Risk score is additive. Critical: 20+, High: 12-19, Medium: 6-11, Low: 0-5. Extensions combining ", /*#__PURE__*/React.createElement("strong", null, "webRequest + cookies + <all_urls>"), " should be treated as high-risk regardless of stated purpose.")))), subTab === 'inventory' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement(Section, {
    title: "Endpoint Extension Inventory"
  }, /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.8,
      marginBottom: 12
    }
  }, "Run these scripts on endpoints to collect ", /*#__PURE__*/React.createElement("strong", null, "all installed browser extensions"), " (Chrome, Edge, Brave, Firefox) across all profiles with full details. The scripts then auto-download the ExtSentry feed from GitHub and ", /*#__PURE__*/React.createElement("strong", null, "flag any known malicious or sensitive extensions"), " directly in the output. Deploy via your RMM/MDM (Intune, SCCM, Jamf, Ansible) or EDR live response for fleet-wide collection."), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 4,
      marginBottom: 16
    }
  }, [{
    id: 'python',
    l: 'Python 3 (Recommended)'
  }, {
    id: 'ps',
    l: 'PowerShell (Windows)'
  }, {
    id: 'bash',
    l: 'Bash (Linux/macOS)'
  }].map(s => /*#__PURE__*/React.createElement("button", {
    key: s.id,
    onClick: () => setInvScript(s.id),
    style: {
      background: invScript === s.id ? '#161b22' : 'transparent',
      border: invScript === s.id ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      color: invScript === s.id ? '#58a6ff' : '#6e7681',
      padding: '6px 12px',
      borderRadius: 6,
      cursor: 'pointer',
      fontSize: 11,
      fontWeight: invScript === s.id ? 700 : 400
    }
  }, s.l)))), invScript === 'python' && /*#__PURE__*/React.createElement(CopyBlock, {
    title: "Python 3 - Cross-Platform (Windows / macOS / Linux)",
    code: INVENTORY_PY
  }), invScript === 'ps' && /*#__PURE__*/React.createElement(CopyBlock, {
    title: "PowerShell - Windows",
    code: INVENTORY_PS
  }), invScript === 'bash' && /*#__PURE__*/React.createElement(CopyBlock, {
    title: "Bash - Linux / macOS",
    code: INVENTORY_BASH
  }), /*#__PURE__*/React.createElement(Section, {
    title: "Output"
  }, /*#__PURE__*/React.createElement(MiniTable, {
    headers: ['Column', 'Description'],
    rows: [['Computer', 'Hostname'], ['User', 'Username'], ['Browser', 'Chrome / Edge / Brave / Firefox'], ['Profile', 'Browser profile name'], ['ExtensionID', '32-char Chromium ID or Firefox GUID'], ['Name', 'Display name from manifest.json'], ['Version', 'Installed version'], ['Permissions', 'All declared permissions'], ['InstallDate', 'First install timestamp (Chromium: Secure Preferences install_time or dir creation time, Firefox: installDate)'], ['UpdatedDate', 'Last update timestamp (Chromium: last_update_time or manifest.json mtime, Firefox: updateDate)'], ['Source', 'WebStore / External / Policy / Sideloaded / AMO / System/Built-in / Unknown'], ['IsSystem', 'Yes/No - flags Firefox built-in addons (formautofill, pictureinpicture, etc.)'], ['WebStoreURL', 'Chrome Web Store URL or Firefox sourceURI (AMO download URL)'], ['Source', 'WebStore / External / Policy / Sideloaded / Unknown'], ['EXTSENTRY_MATCH', 'MALICIOUS / SENSITIVE / clean - auto-detected against ExtSentry feed'], ['EXTSENTRY_CATEGORY', 'Category from ExtSentry (malware, compromised, scam, PUP, etc.)']]
  }), /*#__PURE__*/React.createElement(Callout, {
    type: "tip"
  }, "For fleet-wide analysis: collect CSVs from all endpoints, merge them, then filter on ", /*#__PURE__*/React.createElement("code", {
    style: {
      color: '#a5d6ff'
    }
  }, "EXTSENTRY_MATCH"), " column to instantly identify threats. Or import into your SIEM as a lookup table for ongoing correlation."))));
}
const INVENTORY_PY = ["#!/usr/bin/env python3", "\"\"\"ExtSentry - Browser Extension Inventory & Threat Scanner v3", "Scans ALL user profiles on the system (not just current user).", "Run as Administrator/root for full visibility across all accounts.\"\"\"", "import json, csv, os, platform, socket, sys, urllib.request", "from pathlib import Path", "from datetime import datetime, timedelta", "", "EXTSENTRY_URL = \"https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/Browser%20Extensions/browser_extensions_list.csv\"", "", "def load_extsentry():", "    iocs = {}", "    try:", "        print(\"[*] Downloading ExtSentry feed...\")", "        req = urllib.request.Request(EXTSENTRY_URL, headers={\"User-Agent\": \"ExtSentry-Scanner/3.0\"})", "        with urllib.request.urlopen(req, timeout=15) as resp:", "            import io", "            for row in csv.DictReader(io.StringIO(resp.read().decode(\"utf-8\"))):", "                eid = row.get(\"browser_extension_id\", \"\").strip()", "                if eid:", "                    cat = row.get(\"metadata_category\", \"\").strip()", "                    typ = row.get(\"metadata_type\", \"\").strip()", "                    feed = \"SENSITIVE\" if cat in (\"cryptocurrency\", \"password manager\") or typ == \"sensitive\" else \"MALICIOUS\"", "                    iocs[eid] = {\"feed\": feed, \"category\": cat, \"comment\": row.get(\"metadata_comment\", \"\").strip()}", "            print(f\"[+] Loaded {len(iocs)} ExtSentry IOCs\")", "    except Exception as e:", "        print(f\"[!] Could not download feed: {e}\")", "    return iocs", "", "def chrome_time(t):", "    try:", "        if not t or str(t) == \"0\": return \"\"", "        dt = datetime(1601, 1, 1) + timedelta(microseconds=int(t))", "        if dt.year < 2000 or dt.year > 2100: return \"\"", "        return dt.strftime(\"%Y-%m-%d %H:%M:%S\")", "    except: return \"\"", "", "def resolve_msg_name(name, ext_path):", "    if not name or not name.startswith(\"__MSG_\") or not name.endswith(\"__\"): return name", "    key = name[6:-2]", "    for locale in [\"en\", \"en_US\", \"en_GB\", \"default\"]:", "        msg_file = ext_path / \"_locales\" / locale / \"messages.json\"", "        if msg_file.exists():", "            try:", "                msgs = json.loads(msg_file.read_text(encoding=\"utf-8\", errors=\"ignore\"))", "                for k, v in msgs.items():", "                    if k.lower() == key.lower(): return v.get(\"message\", name)", "            except: pass", "    return name", "", "def get_install_info(prefs_path, ext_id):", "    install_time, update_time, source = \"\", \"\", \"Unknown\"", "    for p in [prefs_path, prefs_path.parent / \"Preferences\"]:", "        if not p.exists(): continue", "        try:", "            data = json.loads(p.read_text(encoding=\"utf-8\", errors=\"ignore\"))", "            info = data.get(\"extensions\", {}).get(\"settings\", {}).get(ext_id, {})", "            if not info: continue", "            if not install_time: install_time = chrome_time(info.get(\"install_time\", \"0\"))", "            if not update_time: update_time = chrome_time(info.get(\"last_update_time\", \"0\"))", "            loc = info.get(\"location\", -1)", "            loc_map = {1:\"WebStore\",4:\"ExternalPref\",5:\"ExternalRegistry\",6:\"Unpacked\",7:\"Component\",8:\"ExternalPrefDownload\",9:\"PolicyDownload\",10:\"CommandLine\",11:\"Policy\",12:\"ExternalComponent\"}", "            if loc in loc_map: source = loc_map[loc]", "            if install_time: break", "        except: pass", "    return install_time, update_time, source", "", "def get_all_user_homes():", "    s = platform.system()", "    homes = {}", "    if s == \"Windows\":", "        users_dir = Path(os.environ.get(\"SystemDrive\", \"C:\") + \"/Users\")", "        skip = {\"Public\", \"Default\", \"Default User\", \"All Users\"}", "        if users_dir.exists():", "            for d in sorted(users_dir.iterdir()):", "                if d.is_dir() and d.name not in skip and not d.name.startswith(\".\"): homes[d.name] = d", "    elif s == \"Darwin\":", "        for d in sorted(Path(\"/Users\").iterdir()):", "            if d.is_dir() and d.name not in (\"Shared\", \".localized\") and not d.name.startswith(\".\"): homes[d.name] = d", "    else:", "        for d in sorted(Path(\"/home\").iterdir()):", "            if d.is_dir() and not d.name.startswith(\".