Excited to secure the developer endpoint right as everyone is becoming a developer
LimaCharlie released their Agentic SecOps Workspace recently which runs Claude Code in their UI including MCP servers. It's never been so easy to just say 'look at my detections and research the extensions'. Even though 1Password falls under an unapproved policy, at least it isn't malicious!
A Chrome extension with 7,000 users and a Google Featured badge was recently sold, weaponized, and pushed a malicious update to that executed code through a hidden pixel. Here's how it worked 👇
The new owner added a C2 server, stripped important security headers from all pages, and used a 1x1 invisible pixel's onload handler to execute remote JavaScript in pages. The actual malicious code never appears in the extension's source files, but the code update was worrying
The original extension still works perfectly. Google Lens integration, screen capture, all of it. Users would never notice anything beyond a single permission acceptance prompt. That's what makes extension supply chain attacks so dangerous.
We tracked this one from the moment it was listed for sale Oct 11th, through the ownership change, to the malicious update Feb 17th. Full technical breakdown of the pixel trick, the C2 infrastructure, and the CSP stripping.
annex.security/blog/pixel-p...
Today we're announcing that @secureannex.com has been acquired by @socket.dev! Supply chain security is a deceptively wide problem from open source code to browser extensions. Developers and IT teams can't stop it from impacting their organization alone.
secureannex.com/blog/annex-a...
. @socket.dev just acquired @secureannex.com, the extension security company built by @johntuckner.me. John is joining Socket.
John built Secure Annex as a solo founder into a product that security teams at Reddit, Brave, Torq, and Movable Ink depend on.
