Starting analysis...
XHunt – Your Crypto Co-pilot on X
Version 0.2.03 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a decent user base of 10,000 users and maintains a strong 4.6-star rating from 28 reviews, indicating positive user experiences. However, the lack of visible developer information and company details reduces transparency and accountability. The extension targets cryptocurrency users on X (formerly Twitter), which is a legitimate use case but also attracts malicious actors due to the financial nature of crypto activities.
The primary concern is the combination of scripting permissions with content script access to X.com, which allows the extension to read and modify all content on the platform. This creates potential for data harvesting of sensitive information like crypto wallet addresses, trading discussions, or personal financial data. The storage permission, while common, enables the extension to retain collected data locally. The crypto-focused nature makes it an attractive target for malicious updates or supply chain attacks, as crypto users are high-value targets for scammers.
Given the medium risk level, consider running this extension in a separate Chrome profile dedicated to crypto activities. Regularly review the extension's permissions and behavior for any suspicious changes. Be cautious about sharing sensitive crypto information while the extension is active. Monitor your accounts for unusual activity and consider using hardware wallets for significant crypto holdings. Keep the extension updated but watch for permission changes in future versions.
Findings
Security Analysis Details
Required Permissions:
- storage
- idle
- scripting
Embedded URLs (53 total):
| https://x.com/ | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| http://www.w3.org/2000/svg | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | https://kb.xhunt.ai | |
| https://api.memory.lol/v1/tw/ | https://kb.xhunt.ai/api | |
| https://github.com/zloirock/core-js/blob/v3.43.0/LICENSE | https://github.com/zloirock/core-js | |
| https://github.com/uuidjs/uuid#getrandomvalues-not-supported | https://m1.openfpcdn.io/fingerprintjs/v | |
| https://fpjs.dev/pro | https://github.com/AlphaHunt3/tweet-hunt-extension | |
| https://fonts.googleapis.com/css2?family=Edu+NSW+ACT+Cursive:wght@400..700&family=Lato:ital | http://fb.me/use-check-prop-types | |
| https://x.com/xhunt_ai | https://t.me/xhunt_ai | |
| https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/rootdata-orange.png | http://www.w3.org/2000/xmlns/ | |
| https://abs.twimg.com/sticky/default_profile_images/default_profile_400x400.png | https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/y1009.mp3 | |
| https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/y1478.mp3 | https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/y1561.mp3 | |
| https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/y1873.mp3 | https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/y2181.mp3 | |
| https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/y899.mp3 | https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/14428.mp3 | |
| https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/15011.mp3 | https://oaewcvliegq6wyvp.public.blob.vercel-storage.com/xhunt_new.jpg | |
| https://x.com/search?q= | https://pbs.twimg.com/profile_images/1940131561103347712/f5y2qENu_400x400.jpg | |
| https://pbs.twimg.com/profile_images/1641014725655019521/YsHRUKTw_400x400.jpg | https://pbs.twimg.com/profile_images/1968722816154345472/vEj4j3o9_400x400.jpg | |
| https://pbs.twimg.com/profile_images/1876852353653227520/v4TY_1Tq_400x400.jpg | https://pbs.twimg.com/profile_images/1954817804336766976/eX6495qB_400x400.jpg | |
| https://pbs.twimg.com/profile_images/1944131484433993728/p_fsWT_w_400x400.png | https://pbs.twimg.com/profile_images/1972890046127841281/bpmkOcE-_400x400.jpg | |
| https://pbs.twimg.com/profile_images/1894706611538530304/w9AEcEL8_400x400.jpg | https://pbs.twimg.com/profile_images/1844399977482813442/1fTlYz2c_400x400.png | |
| https://pbs.twimg.com/profile_images/1975172164392300544/nAGo0mS9_400x400.jpg | https://pbs.twimg.com/profile_images/1880555856133332992/DQDrisim_400x400.jpg | |
| https://pbs.twimg.com/profile_images/1983562022999744512/KUHcfKj9_400x400.jpg | https://pbs.twimg.com/profile_images/1919664587772944384/yLx45XhG_400x400.jpg | |
| https://pbs.twimg.com/profile_images/1974032533588250624/sMfy8bGo_400x400.jpg | https://ipapi.co/json/ | |
| https://ip-api.com/json/ | https://ipinfo.io/json | |
| https://api.ipify.org?format=json | https://clients2.google.com/service/update2/crx | |
| https://kb.xhunt.ai/nacos-configs?dataId=xhunt_config&group=DEFAULT_GROUP |
Raw Manifest
{ "name": "XHunt – Your Crypto Co-pilot on X", "icons": { "16": "icon16.plasmo.6c567d50.png", "32": "icon32.plasmo.76b92899.png", "48": "icon48.plasmo.aced7582.png", "64": "icon64.plasmo.8bb5e6e0.png", "128": "icon128.plasmo.3c1ed2d2.png" }, "action": { "default_icon": { "16": "icon16.plasmo.6c567d50.png", "32": "icon32.plasmo.76b92899.png", "48": "icon48.plasmo.aced7582.png", "64": "icon64.plasmo.8bb5e6e0.png", "128": "icon128.plasmo.3c1ed2d2.png" } }, "author": "luykin", "version": "0.2.03", "background": { "service_worker": "static/background/index.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Your Crypto Co-pilot on X", "permissions": [ "storage", "idle", "scripting" ], "content_scripts": [ { "js": [ "utils.a56f1776.js" ], "css": [], "matches": [ "https://x.com/*" ] }, { "js": [ "Main.666beeeb.js" ], "css": [], "matches": [ "https://x.com/*" ] } ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "https://x.com/*" ], "resources": [ "icon.0024de64.png", "Main.3cd1bb78.css", "Main.eef117da.css", "Main.51383e2d.css", "Main.6fc17d50.css", "Main.fd881d45.css" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.