\"): homes[d.name] = d", "        if Path(\"/root\").exists(): homes[\"root\"] = Path(\"/root\")", "    return homes", "", "def browser_paths(home, s):", "    if s == \"Windows\":", "        la = home / \"AppData\" / \"Local\"; ad = home / \"AppData\" / \"Roaming\"", "        return {\"Chrome\": la/\"Google\"/\"Chrome\"/\"User Data\", \"Edge\": la/\"Microsoft\"/\"Edge\"/\"User Data\", \"Brave\": la/\"BraveSoftware\"/\"Brave-Browser\"/\"User Data\", \"Firefox\": ad/\"Mozilla\"/\"Firefox\"/\"Profiles\"}", "    elif s == \"Darwin\":", "        lib = home / \"Library\" / \"Application Support\"", "        return {\"Chrome\": lib/\"Google\"/\"Chrome\", \"Edge\": lib/\"Microsoft Edge\", \"Brave\": lib/\"BraveSoftware\"/\"Brave-Browser\", \"Firefox\": lib/\"Firefox\"/\"Profiles\"}", "    else:", "        cfg = home / \".config\"", "        return {\"Chrome\": cfg/\"google-chrome\", \"Edge\": cfg/\"microsoft-edge\", \"Brave\": cfg/\"BraveSoftware\"/\"Brave-Browser\", \"Firefox\": home/\".mozilla\"/\"firefox\"}", "", "def scan_chromium(base, browser_name, username, iocs):", "    results = []", "    if not base.exists(): return results", "    for pd in sorted(base.iterdir()):", "        if not pd.is_dir() or not (pd.name.startswith(\"Default\") or pd.name.startswith(\"Profile\")): continue", "        ext_dir = pd / \"Extensions\"; sec_prefs = pd / \"Secure Preferences\"", "        if not ext_dir.exists(): continue", "        for edir in sorted(ext_dir.iterdir()):", "            if not edir.is_dir(): continue", "            ext_id = edir.name", "            if len(ext_id) != 32 or not ext_id.isalpha(): continue", "            versions = sorted([v for v in edir.iterdir() if v.is_dir()], reverse=True)", "            if not versions: continue", "            vp = versions[0]; mf = vp / \"manifest.json\"", "            name, version, perms, desc = \"\", \"\", \"\", \"\"", "            if mf.exists():", "                try:", "                    m = json.loads(mf.read_text(encoding=\"utf-8\", errors=\"ignore\"))", "                    name = resolve_msg_name(m.get(\"name\", \"\"), vp)", "                    version = m.get(\"version\", \"\")", "                    desc = resolve_msg_name(m.get(\"description\", \"\"), vp)", "                    all_p = (m.get(\"permissions\") or []) + (m.get(\"host_permissions\") or []) + (m.get(\"optional_permissions\") or [])", "                    perms = \"; \".join(str(p) for p in all_p if p)", "                except: pass", "            it, ut, source = \"\", \"\", \"Unknown\"", "            if sec_prefs.exists(): it, ut, source = get_install_info(sec_prefs, ext_id)", "            if not ut and mf.exists():", "                try: ut = datetime.fromtimestamp(mf.stat().st_mtime).strftime(\"%Y-%m-%d %H:%M:%S\")", "                except: pass", "            if not it:", "                try: it = datetime.fromtimestamp(vp.stat().st_ctime).strftime(\"%Y-%m-%d %H:%M:%S\")", "                except: pass", "            ioc = iocs.get(ext_id, {})", "            results.append({\"Computer\": socket.gethostname(), \"User\": username, \"Browser\": browser_name, \"Profile\": pd.name, \"ExtensionID\": ext_id, \"Name\": name, \"Version\": version, \"Permissions\": perms, \"Description\": desc, \"InstallDate\": it, \"UpdatedDate\": ut, \"Source\": source, \"IsSystem\": \"No\", \"WebStoreURL\": f\"https://chromewebstore.google.com/detail/{ext_id}\", \"EXTSENTRY_MATCH\": ioc.get(\"feed\", \"clean\"), \"EXTSENTRY_CATEGORY\": ioc.get(\"category\", \"\"), \"EXTSENTRY_COMMENT\": ioc.get(\"comment\", \"\")})", "    return results", "", "def scan_firefox(base, username, iocs):", "    results = []", "    if not base.exists(): return results", "    for pd in sorted(base.iterdir()):", "        if not pd.is_dir(): continue", "        ej = pd / \"extensions.json\"", "        if not ej.exists(): continue", "        try:", "            for addon in json.loads(ej.read_text(encoding=\"utf-8\", errors=\"ignore\")).get(\"addons\", []):", "                if addon.get(\"type\") != \"extension\": continue", "                aid = addon.get(\"id\", \"\")", "                is_sys = addon.get(\"isSystem\", False) or addon.get(\"isBuiltin\", False)", "                location = addon.get(\"location\", \"\")", "                if location.startswith(\"app-\") or aid.endswith(\"@mozilla.org\") or aid.endswith(\"@mozilla.com\"): is_sys = True", "                loc = addon.get(\"defaultLocale\") or {}; up = addon.get(\"userPermissions\") or {}", "                idate = udate = \"\"", "                if addon.get(\"installDate\"):", "                    try: idate = datetime.fromtimestamp(int(addon[\"installDate\"])/1000).strftime(\"%Y-%m-%d %H:%M:%S\")", "                    except: pass", "                if addon.get(\"updateDate\"):", "                    try: udate = datetime.fromtimestamp(int(addon[\"updateDate\"])/1000).strftime(\"%Y-%m-%d %H:%M:%S\")", "                    except: pass", "                src = addon.get(\"sourceURI\", \"\")", "                source = \"AMO\" if \"addons.mozilla.org\" in src else \"Profile\" if location == \"app-profile\" else \"System/Built-in\" if is_sys else \"Sideloaded\" if src else \"Unknown\"", "                ioc = iocs.get(aid, {})", "                results.append({\"Computer\": socket.gethostname(), \"User\": username, \"Browser\": \"Firefox\", \"Profile\": pd.name, \"ExtensionID\": aid, \"Name\": addon.get(\"name\") or loc.get(\"name\", \"\"), \"Version\": addon.get(\"version\", \"\"), \"Permissions\": \"; \".join(up.get(\"permissions\", [])), \"Description\": addon.get(\"description\") or loc.get(\"description\", \"\"), \"InstallDate\": idate, \"UpdatedDate\": udate, \"Source\": source, \"IsSystem\": \"Yes\" if is_sys else \"No\", \"WebStoreURL\": src or \"\", \"EXTSENTRY_MATCH\": ioc.get(\"feed\", \"clean\"), \"EXTSENTRY_CATEGORY\": ioc.get(\"category\", \"\"), \"EXTSENTRY_COMMENT\": ioc.get(\"comment\", \"\")})", "        except: pass", "    return results", "", "def main():", "    print(\"=\" * 60)", "    print(\"ExtSentry - Extension Inventory & Threat Scanner v3\")", "    print(\"  Scanning ALL user profiles on this system\")", "    print(\"=\" * 60)", "    iocs = load_extsentry()", "    s = platform.system()", "    homes = get_all_user_homes()", "    print(f\"[*] Found {len(homes)} user(s): {', '.join(homes.keys())}\")", "    all_results = []", "    for username, home in homes.items():", "        cnt = 0", "        for bname, bpath in browser_paths(home, s).items():", "            r = scan_firefox(bpath, username, iocs) if bname == \"Firefox\" else scan_chromium(bpath, bname, username, iocs)", "            all_results.extend(r); cnt += len(r)", "        if cnt: print(f\"    {username}: {cnt} extensions\")", "    out = Path(os.environ.get(\"TEMP\", os.environ.get(\"TMPDIR\", \"/tmp\"))) / \"extension_inventory.csv\"", "    fields = [\"Computer\",\"User\",\"Browser\",\"Profile\",\"ExtensionID\",\"Name\",\"Version\",\"Permissions\",\"Description\",\"InstallDate\",\"UpdatedDate\",\"Source\",\"IsSystem\",\"WebStoreURL\",\"EXTSENTRY_MATCH\",\"EXTSENTRY_CATEGORY\",\"EXTSENTRY_COMMENT\"]", "    with open(out, \"w\", newline=\"\", encoding=\"utf-8\") as f:", "        csv.DictWriter(f, fieldnames=fields).writeheader(); csv.DictWriter(f, fieldnames=fields).writerows(all_results)", "    ue = [r for r in all_results if r[\"IsSystem\"]==\"No\"]; se = [r for r in all_results if r[\"IsSystem\"]==\"Yes\"]", "    mal = sum(1 for r in all_results if r[\"EXTSENTRY_MATCH\"]==\"MALICIOUS\")", "    print(f\"\\n[+] {len(homes)} user(s) scanned: {len(ue)} user ext + {len(se)} system/built-in\")", "    if mal:", "        print(f\"[!] MALICIOUS: {mal}\")", "        for r in all_results:", "            if r[\"EXTSENTRY_MATCH\"]==\"MALICIOUS\": print(f\"    >> [{r['User']}] {r['Browser']}/{r['Profile']}: {r['ExtensionID']} - {r['Name']} [{r['EXTSENTRY_CATEGORY']}]\")", "    print(f\"[+] Report: {out}\")", "", "if __name__ == \"__main__\": main()"].join('\n');
