[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Nova Extension

Version 2.1.02 View in Chrome Web Store

Last scanned: 2 days ago | force re-scan

Extension Details

Rating: 2.5 ★ (41 ratings)

Users: 30,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a concerning trust profile with only 30,000 users and a poor 2.5-star rating from 41 reviews, suggesting user dissatisfaction. The lack of clear author and developer information raises transparency concerns. The extension appears to be related to cryptocurrency trading platforms based on the host permissions, which is a sector often targeted by malicious actors.

Concerns:

The extension requests excessive permissions that seem disproportionate to typical trading tools. The combination of tabs and webNavigation permissions allows comprehensive tracking of your browsing behavior across all websites. The broad host permissions spanning multiple cryptocurrency platforms (bullx.io, pump.fun, axiom.trade) and social media sites (X.com, Discord, Telegram) create significant attack surface. Content scripts injected into these sensitive platforms could potentially intercept trading activities, wallet interactions, or personal communications. The storage permission combined with navigation tracking could enable data collection and profiling.

Recommendations:

Given the high risk level, avoid installing this extension on your primary browser profile. If you must use it, create a dedicated Chrome profile specifically for cryptocurrency trading activities and limit sensitive browsing in that profile. Regularly monitor your accounts for unauthorized activity. Consider using established, well-reviewed trading platforms directly rather than through browser extensions. The poor rating and broad permissions suggest this extension may not provide reliable functionality and poses unnecessary security risks.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

tabs
webNavigation
activeTab
storage
sidePanel

Host Permissions:

https://click.tradeonnova.io/*
https://click2.tradeonnova.io/*
https://api.tradeonnova.io/*
https://photon-sol.tinyastro.io/*
https://bullx.io/*
https://backup.bullx.io/*
https://backup2.bullx.io/*
https://neo.bullx.io/*
https://neo-backup.bullx.io/*
https://legacy.bullx.io/*
https://gmgn.ai/*
https://axiom.trade/*
https://*.axiom.trade/*
https://x.com/*
https://pump.fun/*
https://discord.com/*
https://web.telegram.org/*

Embedded URLs (37 total):

https://reactjs.org/docs/error-decoder.html?invariant=	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/2000/svg
http://www.w3.org/1998/Math/MathML	http://www.w3.org/1999/xhtml
https://photon-sol.tinyastro.io/	https://bullx.io/
https://backup.bullx.io/	https://backup2.bullx.io/
https://neo.bullx.io/	https://neo-backup.bullx.io/
https://legacy.bullx.io/	https://gmgn.ai/
https://axiom.trade/	https://pump.fun/
https://discord.com/	https://web.telegram.org/a
https://web.telegram.org/k	https://click.tradeonnova.io/
https://click2.tradeonnova.io/	https://api.tradeonnova.io/
https://x.com/	https://twitter.com/
https://web.telegram.org/	https://api.tradeonnova.io/api-v1/click/version
https://api.tradeonnova.io/api-v1/elements	https://docs.tradeonnova.io/modules/nova-click/chrome-extension-workaround
https://api.tradeonnova.io/api-v1/transact	https://fonts.googleapis.com
https://fonts.gstatic.com	https://fonts.googleapis.com/css2?family=Mulish:ital
https://clients2.google.com/service/update2/crx	https://web.telegram.org/a/
https://web.telegram.org/k/	https://api.tradeonnova.io/api-v1/click/neo
https://api.axiom.trade/pair-info?pairAddress=

Raw Manifest

{
  "name": "Nova Extension",
  "icons": {
    "48": "icon-48.png",
    "128": "icon-128.png"
  },
  "action": {
    "default_popup": "index.html"
  },
  "version": "2.1.02",
  "background": {
    "service_worker": "src/background.js"
  },
  "side_panel": {
    "default_path": "sidepanel.html"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Buy, snipe & sell tokens on Solana using Nova Extension.",
  "permissions": [
    "tabs",
    "webNavigation",
    "activeTab",
    "storage",
    "sidePanel"
  ],
  "content_scripts": [
    {
      "js": [
        "src/base.js",
        "src/utils.js"
      ],
      "matches": [
        "https://click.tradeonnova.io/*",
        "https://click2.tradeonnova.io/*"
      ]
    },
    {
      "js": [
        "src/photon.js",
        "src/utils.js"
      ],
      "matches": [
        "https://photon-sol.tinyastro.io/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/bullx.js"
      ],
      "matches": [
        "https://bullx.io/*",
        "https://backup.bullx.io/*",
        "https://backup2.bullx.io/*"
      ]
    },
    {
      "js": [
        "src/neobullx.js"
      ],
      "run_at": "document_start",
      "matches": [
        "https://neo.bullx.io/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/neobackupbullx.js"
      ],
      "matches": [
        "https://neo-backup.bullx.io/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/legacy-bullx.js"
      ],
      "matches": [
        "https://legacy.bullx.io/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/gmgn.js"
      ],
      "matches": [
        "https://gmgn.ai/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/axiom.js"
      ],
      "matches": [
        "https://axiom.trade/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/twitter.js"
      ],
      "matches": [
        "https://x.com/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/pumpfun.js"
      ],
      "matches": [
        "https://pump.fun/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/discord.js"
      ],
      "matches": [
        "https://discord.com/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/telegram-a.js"
      ],
      "matches": [
        "https://web.telegram.org/a/*"
      ]
    },
    {
      "js": [
        "src/utils.js",
        "src/telegram-k.js"
      ],
      "matches": [
        "https://web.telegram.org/k/*"
      ]
    }
  ],
  "host_permissions": [
    "https://click.tradeonnova.io/*",
    "https://click2.tradeonnova.io/*",
    "https://api.tradeonnova.io/*",
    "https://photon-sol.tinyastro.io/*",
    "https://bullx.io/*",
    "https://backup.bullx.io/*",
    "https://backup2.bullx.io/*",
    "https://neo.bullx.io/*",
    "https://neo-backup.bullx.io/*",
    "https://legacy.bullx.io/*",
    "https://gmgn.ai/*",
    "https://axiom.trade/*",
    "https://*.axiom.trade/*",
    "https://x.com/*",
    "https://pump.fun/*",
    "https://discord.com/*",
    "https://web.telegram.org/*"
  ],
  "manifest_version": 3
}

by ✦ Astarte

Nova Extension

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (37 total):

Raw Manifest

Detections

Manifest Findings