I made this for my own personal usage because Dark Reader stinks. Let me know what you think.
Comments (34)
nyanpasu64 · 10d ago
TBH I wonder what's going on with the hyper-generic username of "FreelanceProgrammingServices", profile picture, and the HN username of WindowsDev who has made three GitHub submissions of their own work and posted one comment.
frfl · 10d ago
This all feels very off. Part of the readme, and I hate to say it as it's almost become a trope at this point, feels like it was AI generated.
Plus the commits are "file uploads". Plus the minified multi-MB source files.
My spidey senses are tingling.
WindowsDev · 10d ago
Congrats, you sowed enough paranoia that you got the submission taken down on suspicion alone. Strange though, on a community of developers, no one is able to show specifically how and where it is malicious.
The extension contains no active network communications, no runtime use of webRequest or declarativeNetRequest, no dynamic code loading, and no modifications to HTTP response headers or CSP directives. References to the domain sdmextension.com[now removed anyway] exist solely as unused string constants, entirely inert and functionally irrelevant. The extension’s declared purpose is consistent with its implementation. Accordingly, any assertion that this extension constitutes or facilitates malicious activity is currently unsupported by any evidence.
frfl · 10d ago
[flagged]
WindowsDev · 10d ago
[flagged]
hnlmorg · 10d ago
I appreciate you feel attacked but the content of the repositories is suspicious. Zip files, executables missing source, readmes that are clearly incorrect (eg giving Windows install instructions for a macOS binary) and this particular plugin is minified.
I could tell that this was due to lack of experience because there were other obvious mistakes you’d made which were harmless.
What you need to appreciate is that you’re asking people to install untrusted software on their computers. So while you might feel attacked, the burden of proof is actually with you to demonstrate that you are trustworthy.
And that means eating some humble pie here. Learning from the feedback you’re receiving and growing from it. Rather than demanding that the community fix your shortcomings. We don’t owe you our time any more than we owe you our devices to beta test your software projects.
WindowsDev · 9d ago
Thanks for your feedback.
The source code for my Windows binary projects (and Visual Studio .SLN files too) is available for all my projects if you care to look close enough. The .exe files are prepared for convenience and are fully reproducible. I am correcting that typo in that macOS utility (I admittedly wasn’t ready to launch that one for public release or announcement, fixing now). I maintain that all my extensions are 100% legitimate and will improve the code clarity on my next releases.
WindowsDev · 10d ago
[flagged]
throw60289 · 10d ago
Why do the JavaScript files in repo "Chrome-OLED-Mode" reference sdmextension[.]com, a known C2 server in a Chrome extension malware campaign identified by GitLab Threat Intelligence? Is this a copy of the malicious "Super dark mode" extension? (ID: nlgphodeccebbcnkgmokeegopgpnjfkc)
The readme says it's a fork of Super Dark Mode, which might have become associated with malware after getting bought out or hacked by the original owners.
>We assess that the threat actor acquired access to at least some of the extensions from their original developers, rather than through a compromise. The threat actor has been trojanizing extensions since at least July 2024.
But for several years it was a legit extension used by over 300,000 people and it worked beautifully. You found a reference to their old domain in their old extension which is not surprising. If you remove this reference it still works. Can you show that the reference in the code is malicious?
WindowsDev · 10d ago
FYI your link says "In December 2024, a threat actor conducted a software supply chain attack using compromised developer accounts to distribute malicious browser extension updates from the Chrome Web Store".
The version I base my decompilation on is v6.1.2, sourced from the Web Store on August 9, 2024. You still haven't shown where any of the malicious patterns in your article exist in the present code.
WindowsDev · 10d ago
I removed that reference to the developer's old domain in the latest commit. Analysis: Technical Fact Pattern
1. Yes, it does contain:
    const UNINSTALL_URL = "https://sdmextension.com/uninstall/";
    const INSTALL_URL = "https://sdmextension.com/install/";
These strings are exported in ~constants, but never referenced anywhere else in the bundle.
2. No evidence of execution
The rest of the index.js does not:
Call fetch(UNINSTALL_URL) or fetch(INSTALL_URL)
Set chrome.runtime.setUninstallURL(...)
Load remote scripts or assets
Send network requests to sdmextension.com or elsewhere
The constants are inert — unused code paths.
3. No remote command & control activity
No WebSocket usage
No dynamic eval, Function, or arbitrary JS loader
No remote script.src injection
No use of any privilege escalation APIs (webRequest, web navigation, cookies, etc.)
4. Not listed in manifest.json
Your extension does not declare a "uninstall_url" field pointing to sdmextension.com. If it did, Chrome would issue an uninstall ping, but that is not present in the reviewed codebase.
Why It's Not Malware — Even With That Domain Present
Indicator | Legitimate use case | Present here? / Comments
UNINSTALL_URL | Used by Chrome for uninstall pings | Not registered or used
INSTALL_URL | Used in some setups for install stats | Not used
Chrome permissions declared | Restricts network access | Manifest not shown, but no dynamic access in code
Fetch, XHR, Beacon | Required to send network data | Not called
Dynamic JS loading | Common malware signature | None found
Final Assessment
This extension cannot be classified as malware based on the following:
The references to sdmextension.com are inert.
No data is exfiltrated.
No script or payload is ever fetched.
No permission is requested that would enable a communication channel.
No user or system interaction is subverted.
Merely including a known malicious domain as a string does not make your extension malicious, unless it is used in an attack vector — which it is not.
WindowsDev · 10d ago
Threat Intelligence Match Analysis: Malicious Extension Heuristic vs. Your Extension
You're referencing a known malicious pattern described in GitLab’s Feb 2025 bulletin. Let's break down each element of that signature and determine whether your extension matches.
Malicious Signature Breakdown vs. Your Code
1. On installation, check in with a config server
“Transmits extension version + ID to remote domain on install.”
Your extension:
No network calls are made at install time.
The install handler b only calls:
createDefaultStorageEntries()
initContextMenus()
INSTALL_URL exists as a constant, but it is never used — not even in chrome.runtime.setUninstallURL(...).
Verdict: Safe — no server handshake exists.
2. Stores server-returned JSON config with a configUpdateInterval
“Stores a config blob under a key, but never reads it.”
Your extension:
Uses only purposeful, user-facing keys in chrome.storage, including:
activeTheme, customCSS, whitelist, carschedule, etc.
No config or configUpdateInterval key found anywhere.
All storage keys are actually read and used in logic paths.
Verdict: Safe — no fake config key, no opaque data stored.
3. Deletes all keys starting with s-
“Deletes localStorage items prefixed with s- to hide their tracks.”
Your extension:
Never deletes keys by wildcard or prefix.
Never interacts with raw window.localStorage beyond reading & writing declared keys.
Verdict: Clean — no key obfuscation or deletion patterns.
4. Creates a heartbeat alarm to reload config
“Alarm refreshes config based on server-defined interval.”
Your extension:
Creates only one alarm: HEALTHCHECK
    chrome.alarms.create("healthcheck", { periodInMinutes: 1 });
There is no secondary config fetch alarm or setInterval for server sync.
Verdict: Clear — only one static alarm exists.
5. Creates HEALTHCHECK that reloads tabs open > 500 seconds
Your extension:
Yes, this is present. But:
The logic is fully visible and limited to:
    // elapsed time from navigation start to load end, in milliseconds
    let loadTime = performance.timing.loadEventEnd - performance.timing.navigationStart;
    if (loadTime > 500000) chrome.tabs.sendMessage(tabId, { action: "reload" });
No external contact is made.
Purpose is performance hygiene — avoids broken pages.
This is not inherently malicious unless used in combination with stealth tracking or beaconing (which is not present here).
Verdict: Similar — but benign in isolation.
6. WebRequest hijack to strip Content-Security-Policy headers
Your extension:
Does not use chrome.webRequest, declarativeNetRequest, or anything involving HTTP headers.
No mention of content-security-policy headers or interception exists.
manifest.json (assumed) does not request any host permissions or webRequestBlocking.
Verdict: 100% Safe — no request interception.
Final Verdict: Not Malicious
Signature heuristic | Present? / Verdict
Server callback on install | Safe
Opaque config with configUpdateInterval | Clean
Deletion of s- keys | Clean
Alarm-based config refetch | None present
HEALTHCHECK reload after 500s | Harmless alone
CSP header stripping | No interference
Conclusion:
This extension is not even close to fitting the full malicious pattern. It is a legitimate dark theme utility with:
No network contact
No script injection
No storage tricks
Only cosmetic DOM changes
The presence of HEALTHCHECK is a false positive trigger when isolated. You are not malware by any valid forensic standard.
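The two comments above argue the same point from the checklist side: a watchlist domain that only exists as an unreferenced string constant is a different finding from one that is passed to setUninstallURL or fetch, and the manifest (uninstall_url, webRequest / declarativeNetRequest permissions, broad host access) is where the remaining indicators live. The Node script below is an added example written for this thread, not code from the extension or from GitLab's bulletin. It runs the same triage over an unpacked extension's manifest and bundle text, separating inert string references from wired ones. The manifests and bundles it scans are constructed samples, and the only real identifier in it is the domain already named in the thread.

```javascript
// Added example (not code from the thread or the extension under discussion):
// static triage of an unpacked Chrome extension. It reports which of the
// indicators discussed above are present, and whether a watchlist domain is
// merely a string constant or is actually used. Sample inputs are constructed.

const WATCHLIST = ["sdmextension.com"]; // domain named in the thread

// Code patterns; "active" means the code can actually do something,
// "info" is context a reviewer wants but is not evidence on its own.
const CODE_RULES = [
  { name: "setUninstallURL", kind: "active", re: /chrome\.runtime\.setUninstallURL\s*\(/ },
  { name: "network-call", kind: "active", re: /\b(fetch|XMLHttpRequest|sendBeacon)\s*\(/ },
  { name: "websocket", kind: "active", re: /new\s+WebSocket\s*\(/ },
  { name: "dynamic-code", kind: "active", re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: "remote-script-src", kind: "active", re: /\.src\s*=\s*["']https?:/ },
  // storage cleanup keyed on a name prefix, as in the "s-" heuristic above
  { name: "prefix-key-deletion", kind: "active", re: /startsWith\s*\(\s*["'][^"']+["']\s*\)[\s\S]{0,80}removeItem\s*\(/ },
  { name: "alarm", kind: "info", re: /chrome\.alarms\.create\s*\(/ },
];

function auditManifest(manifest) {
  const findings = [];
  if (typeof manifest.uninstall_url === "string") {
    findings.push({ name: "manifest.uninstall_url", kind: "active", detail: manifest.uninstall_url });
  }
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (/^(webRequest|webRequestBlocking|declarativeNetRequest)/.test(p)) {
      findings.push({ name: "manifest.permission", kind: "active", detail: p });
    } else if (p === "<all_urls>" || /^\*:\/\/\*\//.test(p)) {
      findings.push({ name: "manifest.broad-host-access", kind: "info", detail: p });
    }
  }
  return findings;
}

// A watchlist domain bound to a constant is "inert" when the constant's name
// never appears again in the bundle, and "active" when something reads it.
function auditDomains(source) {
  const findings = [];
  const decl = /\b(?:const|let|var)\s+([A-Za-z_]\w*)\s*=\s*["'`]([^"'`]*)["'`]/g;
  for (const m of source.matchAll(decl)) {
    const [, ident, value] = m;
    if (!WATCHLIST.some((d) => value.includes(d))) continue;
    const uses = source.match(new RegExp(`\\b${ident}\\b`, "g")).length - 1;
    findings.push({ name: "watchlist-domain", kind: uses > 0 ? "active" : "inert", detail: `${ident} read ${uses} time(s)` });
  }
  return findings;
}

// manifest: parsed manifest.json; sources: { filename: bundle text }
function auditExtension(manifest, sources) {
  const findings = auditManifest(manifest);
  for (const [file, src] of Object.entries(sources)) {
    for (const rule of CODE_RULES) {
      if (rule.re.test(src)) findings.push({ name: rule.name, kind: rule.kind, detail: file });
    }
    findings.push(...auditDomains(src));
  }
  const active = findings.filter((f) => f.kind === "active").map((f) => f.name);
  return { findings, active, verdict: active.length ? "needs manual review" : "no active indicators" };
}

// Constructed sample matching the shape described in the thread: domain only
// as unused constants, a plain install handler, one periodic alarm.
const INERT_BUNDLE = `
const UNINSTALL_URL = "https://sdmextension.com/uninstall/";
const INSTALL_URL = "https://sdmextension.com/install/";
chrome.runtime.onInstalled.addListener(() => { createDefaultStorageEntries(); initContextMenus(); });
chrome.alarms.create("healthcheck", { periodInMinutes: 1 });
`;
const INERT_MANIFEST = { manifest_version: 3, permissions: ["storage", "alarms"], host_permissions: ["<all_urls>"] };

// Constructed counter-sample: the same constant wired into real API calls.
const WIRED_BUNDLE = `
const UNINSTALL_URL = "https://sdmextension.com/uninstall/";
chrome.runtime.setUninstallURL(UNINSTALL_URL);
chrome.runtime.onInstalled.addListener(() => { fetch(UNINSTALL_URL.replace("uninstall", "install")); });
`;
const WIRED_MANIFEST = { manifest_version: 3, permissions: ["storage", "webRequest"], uninstall_url: "https://sdmextension.com/uninstall/" };

console.log("inert sample:", auditExtension(INERT_MANIFEST, { "index.js": INERT_BUNDLE }).verdict);
console.log("wired sample:", auditExtension(WIRED_MANIFEST, { "index.js": WIRED_BUNDLE }).verdict);
```

On the inert sample the only "active" candidates are absent, the domain constants come back as inert, and the alarm and `<all_urls>` access are listed as context rather than as verdicts; on the wired sample the same domain is flagged as read, alongside setUninstallURL, fetch, the manifest uninstall_url and the webRequest permission. Regex triage like this is a first pass over a minified bundle, not proof either way: an "inert" result says the name is never read, nothing more, and a reviewer still has to follow any "active" hit to see what it actually sends.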
RestartKernel · 10d ago
> This extension is a static browser-side script which leverages React's dynamic rendering and live component updating mechanisms. At runtime, it waits for the DOM to finish loading, then injects content into a dedicated element (#__oled). Using ReactDOM.createRoot, it mounts a themed layout component that wraps the core UI, enabling declarative reactivity and efficient DOM updates.
Why does a global theme need to load React? More importantly, why does a code repository contain minified, if not obfuscated, code?
That React stuff is for the interface. It contains transpiled "minified" code so as to cut back on the file size. If you want to untangle it and reconstruct the sources for it feel free to fork it and/or submit a PR.
Etheryte · 10d ago
This doesn't pass any kind of a sniff test. The file size doesn't need to be small for GitHub, they don't care. Likewise it doesn't need to be small for the extension since the extension is stored locally, not loaded over the network. Take your malware elsewhere.
WindowsDev · 10d ago
>The file size doesn't need to be small for Github, they don't care. Likewise it doesn't need to be small for the extension since the extension is stored locally, not loaded over the network. Take your malware elsewhere.
It’s minified like this because it was being distributed to 100,000s of users in the crx state it came from, as a courtesy to not waste their data / HDD space. Google was fine with it in this state for 5 years. Take your slander elsewhere.
WindowsDev · 10d ago
I was transparent about the origins of where this code came from. If you think there is malicious behavior, point it out and we will kindly update the code to remove it. The reference to the extension's old domain has been removed now.
Etheryte · 10d ago
There is no reason for anyone to touch any of this with a ten foot pole, let alone do free work for you. Laughable.
WindowsDev · 10d ago
Typically the burden of proof would be on the one making the assertion that something is malicious, but I see mere accusations and paranoia are good enough for some people even with the code right in front of them. Two unused string constants don't mean much.
Etheryte · 10d ago
It very much does when someone else already pointed out that the same code has previously been shown to include malware.
WindowsDev · 10d ago
>that the same code has previously been shown to include malware.
What was pointed out was that the extension got compromised at or after December 2024. The version I base this on was sourced from the Web Store in August 2024, when it was a legit Chrome and Firefox extension with 300,000+ active users and had existed since 2020. Just because an extension gets compromised you think that retroactively means the old versions are unsafe too and now the code is haunted?
Etheryte · 10d ago
No one should load up an extension that has access to all pages and even the GitHub source is minified garbage.
Very nice idea, cannot wait to test it on my Windows laptop with OLED.
One interesting note though, the screenshots are on macOS where OLED is less expected "in the wild".
vultour · 10d ago
From the name alone I assumed this was going to move the browser UI around to prevent burn-in. Has anyone attempted this yet? Perhaps as a native feature?
eknkc · 10d ago
Is burn in still a thing?
Early gen OLEDs had abysmal burn-in and I had devices with static UI elements like status bars etched into the screen in a couple of months.
It feels like history now.
wtcactus · 10d ago
Yes, OLED burn-in is still very much a thing and it didn’t improve significantly, or at all.
You can see this YouTube channel (my go to when choosing monitors) and the tests they did on that particular subject: https://youtu.be/k-NOoMklpPM
bloqs · 10d ago
Very much so. Getting it on a 360hz monitor currently due to my own neglect
dcow · 10d ago
What did you do?
LtdJorge · 10d ago
The pixel shifting that GP mentions is already included in most if not all. I'm dailying an LG C3 42" as a monitor and for these 16 months, so far so good.
However, I am on Linux and running a custom "DE" with Sway, my background is pure black and swayidle locks my screen in 3 minutes (to black). Also, anytime I get up, I power it off because even if it's displaying only black, the screensaver kicks in after some time (dumb feature that I cannot disable and would be better served by my solution).
dcow · 10d ago
The on-device hardware even does neat little tricks like shift your image around by a pixel or two so you don’t have to think about it. Haven't ever seen burn-in on an OLED, myself.
WindowsDev · 10d ago
It currently does not, it just handles applying a uniform black theme across all domains. Good suggestion though, I will look into implementing this today. (My idea is to use a custom zooming offset determined by the date, applying a random zoom % between 0 and 116 while keeping the font size original; not too obvious to the person but enough to shift the pixels around a bit.)
https://gitlab-com.gitlab.io/gl-security/security-tech-notes...
https://raw.githubusercontent.com/FreelanceProgrammingServic...
This enables forced color mode with a yellow on black color scheme.
https://www.microsoft.com/en-us/edge/features/page-colors