const INVENTORY_PS = ["# ExtSentry - Extension Inventory & Threat Scanner v3 (PowerShell)", "# Scans ALL user profiles. Run as Administrator for full visibility.", "", "$outputFile = \"$env:TEMP\\extension_inventory.csv\"", "$extsentryUrl = \"https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/Browser%20Extensions/browser_extensions_list.csv\"", "", "$iocs = @{}", "try {", "    Write-Host \"[*] Downloading ExtSentry feed...\" -ForegroundColor Cyan", "    $feed = Invoke-WebRequest -Uri $extsentryUrl -UseBasicParsing -TimeoutSec 15", "    foreach ($row in ($feed.Content | ConvertFrom-Csv)) {", "        $eid = $row.browser_extension_id.Trim()", "        if ($eid) {", "            $cat = $row.metadata_category.Trim(); $typ = $row.metadata_type.Trim()", "            $ft = if ($cat -in @(\"cryptocurrency\",\"password manager\") -or $typ -eq \"sensitive\") {\"SENSITIVE\"} else {\"MALICIOUS\"}", "            $iocs[$eid] = @{feed=$ft; category=$cat; comment=$row.metadata_comment.Trim()}", "        }", "    }", "    Write-Host \"[+] Loaded $($iocs.Count) ExtSentry IOCs\" -ForegroundColor Green", "} catch { Write-Host \"[!] Feed download failed: $_\" -ForegroundColor Yellow }", "", "function Resolve-MsgName($name, $extPath) {", "    if ($name -is [array]) { $name = $name[0] }", "    if (!$name -or $name -isnot [string]) { return \"\" }", "    if (!$name.StartsWith(\"__MSG_\") -or !$name.EndsWith(\"__\")) { return $name }", "    $key = $name.Substring(6, $name.Length - 8)", "    foreach ($locale in @(\"en\", \"en_US\", \"en_GB\", \"default\")) {", "        $msgFile = Join-Path $extPath (\"_locales\" + [char]92 + $locale + [char]92 + \"messages.json\")", "        if (Test-Path $msgFile) {", "            try {", "                foreach ($prop in (Get-Content $msgFile -Raw -Encoding UTF8 | ConvertFrom-Json).PSObject.Properties) {", "                    if ($prop.Name -ieq $key) { return [string]$prop.Value.message }", "                }", "            } catch {}", "        }", "    }", "    return [string]$name", "}", "", "function Get-ChromeInstallInfo($profileDir, $extId) {", "    $installDate = \"\"; $updateDate = \"\"; $source = \"Unknown\"", "    foreach ($pf in @(\"Secure Preferences\", \"Preferences\")) {", "        $p = Join-Path $profileDir $pf", "        if (!(Test-Path $p)) { continue }", "        try {", "            $info = (Get-Content $p -Raw | ConvertFrom-Json).extensions.settings.$extId", "            if (!$info) { continue }", "            if (!$installDate -and $info.install_time -and $info.install_time -ne \"0\") {", "                try { $installDate = [datetime]::new(1601,1,1).AddTicks([long]$info.install_time * 10).ToString(\"yyyy-MM-dd HH:mm:ss\") } catch {}", "            }", "            if (!$updateDate -and $info.last_update_time -and $info.last_update_time -ne \"0\") {", "                try { $updateDate = [datetime]::new(1601,1,1).AddTicks([long]$info.last_update_time * 10).ToString(\"yyyy-MM-dd HH:mm:ss\") } catch {}", "            }", "            $lm = @{1=\"WebStore\";4=\"ExternalPref\";5=\"ExternalRegistry\";6=\"Unpacked\";7=\"Component\";8=\"ExternalPrefDownload\";9=\"PolicyDownload\";10=\"CommandLine\";11=\"Policy\";12=\"ExternalComponent\"}", "            if ($lm.ContainsKey([int]$info.location)) { $source = $lm[[int]$info.location] }", "            if ($installDate) { break }", "        } catch {}", "    }", "    return $installDate, $updateDate, $source", "}", "", "# Enumerate ALL user profiles", "$usersDir = Join-Path $env:SystemDrive \"Users\"", "$skip = @(\"Public\", \"Default\", \"Default User\", \"All Users\")", "$userHomes = @()", "Get-ChildItem $usersDir -Directory -ErrorAction SilentlyContinue | Where-Object { $_.Name -notin $skip -and !$_.Name.StartsWith(\".\") } | ForEach-Object {", "    $userHomes += @{Name=$_.Name; Path=$_.FullName}", "}", "Write-Host \"[*] Found $($userHomes.Count) user(s): $($userHomes.Name -join ', ')\" -ForegroundColor Cyan", "", "$results = @()", "foreach ($uh in $userHomes) {", "    $un = $uh.Name; $hp = $uh.Path; $uc = 0", "    foreach ($bp in @(", "        @{N=\"Chrome\"; P=Join-Path $hp \"AppData\\Local\\Google\\Chrome\\User Data\"},", "        @{N=\"Edge\"; P=Join-Path $hp \"AppData\\Local\\Microsoft\\Edge\\User Data\"},", "        @{N=\"Brave\"; P=Join-Path $hp \"AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\"}", "    )) {", "        if (!(Test-Path $bp.P)) { continue }", "        Get-ChildItem $bp.P -Directory | Where-Object { $_.Name -match \"^(Default|Profile)\" } | ForEach-Object {", "            $prof = $_.Name; $pd = $_.FullName", "            $ed = Join-Path $pd \"Extensions\"", "            if (!(Test-Path $ed)) { return }", "            Get-ChildItem $ed -Directory | ForEach-Object {", "                $eid = $_.Name", "                if ($eid.Length -ne 32 -or $eid -notmatch \"^[a-z]+$\") { return }", "                $ver = Get-ChildItem $_.FullName -Directory | Sort-Object Name -Descending | Select-Object -First 1", "                if (!$ver) { return }", "                $mp = Join-Path $ver.FullName \"manifest.json\"", "                $en = \"\"; $pm = \"\"; $ds = \"\"; $vn = $ver.Name", "                if (Test-Path $mp) {", "                    try {", "                        $m = Get-Content $mp -Raw | ConvertFrom-Json", "                        $en = if ($m.name -is [array]) {$m.name -join \"\"} else {[string]$m.name}", "                        $vn = [string]$m.version", "                        $en = Resolve-MsgName $en $ver.FullName", "                        $rd = if ($m.description -is [array]) {$m.description -join \"\"} else {[string]$m.description}", "                        $ds = Resolve-MsgName $rd $ver.FullName", "                        $pm = (($m.permissions + $m.host_permissions + $m.optional_permissions) | Where-Object {$_}) -join \"; \"", "                    } catch {}", "                }", "                $id, $ud, $src = Get-ChromeInstallInfo $pd $eid", "                if (!$ud -and (Test-Path $mp)) { try { $ud = (Get-Item $mp).LastWriteTime.ToString(\"yyyy-MM-dd HH:mm:ss\") } catch {} }", "                if (!$id) { try { $id = $ver.CreationTime.ToString(\"yyyy-MM-dd HH:mm:ss\") } catch {} }", "                $mt = \"clean\"; $ct = \"\"; $cm = \"\"", "                if ($iocs.ContainsKey($eid)) { $mt = $iocs[$eid].feed; $ct = $iocs[$eid].category; $cm = $iocs[$eid].comment }", "                $results += [PSCustomObject]@{Computer=$env:COMPUTERNAME;User=$un;Browser=$bp.N;Profile=$prof;ExtensionID=$eid;Name=$en;Version=$vn;Permissions=$pm;Description=$ds;InstallDate=$id;UpdatedDate=$ud;Source=$src;IsSystem=\"No\";WebStoreURL=\"https://chromewebstore.google.com/detail/$eid\";EXTSENTRY_MATCH=$mt;EXTSENTRY_CATEGORY=$ct;EXTSENTRY_COMMENT=$cm}", "                $uc++", "            }", "        }", "    }", "    # Firefox", "    $fp = Join-Path $hp \"AppData\\Roaming\\Mozilla\\Firefox\\Profiles\"", "    if (Test-Path $fp) {", "        Get-ChildItem $fp -Directory | ForEach-Object {", "            $prof = $_.Name; $ej = Join-Path $_.FullName \"extensions.json\"", "            if (!(Test-Path $ej)) { return }", "            try {", "                foreach ($a in (Get-Content $ej -Raw | ConvertFrom-Json).addons) {", "                    if ($a.type -ne \"extension\") { continue }", "                    $aid = $a.id; $isSys = $false", "                    if ($a.isSystem -eq $true -or $a.isBuiltin -eq $true) { $isSys = $true }", "                    if ($a.location -like \"app-*\" -or $aid -match \"@mozilla\\.(org|com)$\") { $isSys = $true }", "                    $id = \"\"; $ud = \"\"", "                    if ($a.installDate) { try { $id = [datetime]::new(1970,1,1).AddMilliseconds($a.installDate).ToString(\"yyyy-MM-dd HH:mm:ss\") } catch {} }", "                    if ($a.updateDate) { try { $ud = [datetime]::new(1970,1,1).AddMilliseconds($a.updateDate).ToString(\"yyyy-MM-dd HH:mm:ss\") } catch {} }", "                    $su = if ($a.sourceURI) {$a.sourceURI} else {\"\"}", "                    $src = if ($su -match \"addons.mozilla.org\") {\"AMO\"} elseif ($a.location -eq \"app-profile\") {\"Profile\"} elseif ($isSys) {\"System/Built-in\"} elseif ($su) {\"Sideloaded\"} else {\"Unknown\"}", "                    $an = if ($a.name) {$a.name} elseif ($a.defaultLocale.name) {$a.defaultLocale.name} else {\"\"}", "                    $ad = if ($a.description) {$a.description} elseif ($a.defaultLocale.description) {$a.defaultLocale.description} else {\"\"}", "                    $mt = \"clean\"; $ct = \"\"; $cm = \"\"", "                    if ($iocs.ContainsKey($aid)) { $mt = $iocs[$aid].feed; $ct = $iocs[$aid].category; $cm = $iocs[$aid].comment }", "                    $results += [PSCustomObject]@{Computer=$env:COMPUTERNAME;User=$un;Browser=\"Firefox\";Profile=$prof;ExtensionID=$aid;Name=$an;Version=$a.version;Permissions=($a.userPermissions.permissions -join \"; \");Description=$ad;InstallDate=$id;UpdatedDate=$ud;Source=$src;IsSystem=$(if($isSys){\"Yes\"}else{\"No\"});WebStoreURL=$su;EXTSENTRY_MATCH=$mt;EXTSENTRY_CATEGORY=$ct;EXTSENTRY_COMMENT=$cm}", "                    $uc++", "                }", "            } catch {}", "        }", "    }", "    if ($uc -gt 0) { Write-Host \"    ${un}: $uc extensions\" }", "}", "", "$results | Export-Csv -Path $outputFile -NoTypeInformation -Encoding UTF8", "$ue = @($results | Where-Object {$_.IsSystem -ne \"Yes\"}); $se = @($results | Where-Object {$_.IsSystem -eq \"Yes\"})", "$mal = @($results | Where-Object {$_.EXTSENTRY_MATCH -eq \"MALICIOUS\"}).Count", "Write-Host \"`n[+] $($userHomes.Count) user(s) scanned: $($ue.Count) user ext + $($se.Count) system\" -ForegroundColor Green", "if ($mal -gt 0) {", "    Write-Host \"[!] MALICIOUS: $mal\" -ForegroundColor Red", "    $results | Where-Object {$_.EXTSENTRY_MATCH -eq \"MALICIOUS\"} | ForEach-Object {", "        Write-Host \"    >> [$($_.User)] $($_.Browser)/$($_.Profile): $($_.ExtensionID) - $($_.Name) [$($_.EXTSENTRY_CATEGORY)]\" -ForegroundColor Red", "    }", "}", "Write-Host \"[+] Report: $outputFile\" -ForegroundColor Green"].join('\n');
const INVENTORY_BASH = ["#!/bin/bash", "# ExtSentry - Extension Inventory & Threat Scanner v3 (Linux/macOS)", "# Scans ALL users. Run as root/sudo for full visibility.", "# Requires: python3, curl", "", "echo \"============================================================\"", "echo \"ExtSentry - Extension Inventory & Threat Scanner v3\"", "echo \"  Scanning ALL user profiles on this system\"", "echo \"============================================================\"", "", "SCRIPT_URL=\"https://raw.githubusercontent.com/extsentry/extsentry/main/scripts/inventory.py\"", "SCRIPT_FILE=$(mktemp /tmp/extsentry_XXXX.py)", "", "if curl -sL -o \"$SCRIPT_FILE\" \"$SCRIPT_URL\" 2>/dev/null && [ -s \"$SCRIPT_FILE\" ]; then", "    echo \"[+] Running latest scanner from GitHub\"", "    python3 \"$SCRIPT_FILE\"", "else", "    echo \"[!] Could not download - please use the Python script directly\"", "    echo \"    sudo python3 inventory.py\"", "fi", "rm -f \"$SCRIPT_FILE\""].join('\n');
function PolicyGenerator() {
  const [platform, setPlatform] = useState('chrome_gpo');
  const [strategy, setStrategy] = useState('blocklist');
  const [customIds, setCustomIds] = useState('');
  const [output, setOutput] = useState('');
  const [copied, setCopied] = useState(false);
  const malIds = useMemo(() => DATA_MAL.map(r => r.id).filter(id => id && id.length >= 10), []);
  const PLATFORMS = [{
    id: 'chrome_gpo',
    l: 'Chrome / Edge - GPO Registry',
    icon: 'Windows Group Policy'
  }, {
    id: 'chrome_json',
    l: 'Chrome / Edge - ExtensionSettings JSON',
    icon: 'Admin Console / Intune'
  }, {
    id: 'chrome_linux',
    l: 'Chrome / Edge - Linux managed policy',
    icon: '/etc/opt/chrome/policies/'
  }, {
    id: 'firefox_json',
    l: 'Firefox - policies.json',
    icon: 'Enterprise deployment'
  }, {
    id: 'intune_oma',
    l: 'Edge - Intune OMA-URI',
    icon: 'Microsoft Endpoint Manager'
  }];
  const STRATEGIES = [{
    id: 'blocklist',
    l: 'Block known malicious (recommended)',
    desc: 'Allow all extensions except those in the ExtSentry malicious feed. Least disruptive.'
  }, {
    id: 'allowlist',
    l: 'Allow only approved + block all others',
    desc: 'Block everything by default, only allow extensions you explicitly approve. Most secure.'
  }, {
    id: 'block_permissions',
    l: 'Block by dangerous permissions',
    desc: 'Block any extension that requests high-risk permissions like debugger, nativeMessaging, or proxy.'
  }];
  const generatePolicy = useCallback(() => {
    const extra = customIds.split(/[\n,;]+/).map(s => s.trim()).filter(s => s.length >= 10);
    const allBlockIds = [...new Set([...malIds, ...extra])];
    let result = '';
    if (platform === 'chrome_gpo') {
      if (strategy === 'blocklist') {
        result = ['; Chrome/Edge GPO - Block ExtSentry malicious extensions', '; Apply via: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist', '; For Edge:  HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallBlocklist', '; Import with: reg import extsentry_blocklist.reg', '', 'Windows Registry Editor Version 5.00', '', '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist]', ...allBlockIds.map((id, i) => `"${i + 1}"="${id}"`), '', '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallBlocklist]', ...allBlockIds.map((id, i) => `"${i + 1}"="${id}"`)].join('\n');
      } else if (strategy === 'allowlist') {
        result = ['; Chrome/Edge GPO - Block all, allow only approved extensions', '; Step 1: Block all extensions', '; Step 2: Add approved IDs to the allowlist', '', 'Windows Registry Editor Version 5.00', '', '; Block ALL extensions by default', '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallBlocklist]', '"1"="*"', '', '; Allowlist - add your approved extension IDs here', '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist]', '; "1"="cjpalhdlnbpafiamejdnhcphjbkeiagm"', '; "2"="YOUR_EXTENSION_ID_HERE"', '', '; Same for Edge', '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallBlocklist]', '"1"="*"', '', '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallAllowlist]', '; "1"="cjpalhdlnbpafiamejdnhcphjbkeiagm"', '; "2"="YOUR_EXTENSION_ID_HERE"'].join('\n');
      } else {
        result = ['; Chrome/Edge GPO - Block extensions by dangerous permissions', '; NOTE: blocked_permissions requires ExtensionSettings JSON policy.', '; Registry (REG_MULTI_SZ) format is complex and error-prone.', '; Use the "ExtensionSettings JSON" platform tab instead for permission blocking.', ';', '; Alternatively, deploy via reg.exe commands:', '', 'Windows Registry Editor Version 5.00', '', '; For permission-based blocking, use the ExtensionSettings JSON format', '; and deploy via Chrome Enterprise Admin Console, Intune, or GPO Preferences.', '; See the "Chrome / Edge - ExtensionSettings JSON" tab for the correct JSON.'].join('\n');
      }
    } else if (platform === 'chrome_json') {
      if (strategy === 'blocklist') {
        const policy = {
          ExtensionSettings: {}
        };
        allBlockIds.forEach(id => {
          policy.ExtensionSettings[id] = {
            installation_mode: 'blocked'
          };
        });
        result = [JSON.stringify(policy, null, 2), '', '// Deploy via:', '//   Chrome Enterprise Admin Console > Apps & Extensions > Settings', '//   Intune > Configuration Profiles > Administrative Templates > Extensions', '//   macOS: /Library/Managed Preferences/com.google.Chrome.plist', '//   Windows GPO: Software\\Policies\\Google\\Chrome\\ExtensionSettings (REG_SZ)'].join('\n');
      } else if (strategy === 'allowlist') {
        const policy = {
          ExtensionSettings: {
            '*': {
              installation_mode: 'blocked'
            },
            'cjpalhdlnbpafiamejdnhcphjbkeiagm': {
              installation_mode: 'allowed'
            }
          }
        };
        result = [JSON.stringify(policy, null, 2), '', '// Blocks ALL extensions. Only those listed above with "allowed" can be installed.', '// Add your approved extensions above the closing }}.', '//', '// Supported installation_mode values:', '//   "allowed"          - user can install from Web Store', '//   "blocked"          - blocked, cannot install', '//   "force_installed"  - auto-installed, user cannot remove', '//     requires: "update_url": "https://clients2.google.com/service/update2/crx"', '//   "normal_installed" - auto-installed, user can remove', '//   "removed"          - silently uninstalled if present'].join('\n');
      } else {
        const policy = {
          ExtensionSettings: {
            '*': {
              blocked_permissions: ['debugger', 'nativeMessaging', 'proxy', 'management', 'desktopCapture', 'tabCapture']
            }
          }
        };
        result = [JSON.stringify(policy, null, 2), '', '// Blocks any extension requesting these permissions.', '// Other permissions you may want to add:', '//   "webRequestBlocking" - intercept/modify HTTP traffic (MitM)', '//   "clipboardRead"      - read clipboard contents', '//   "downloads.open"     - auto-open downloaded files'].join('\n');
      }
    } else if (platform === 'chrome_linux') {
      if (strategy === 'blocklist') {
        const policy = {
          ExtensionInstallBlocklist: allBlockIds
        };
        result = [JSON.stringify(policy, null, 2), '', '// Save as: /etc/opt/chrome/policies/managed/extsentry_blocklist.json', '// For Edge: /etc/opt/edge/policies/managed/extsentry_blocklist.json', '// Requires browser restart. File must be owned by root and readable.'].join('\n');
      } else if (strategy === 'allowlist') {
        const policy = {
          ExtensionInstallBlocklist: ['*'],
          ExtensionInstallAllowlist: ['cjpalhdlnbpafiamejdnhcphjbkeiagm']
        };
        result = [JSON.stringify(policy, null, 2), '', '// Save as: /etc/opt/chrome/policies/managed/extsentry_allowlist.json', '// Add approved extension IDs to ExtensionInstallAllowlist array.'].join('\n');
      } else {
        const policy = {
          ExtensionSettings: {
            '*': {
              blocked_permissions: ['debugger', 'nativeMessaging', 'proxy', 'management', 'desktopCapture', 'tabCapture']
            }
          }
        };
        result = [JSON.stringify(policy, null, 2), '', '// Save as: /etc/opt/chrome/policies/managed/extsentry_perms.json'].join('\n');
      }
    } else if (platform === 'firefox_json') {
      if (strategy === 'blocklist') {
        const policy = {
          policies: {
            ExtensionSettings: {}
          }
        };
        allBlockIds.forEach(id => {
          policy.policies.ExtensionSettings[id] = {
            installation_mode: 'blocked'
          };
        });
        result = [JSON.stringify(policy, null, 2), '', '// Save as policies.json in the Firefox distribution directory:', '//   Windows: C:\\Program Files\\Mozilla Firefox\\distribution\\policies.json', '//   macOS:   /Applications/Firefox.app/Contents/Resources/distribution/policies.json', '//   Linux:   /etc/firefox/policies/policies.json'].join('\n');
      } else if (strategy === 'allowlist') {
        const policy = {
          policies: {
            ExtensionSettings: {
              '*': {
                installation_mode: 'blocked'
              },
              'uBlock0@raymondhill.net': {
                installation_mode: 'allowed',
                install_url: 'https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi'
              }
            },
            InstallAddonsPermission: {
              Default: false
            }
          }
        };
        result = [JSON.stringify(policy, null, 2), '', '// Add approved add-ons with their AMO install URLs.', '// Firefox add-on IDs use the format "name@author" or "{guid}".', '// Find the ID in about:debugging#/runtime/this-firefox'].join('\n');
      } else {
        const policy = {
          policies: {
            ExtensionSettings: {
              '*': {
                blocked_permissions: ['nativeMessaging', 'proxy', 'management', 'browserSettings', 'privacy', 'pkcs11']
              }
            }
          }
        };
        result = [JSON.stringify(policy, null, 2), '', '// Firefox-specific high-risk permissions:', '//   nativeMessaging  - execute local binaries', '//   proxy            - redirect all traffic', '//   pkcs11           - access security devices', '//   management       - manage other add-ons', '//   browserSettings  - modify browser behavior'].join('\n');
      }
    } else if (platform === 'intune_oma') {
      if (strategy === 'blocklist') {
        const jsonPolicy = {};
        allBlockIds.forEach(id => {
          jsonPolicy[id] = {
            installation_mode: 'blocked'
          };
        });
        const jsonStr = JSON.stringify(jsonPolicy);
        result = ['// Microsoft Intune OMA-URI for Edge Extension Blocklist', '// Path: Configuration Profiles > Create Profile > Windows 10+ > Custom', '//', '// For large blocklists (' + allBlockIds.length + ' IDs), use ExtensionSettings:', '', '// OMA-URI:', './Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~Extensions/ExtensionSettings', '', '// Data type: String', '// Value (paste this exactly):', '<enabled/><data id="ExtensionSettings" value=\'' + jsonStr.replace(/'/g, '&apos;') + '\'/>', '', '// WARNING: Intune has a ~4KB limit per OMA-URI value.', '// If the value exceeds 4KB, split across multiple policies', '// or use Intune Administrative Templates > Microsoft Edge > Extensions instead.'].join('\n');
      } else if (strategy === 'allowlist') {
        result = ['// Microsoft Intune OMA-URI for Edge Allowlist', '', '// OMA-URI:', './Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~Extensions/ExtensionSettings', '', '// Data type: String', '// Value:', '<enabled/><data id="ExtensionSettings" value=\'{"*":{"installation_mode":"blocked"},"cjpalhdlnbpafiamejdnhcphjbkeiagm":{"installation_mode":"allowed"}}\'/>', '', '// Add approved extensions to the JSON value above.', '// Alternative: Use Intune Administrative Templates > Microsoft Edge > Extensions', '// which provides a GUI for managing blocklist/allowlist.'].join('\n');
      } else {
        result = ['// Microsoft Intune OMA-URI - Block by permissions', '', '// OMA-URI:', './Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~Extensions/ExtensionSettings', '', '// Data type: String', '// Value:', '<enabled/><data id="ExtensionSettings" value=\'{"*":{"blocked_permissions":["debugger","nativeMessaging","proxy","management","desktopCapture","tabCapture"]}}\'/>'].join('\n');
      }
    }
    setOutput(result);
    setCopied(false);
  }, [platform, strategy, malIds, customIds]);
  const copyOutput = () => {
    navigator.clipboard && navigator.clipboard.writeText(output);
    setCopied(true);
    setTimeout(() => setCopied(false), 2000);
  };
  return /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 15,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 6
    }
  }, "Extension Policy Generator"), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#6e7681',
      marginBottom: 20
    }
  }, "Generate ready-to-deploy policies to block or control browser extensions across your fleet. Policies include the full ExtSentry malicious feed (", malIds.length, " extension IDs) as a pre-built blocklist."), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'grid',
      gridTemplateColumns: '1fr 1fr',
      gap: 20,
      marginBottom: 20
    }
  }, /*#__PURE__*/React.createElement(Section, {
    title: "1. Choose platform"
  }, PLATFORMS.map(p => /*#__PURE__*/React.createElement("div", {
    key: p.id,
    onClick: () => setPlatform(p.id),
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      padding: '10px 14px',
      background: platform === p.id ? '#161b22' : 'transparent',
      border: platform === p.id ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      borderRadius: 8,
      cursor: 'pointer',
      marginBottom: 6
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      width: 6,
      height: 6,
      borderRadius: '50%',
      background: platform === p.id ? '#58a6ff' : '#30363d',
      flexShrink: 0
    }
  }), /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12,
      fontWeight: platform === p.id ? 700 : 400,
      color: platform === p.id ? '#e6edf3' : '#8b949e'
    }
  }, p.l), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 10,
      color: '#484f58'
    }
  }, p.icon))))), /*#__PURE__*/React.createElement(Section, {
    title: "2. Choose strategy"
  }, STRATEGIES.map(s => /*#__PURE__*/React.createElement("div", {
    key: s.id,
    onClick: () => setStrategy(s.id),
    style: {
      display: 'flex',
      alignItems: 'flex-start',
      gap: 10,
      padding: '10px 14px',
      background: strategy === s.id ? '#161b22' : 'transparent',
      border: strategy === s.id ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      borderRadius: 8,
      cursor: 'pointer',
      marginBottom: 6
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      width: 6,
      height: 6,
      borderRadius: '50%',
      background: strategy === s.id ? '#58a6ff' : '#30363d',
      flexShrink: 0,
      marginTop: 5
    }
  }), /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12,
      fontWeight: strategy === s.id ? 700 : 400,
      color: strategy === s.id ? '#e6edf3' : '#8b949e'
    }
  }, s.l), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 10,
      color: '#484f58',
      lineHeight: 1.5
    }
  }, s.desc)))))), /*#__PURE__*/React.createElement(Section, {
    title: "3. Additional extension IDs to block (optional)"
  }, /*#__PURE__*/React.createElement("textarea", {
    value: customIds,
    onChange: e => setCustomIds(e.target.value),
    placeholder: "Paste additional extension IDs to include, one per line or comma-separated",
    style: {
      width: '100%',
      height: 60,
      padding: '10px 14px',
      background: '#161b22',
      border: '1px solid #1b1f27',
      borderRadius: 6,
      color: '#c8ccd4',
      fontSize: 12,
      fontFamily: mono,
      resize: 'vertical',
      marginBottom: 10
    }
  }), /*#__PURE__*/React.createElement("button", {
    onClick: generatePolicy,
    style: {
      padding: '10px 24px',
      background: '#58a6ff20',
      border: '1px solid #58a6ff33',
      borderRadius: 6,
      color: '#58a6ff',
      cursor: 'pointer',
      fontSize: 13,
      fontWeight: 700
    }
  }, "Generate Policy")), output && /*#__PURE__*/React.createElement("div", {
    style: {
      marginTop: 16
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      justifyContent: 'space-between',
      alignItems: 'center',
      marginBottom: 8
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 13,
      fontWeight: 700,
      color: '#e6edf3'
    }
  }, "Generated Policy"), /*#__PURE__*/React.createElement("button", {
    onClick: copyOutput,
    style: {
      padding: '5px 14px',
      background: '#161b22',
      border: '1px solid #30363d',
      borderRadius: 6,
      color: copied ? '#3fb950' : '#8b949e',
      cursor: 'pointer',
      fontSize: 11,
      fontFamily: mono
    }
  }, copied ? 'Copied' : 'Copy')), /*#__PURE__*/React.createElement(Code, null, output), strategy === 'blocklist' && /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "This policy blocks ", /*#__PURE__*/React.createElement("strong", null, malIds.length), " known malicious extension IDs from the ExtSentry feed", customIds.trim() ? ' plus your custom IDs' : '', ". To keep the blocklist current, regenerate periodically as the feed is updated."), strategy === 'allowlist' && /*#__PURE__*/React.createElement(Callout, {
    type: "warn"
  }, "Allowlist mode blocks ALL extensions not explicitly approved. Users will lose access to any extension not in the allowlist. Test in a pilot group before fleet-wide deployment."), strategy === 'block_permissions' && /*#__PURE__*/React.createElement(Callout, {
    type: "info"
  }, "Permission-based blocking stops any extension requesting dangerous capabilities, regardless of whether it is in the malicious feed. Combine with a blocklist for defense in depth.")));
}
function App() {
  const [tab, setTab] = useState('dashboard');
  const [feedSub, setFeedSub] = useState('malicious');
  const [guidePanel, setGuidePanel] = useState('traces');
  const tabs = [{
    id: 'dashboard',
    l: 'Dashboard'
  }, {
    id: 'feeds',
    l: 'Feeds'
  }, {
    id: 'checker',
    l: 'Extension Checker'
  }, {
    id: 'policy',
    l: 'Policy Generator'
  }, {
    id: 'guide',
    l: 'Investigation Guide'
  }];
  const feedSubs = [{
    id: 'malicious',
    l: 'Malicious',
    color: '#f85149',
    count: DATA_MAL.length
  }, {
    id: 'sensitive',
    l: 'Sensitive',
    color: '#d29922',
    count: DATA_SENS.length
  }, {
    id: 'download',
    l: 'Download Feeds',
    color: '#58a6ff'
  }];
  const gps = [{
    id: 'traces',
    l: 'Traces'
  }, {
    id: 'remediation',
    l: 'Remediation'
  }, {
    id: 'detection',
    l: 'Detection Rules',
    soon: true
  }];
  return /*#__PURE__*/React.createElement("div", {
    style: S.page
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      borderBottom: '1px solid #1b1f27',
      padding: '20px 28px 16px'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 12,
      marginBottom: 10
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      width: 34,
      height: 34,
      borderRadius: 8,
      overflow: 'hidden'
    }
  }, /*#__PURE__*/React.createElement("img", {
    src: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAIVUlEQVR42u1YbXCU1RV+zr3vfm+ySUjIEj4SITRCSB1ByMB0jKOCaLFq6er4MUXrR6mVTofOtDqDbqLOtD8cq1ictloZKeI0i6O2o7VqqwEU+WwACUpCQiTfyW42u5vdffd97z39kdD6wykrSMfp8My8c/+c932fc+655zz3ABfwfw76qj7E4bAAINDWxpg/n9DYqIiIvxZOMSC+kDTz520pHP5iu/NLbiJy4A231fG2J55RzzVF+KVfrWce9J8m2RyC/JwzdN62WABYAbjqAasRYAAgIh6bWbTM/7un3hYu6cMbbwIDA9A1F+/NleB2d8tw1/tDEWpsqTRuWKznrN936igDRJPv5/PPMyKEiQgsLS+9+3srl77YBOgrGhok1i0p4CB7+7T4jYDy4cB+U7e3Kxw8bIrW1iXu3uQ9fZ27XFe838zPXGbWF5VX/ePIfSvnEMCc53bnY0QRQC8CHGnhXB8oKbqFvzP7ppaWFju6Zy8O9aP8hZ7ovGNbI4wPPnSiZ0AimzO0qXVq5755xQf6y9Bwz+pBw73potkXTy0Y7H2Ey+GLtIXoKyEYnkgDrqqtXRxPpmqSnin6j6mCbQMNVRumPPx4Qelbm+yO4sLo0ZE4YTzDum8IIClOugvFQE/vUs99C1/fPubYfLR0bu2Rzm7ORseWwo2ymyPbFefx/zMatE3m6XAmF8yC5I59B7Wrbqn70ZjzsWOvvtkx/a1XWrfdWl+6OgBwe5eApaGiSSrv7ECwtrLsiYPxS3b5q71RCPuNd9+jSnJFEcX4Z6HpnsY8ImicySAyuZ7q7rSmzpiFVw634dRIjMuC09RAT8w9x0q55bgNjGagxrIwTcVMhOiJk8CQA2kjoIeL3Xj6gz309KXT4S62kKgpmJ0NulubAH3OEQxNrgVKceFAH66fVkbxkQFcOn7KWJbNAqM5NpM5xIfGOZpSPGZPhDzhdMKM2bhxOEbq4za5Qgj6bgkBdnxsZNT4ZO5AB+dTcoy8ukRzSF55x+uiSjOeW7WMZbqf0NUXNXtjRc6SQilNzamMQlQBKWaMKoa0ckgpsFsp8ZCkaDuze/SzUd8Mrzoe9FFB1FnNU9BhnXMEiwFBN0fUsVwu7rJsWDMrFXx+qHTqkcNZ62fxxJhGLGkrhgIBKQZ6FbQ/p+2g0jQGfDxs8JIiomFjRilQHVjtLfI84H2pI4Aw6ExR/K8EmZl+D1i89ZeXv3D3Dcsr/F7N3SeIu3uAkYSsWWjsMe5cJTrmznFIAWMcoDgBU4lk1OV0xNcsp1lr5sdWmuh0Eoq0LMR4xeJp1qIVv/Csv2Z77nksQDhMYZxFCzzdwj5actlj/PhPmO/9Nqduu1znFk5RfJFD8/zCw1yHYn5t/Y7YlrUdLxfiD81SZJul4BcF/tZ6b/276uimMd62/KZ3JFYe9zg4ESyy24RU7xguO73mauYbZ98KgDgUkl8qB8OAoEeb9E+BhT3K3lDfdkjldu2GN5WTIzmApWTYqTpI8VrJD558yufHlCW2uLZXaxln6KkGTb+kpXWTuWPPb7vaUeQnbEnYWlMyTTu1oiGtVMnOgzz/m4F5ADhyFodEgKED/oolxwZjSrviypmBY8h2cTpn84BbCi+rk8GcHje0fKW/n5GxNASAQsCutLk2ddx8NmcIGMQJMA4nLLW0TZDOeA0IU3FXMuWY2mWOAkAoEuFJXcB5EaydNPT4jFOHRtNyXWJcVkuJ122bbyn101WmpYrS1sy+QrHe68cT7gTqA0wrKxRqCkwuH5a0lyWiOY03q4PGjr2nrC3SaVCL14FjaUtc5hTO7qT15yuTuRcAiEnh8KW1I80HnFc5/X/6BmTaBwxVAHrz3HJ9oMBhfwroT900kLjLX3baTa5DHc8QdzGDjq+DCw7gvVLatJHAT3oM61aX1IVAogLYCPxbgp27aG7wYMb1And8y5B8pK7S2uuRepdHqn2S+EQp9fMVjmf5Ptec02eRn/aX8SrX/Z/OEft/LsDrAPPXbqkfKzC2/xiocBLAi+Bo/g/Jsy7U1ADIlgx6VgPJaxwCfq8fyayGxyASBJWJcbBzv/0jbwduH66mLaXl4tXBTenNXTGevjvGcpChTAL5iSgoRP/DQB8YxtEMKJTHtoozidnbAOIwxAIBV7sCjseTsJgRtTRyNoushhpIsT7Qw4UnO/mBQ//Uf991XM/6ywiLgxq2Zgg3AyVEKHQZgkOQo9cFFtS2wTpXsTDh3SI4qAnWndJpxoWhiosLtK+8mJK2jZyyydIQ2UQGIOghGxxPMaU9Di4T4AATIKD8RKrG65SjrF1iO1TyuonLVCPATefai394ACYAQErJSsmHDndIh8OAUhoJrbBqeimvdDnRPTxGKYD8AQ9afS6xI5qCjxgODQgiY/dYBlVKf8QM+N+IH8pX9ht5CFZuApDL2e0x2B9+lmaZgckakDFg7lrDFahQKY4CNA6wW0gaZhFtNe1PygFDALYb4CTw8lbg+RAgm8NgNOH8XEklAIMm1htdnpeStTM5ClgfALqZYG8E+K/zKg65xET1cBDgERMZzYCYfPIuLXk36fca4A83wFAA2QzaUFnpTivZsNNmVVLuIwlAMtRsp0ByMKof1Cx6r3bPensW3Ks0ZJhhAGACNH2Jopy3JwxQI0C1IVAkAjQD/H1PYGcQallNuUdVprPoMy3ZDcaJrH1t1YPq7bXvu2YFh80+akPufzJSYEzot0l5RM8XTKlZKz27qgE1WwqeJ6irCrhFCmD/Iji+NnOdyx2OukVA/f2AfzIdDAaIQ2fuFOcV4S9I+DAmyJ3NmON8TbcoNHnYIhO3NMbXCfwVjvAu4AIu4CzwL7tS8sKVqcugAAAAAElFTkSuQmCC",
    alt: "ExtSentry",
    style: {
      width: 34,
      height: 34,
      borderRadius: 8
    }
  })), /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("h1", {
    style: {
      fontSize: 19,
      fontWeight: 800,
      letterSpacing: '-0.5px',
      color: '#e6edf3',
      fontFamily: sans
    }
  }, "Ext", /*#__PURE__*/React.createElement("span", {
    style: {
      color: '#f85149'
    }
  }, "Sentry")), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 10,
      color: '#484f58',
      letterSpacing: '2px',
      textTransform: 'uppercase',
      fontFamily: mono
    }
  }, "Browser Extension Threat Intelligence")), /*#__PURE__*/React.createElement("div", {
    style: {
      marginLeft: 'auto',
      display: 'flex',
      gap: 8,
      alignItems: 'center'
    }
  }, /*#__PURE__*/React.createElement(GhBtn, {
    href: "https://github.com/mthcht/awesome-lists/tree/main/Lists",
    label: "IOCs"
  }), /*#__PURE__*/React.createElement(GhBtn, {
    href: "https://github.com/extsentry",
    label: "ExtSentry"
  }))), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 4,
      flexWrap: 'wrap'
    }
  }, tabs.map(t => /*#__PURE__*/React.createElement("button", {
    key: t.id,
    onClick: () => setTab(t.id),
    style: {
      background: tab === t.id ? '#161b22' : 'transparent',
      border: tab === t.id ? '1px solid #30363d' : '1px solid transparent',
      color: tab === t.id ? '#e6edf3' : '#6e7681',
      padding: '7px 14px',
      borderRadius: 6,
      cursor: 'pointer',
      fontSize: 12,
      fontWeight: tab === t.id ? 700 : 400
    }
  }, t.l)))), /*#__PURE__*/React.createElement("div", {
    style: {
      padding: '24px 28px',
      maxWidth: 1400,
      margin: '0 auto'
    }
  }, tab === 'dashboard' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      marginBottom: 24,
      borderLeft: '3px solid #f85149'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 15,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 10
    }
  }, "Why browser extensions are a critical attack vector"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.9
    },
    dangerouslySetInnerHTML: {
      __html: DASHBOARD_DESC
    }
  })), /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      marginBottom: 24,
      borderLeft: '3px solid #58a6ff'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 15,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 10
    }
  }, "Enterprise tools for browser extension visibility"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.9
    }
  }, "Several security platforms provide visibility into browser extensions installed across your fleet. ", /*#__PURE__*/React.createElement("strong", null, "EDR/XDR platforms"), " can inventory extensions via endpoint telemetry: ", /*#__PURE__*/React.createElement("a", {
    href: "https://www.crowdstrike.com/platform/exposure-management/",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "CrowdStrike Falcon Exposure Management"), " surfaces extension names, versions, permissions, risk levels, and Web Store status across all enrolled endpoints. ", /*#__PURE__*/React.createElement("a", {
    href: "https://learn.microsoft.com/en-us/defender-endpoint/device-discovery",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "Microsoft Defender for Endpoint"), " exposes browser extension data through the DeviceTvmBrowserExtensions table in advanced hunting (", /*#__PURE__*/React.createElement("a", {
    href: "https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-browser-extensions",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "browser extension vulnerability management"), ", ", /*#__PURE__*/React.createElement("a", {
    href: "https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "Edge extension management"), ", ", /*#__PURE__*/React.createElement("a", {
    href: "https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-policies",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "Edge extension policies"), "). ", /*#__PURE__*/React.createElement("a", {
    href: "https://www.sentinelone.com/platform/",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "SentinelOne Singularity"), " provides endpoint queries to audit installed extensions across the fleet. For ", /*#__PURE__*/React.createElement("strong", null, "browser-native management"), ", ", /*#__PURE__*/React.createElement("a", {
    href: "https://chromeenterprise.google/products/chrome-enterprise-core/",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "Chrome Enterprise Core"), " (free) gives IT admins a cloud console to enforce extension allowlists/blocklists, manage permissions, pin versions, and view installation reports across Windows, macOS, Linux, and mobile - it integrates with Intune, Workspace ONE, and Jamf. Microsoft Edge provides equivalent controls through Group Policy, Intune, or the Edge management service. For ", /*#__PURE__*/React.createElement("strong", null, "dedicated browser security platforms"), ", ", /*#__PURE__*/React.createElement("a", {
    href: "https://layerxsecurity.com/",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "LayerX"), " deploys as a lightweight extension that monitors and blocks risky extensions in real-time with its Extensionpedia risk database. ", /*#__PURE__*/React.createElement("a", {
    href: "https://www.sqrx.com/",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff'
    }
  }, "SquareX"), " analyzes extension behavior dynamically at runtime using metadata, static code, and behavioral analysis. ", /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 14,
      marginTop: 14,
      padding: '12px 16px',
      background: 'rgba(88,166,255,0.06)',
      border: '1px solid rgba(88,166,255,0.18)',
      borderRadius: 8
    }
  }, /*#__PURE__*/React.createElement("img", {
    src: "magicsword.png",
    alt: "Magic Sword",
    style: {
      height: 36,
      objectFit: 'contain',
      flexShrink: 0,
      filter: 'brightness(1.1)'
    }
  }), /*#__PURE__*/React.createElement("span", null, /*#__PURE__*/React.createElement("a", {
    href: "https://www.magicsword.io/plan?utm_source=extsentry&utm_medium=affiliate&utm_campaign=community-widget",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff',
      fontWeight: 600
    }
  }, "Magic Sword"), " is a dedicated application control and browser extension management platform with the ExtSentry feed already integrated, giving you immediate threat coverage across your fleet. A free trial is available with this affiliated link.")))), /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      marginBottom: 24,
      borderLeft: '3px solid #58a6ff'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 15,
      fontWeight: 700,
      color: '#e6edf3',
      marginBottom: 10
    }
  }, "ExtSentry-Guard - A Browser Extension blocking Malicious Browser Extensions x)"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.9
    }
  }, /*#__PURE__*/React.createElement("a", {
    href: "https://github.com/ExtSentry/ExtSentry-Guard",
    target: "_blank",
    rel: "noopener noreferrer",
    style: {
      color: '#58a6ff',
      fontWeight: 600
    }
  }, "ExtSentry-Guard"), " is a native browser extension that provides real-time protection directly in your browser - it automatically detects and blocks malicious extensions from being installed by checking them against the ExtSentry community threat feed, stopping threats before they can take hold.")), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'grid',
      gridTemplateColumns: '1fr 1fr',
      gap: 20,
      marginBottom: 24
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      borderLeft: '3px solid #f85149'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 8,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#f85149'
    }
  }, "Malicious Extensions"), /*#__PURE__*/React.createElement("span", {
    style: {
      marginLeft: 'auto',
      fontSize: 22,
      fontWeight: 800,
      color: '#f85149',
      fontFamily: mono
    }
  }, DATA_MAL.length)), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12,
      color: '#8b949e',
      lineHeight: 1.7,
      marginBottom: 12
    }
  }, "Malware, compromised, scams, PUPs, credential access, defense evasion tools. ", /*#__PURE__*/React.createElement("strong", null, "Detect and remove immediately.")), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      flexWrap: 'wrap',
      gap: 5
    }
  }, Object.entries(CATS_MAL).sort((a, b) => b[1] - a[1]).map(([c, n]) => /*#__PURE__*/React.createElement("span", {
    key: c,
    style: {
      fontSize: 10,
      fontFamily: mono,
      color: '#8b949e',
      background: '#161b22',
      padding: '3px 8px',
      borderRadius: 4
    }
  }, c, ": ", n)))), /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      borderLeft: '3px solid #d29922'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 8,
      marginBottom: 14
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#d29922'
    }
  }, "Sensitive Extensions"), /*#__PURE__*/React.createElement("span", {
    style: {
      marginLeft: 'auto',
      fontSize: 22,
      fontWeight: 800,
      color: '#d29922',
      fontFamily: mono
    }
  }, DATA_SENS.length)), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12,
      color: '#8b949e',
      lineHeight: 1.7,
      marginBottom: 12
    }
  }, "Crypto wallets and password managers targeted by stealers. Not malicious themselves. ", /*#__PURE__*/React.createElement("strong", null, "Detect when targeted by malware.")), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      flexWrap: 'wrap',
      gap: 5
    }
  }, Object.entries(CATS_SENS).sort((a, b) => b[1] - a[1]).map(([c, n]) => /*#__PURE__*/React.createElement("span", {
    key: c,
    style: {
      fontSize: 10,
      fontFamily: mono,
      color: '#8b949e',
      background: '#161b22',
      padding: '3px 8px',
      borderRadius: 4
    }
  }, c, ": ", n))))), /*#__PURE__*/React.createElement("div", {
    style: {
      ...S.card,
      borderLeft: '3px solid #58a6ff'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 14,
      fontWeight: 700,
      color: '#58a6ff',
      marginBottom: 10
    }
  }, "How to use these feeds"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 12.5,
      color: '#8b949e',
      lineHeight: 1.8
    }
  }, /*#__PURE__*/React.createElement("strong", null, "Malicious feed"), " - import into your SIEM/EDR/TIP to alert on and block. STIX for OpenCTI, MISP event for MISP, Sigma for any SIEM, KQL for Sentinel, NDJSON for Elastic.", /*#__PURE__*/React.createElement("br", null), /*#__PURE__*/React.createElement("strong", null, "Sensitive feed"), " - use in detection rules that trigger when a stealer accesses these extension storage directories.", /*#__PURE__*/React.createElement("br", null), /*#__PURE__*/React.createElement("strong", null, "Investigation Guide"), " - Traces documents forensic artifacts across Windows, macOS, and Linux. Remediation covers step-by-step cleanup and enterprise response."))), tab === 'feeds' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 6,
      marginBottom: 20
    }
  }, feedSubs.map(s => /*#__PURE__*/React.createElement("button", {
    key: s.id,
    onClick: () => setFeedSub(s.id),
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 6,
      background: feedSub === s.id ? '#161b22' : 'transparent',
      border: feedSub === s.id ? '1px solid ' + s.color + '33' : '1px solid #1b1f27',
      color: feedSub === s.id ? s.color : '#6e7681',
      padding: '8px 16px',
      borderRadius: 8,
      fontSize: 12,
      fontWeight: feedSub === s.id ? 700 : 400,
      cursor: 'pointer'
    }
  }, s.l, s.count != null && /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 10,
      fontFamily: mono,
      opacity: 0.7
    }
  }, "(", s.count, ")")))), feedSub === 'malicious' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      marginBottom: 16
    }
  }, /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 16,
      fontWeight: 700,
      color: '#f85149'
    }
  }, "Malicious Browser Extensions"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      color: '#6e7681'
    }
  }, "Detect and remove")), /*#__PURE__*/React.createElement("span", {
    style: {
      marginLeft: 'auto',
      fontSize: 22,
      fontWeight: 800,
      color: '#f85149',
      fontFamily: mono
    }
  }, DATA_MAL.length)), /*#__PURE__*/React.createElement(DataTable, {
    data: DATA_MAL
  })), feedSub === 'sensitive' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      alignItems: 'center',
      gap: 10,
      marginBottom: 16
    }
  }, /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 16,
      fontWeight: 700,
      color: '#d29922'
    }
  }, "Sensitive Browser Extensions"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11,
      color: '#6e7681'
    }
  }, "Detect when targeted by stealers")), /*#__PURE__*/React.createElement("span", {
    style: {
      marginLeft: 'auto',
      fontSize: 22,
      fontWeight: 800,
      color: '#d29922',
      fontFamily: mono
    }
  }, DATA_SENS.length)), /*#__PURE__*/React.createElement(DataTable, {
    data: DATA_SENS
  })), feedSub === 'download' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      marginBottom: 20
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      justifyContent: 'space-between',
      alignItems: 'center',
      marginBottom: 6
    }
  }, /*#__PURE__*/React.createElement("h2", {
    style: {
      fontSize: 17,
      fontWeight: 800,
      color: '#e6edf3'
    }
  }, "Download Feed Formats"), /*#__PURE__*/React.createElement(ContributeBtn, null)), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#6e7681'
    }
  }, "Each format is audited for platform-specific correctness. SHA-256 hashes included where available. Found a malicious extension not in our feeds? Contribute it.")), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'grid',
      gridTemplateColumns: 'repeat(auto-fill, minmax(280px, 1fr))',
      gap: 10
    }
  }, FEEDS.map((f, i) => /*#__PURE__*/React.createElement("div", {
    key: i,
    style: {
      background: '#0d1117',
      border: '1px solid #1b1f27',
      borderRadius: 10,
      padding: 16,
      display: 'flex',
      flexDirection: 'column'
    },
    onMouseEnter: e => e.currentTarget.style.borderColor = '#30363d',
    onMouseLeave: e => e.currentTarget.style.borderColor = '#1b1f27'
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      justifyContent: 'space-between',
      alignItems: 'flex-start',
      marginBottom: 6
    }
  }, /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 13,
      fontWeight: 700,
      color: '#e6edf3'
    }
  }, f.name), /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 9,
      background: '#161b22',
      padding: '2px 8px',
      borderRadius: 4,
      color: '#8b949e',
      fontFamily: mono
    }
  }, f.plat)), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 11.5,
      color: '#6e7681',
      lineHeight: 1.5,
      marginBottom: 10,
      flex: 1
    }
  }, f.desc), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 6
    }
  }, /*#__PURE__*/React.createElement("a", {
    href: FEED_BASE + (f.malFile || f.file),
    download: true,
    style: {
      flex: 1,
      padding: '6px 0',
      borderRadius: 6,
      background: '#f8514910',
      border: '1px solid #f8514925',
      textAlign: 'center',
      fontSize: 10,
      fontWeight: 600,
      color: '#f85149',
      fontFamily: mono,
      cursor: 'pointer',
      textDecoration: 'none'
    }
  }, "Malicious"), /*#__PURE__*/React.createElement("a", {
    href: FEED_BASE + (f.sensFile || f.file),
    download: true,
    style: {
      flex: 1,
      padding: '6px 0',
      borderRadius: 6,
      background: '#d2992210',
      border: '1px solid #d2992225',
      textAlign: 'center',
      fontSize: 10,
      fontWeight: 600,
      color: '#d29922',
      fontFamily: mono,
      cursor: 'pointer',
      textDecoration: 'none'
    }
  }, "Sensitive"))))))), tab === 'checker' && /*#__PURE__*/React.createElement(ExtensionChecker, null), tab === 'policy' && /*#__PURE__*/React.createElement(PolicyGenerator, null), tab === 'guide' && /*#__PURE__*/React.createElement("div", null, /*#__PURE__*/React.createElement("div", {
    style: {
      marginBottom: 20
    }
  }, /*#__PURE__*/React.createElement("h2", {
    style: {
      fontSize: 17,
      fontWeight: 800,
      color: '#e6edf3',
      marginBottom: 6
    }
  }, "Browser Extension Investigation Guide"), /*#__PURE__*/React.createElement("p", {
    style: {
      fontSize: 12.5,
      color: '#6e7681'
    }
  }, "Comprehensive forensic reference covering Windows, macOS, and Linux.")), /*#__PURE__*/React.createElement("div", {
    style: {
      display: 'flex',
      gap: 6,
      marginBottom: 20
    }
  }, gps.map(p => /*#__PURE__*/React.createElement("button", {
    key: p.id,
    onClick: () => !p.soon && setGuidePanel(p.id),
    style: {
      background: guidePanel === p.id ? '#161b22' : 'transparent',
      border: guidePanel === p.id ? '1px solid #58a6ff33' : '1px solid #1b1f27',
      color: guidePanel === p.id ? '#58a6ff' : p.soon ? '#484f58' : '#6e7681',
      padding: '8px 16px',
      borderRadius: 8,
      fontSize: 12,
      fontWeight: guidePanel === p.id ? 700 : 400,
      cursor: p.soon ? 'not-allowed' : 'pointer',
      opacity: p.soon ? 0.5 : 1
    }
  }, p.l, p.soon && /*#__PURE__*/React.createElement("span", {
    style: {
      fontSize: 9,
      background: '#21262d',
      padding: '2px 6px',
      borderRadius: 3,
      marginLeft: 6
    }
  }, "soon")))), guidePanel === 'traces' && /*#__PURE__*/React.createElement(TracesPanel, null), guidePanel === 'remediation' && /*#__PURE__*/React.createElement(RemediationPanel, null))), /*#__PURE__*/React.createElement("div", {
    style: {
      borderTop: '1px solid #1b1f27',
      padding: '18px 28px',
      marginTop: 40,
      display: 'flex',
      justifyContent: 'space-between'
    }
  }, /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 10,
      color: '#30363d',
      fontFamily: mono
    }
  }, "ExtSentry - Browser Extension Threat Intelligence - TLP:CLEAR"), /*#__PURE__*/React.createElement("div", {
    style: {
      fontSize: 10,
      color: '#21262d',
      fontFamily: mono
    }
  }, DATA_MAL.length, " malicious - ", DATA_SENS.length, " sensitive - ", FEEDS.length, " feed formats")));
}

// --- Runtime feed loader ---
let _feedLoaded = false;
let _feedError = null;

function loadFeed() {
  return fetch('feeds/extsentry_feed.json')
    .then(r => { if (!r.ok) throw new Error('Feed fetch failed: ' + r.status); return r.json(); })
    .then(feed => {
      const malRaw = [];
      const sensRaw = [];
      for (const ind of feed.indicators) {
        const entry = [
          ind.extension_name || '',
          ind.extension_id,
          '*' + ind.extension_id + '*',
          ind.category || '',
          ind.threat_type || '',
          ind.reference_url || '',
          ind.description || '',
          ind.crx_sha256 || ''
        ];
        if (ind.threat_type === 'sensitive') {
          sensRaw.push(entry);
        } else {
          malRaw.push(entry);
        }
      }
      RAW_MAL = malRaw;
      RAW_SENS = sensRaw;
      DATA_MAL = RAW_MAL.map(parse);
      DATA_SENS = RAW_SENS.map(parse);
      CATS_MAL = _.countBy(DATA_MAL, 'category');
      CATS_SENS = _.countBy(DATA_SENS, 'category');
      _feedLoaded = true;
    })
    .catch(err => {
      console.error('Failed to load ExtSentry feed:', err);
      _feedError = err.message;
      _feedLoaded = true;
    });
}

function AppWrapper() {
  const [ready, setReady] = useState(_feedLoaded);
  React.useEffect(() => {
    if (!_feedLoaded) {
      loadFeed().then(() => setReady(true));
    }
  }, []);
  if (!ready) {
    return React.createElement('div', {
      style: { display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh', background: '#0a0c10', color: '#8b949e', fontFamily: "'IBM Plex Sans', system-ui, sans-serif", flexDirection: 'column', gap: 16 }
    },
      React.createElement('div', { style: { fontSize: 28, fontWeight: 700, color: '#e6edf3' } }, 'ExtSentry'),
      React.createElement('div', { style: { fontSize: 14 } }, 'Loading threat intelligence feed...')
    );
  }
  if (_feedError) {
    return React.createElement('div', {
      style: { display: 'flex', alignItems: 'center', justifyContent: 'center', minHeight: '100vh', background: '#0a0c10', color: '#f85149', fontFamily: "'IBM Plex Sans', system-ui, sans-serif", flexDirection: 'column', gap: 16 }
    },
      React.createElement('div', { style: { fontSize: 28, fontWeight: 700, color: '#e6edf3' } }, 'ExtSentry'),
      React.createElement('div', { style: { fontSize: 14 } }, 'Failed to load feed: ' + _feedError)
    );
  }
  return React.createElement(App, null);
}

ReactDOM.render(/*#__PURE__*/React.createElement(AppWrapper, null), document.getElementById('root'));

</script>
</body>
</html>