[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3FEbOYKPfgfEl_9vTkUXTIMh0Ez5cT4vfdTxPIXyI1A":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"7f890a3e-24cb-417c-8bbf-ae3d01dea473","152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic","152-chrome-live-wallpaper-extensions-hid-ad-tracking-and-faked-google-search-tra-3f4b93","Socket's Threat Research Team identified a family of 152 Chrome Web Store new-tab \"live wallpaper\" extensions, built from one shared codebase but distributed across 38 separate Chrome Web Store publisher accounts and three brand backends, carrying a combined total of approximately 105,000 reported installs. Every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite: that the extensions log IP addresses, ISP, click counts, and referrers and share that data with Google AdSense, DoubleClick, and third-party ad partners. A 54-listing subset, all on the newer tabplugins-brand template, additionally forges Google organic-search attribution and disguises its uninstall ping as a Google search-result click, laundering extension-driven traffic into what looks like earned Google organic search. In plain terms: every time a website gets a visitor, analytics records how that visitor arrived, the \"source.\" \"Organic search\" means the person found the site by typing a query into Google and clicking a normal, unpaid result. It is the most valuable kind of traffic a site can claim, because it signals genuine, earned interest rather than paid ads or the site sending traffic to itself. These extensions manufacture that signal. The visit is not a person who searched Google; it is the extension opening a tab on its own and stamping it \"arrived from Google organic search.\" The uninstall ping goes a step further, wrapping the destination in the exact google.com\u002Furl format Google uses for real search-result clicks, including the signed ved and usg tokens, so the hit looks like a human clicking a Google result. The operator is fabricating the origin of its own traffic. Inflated \"organic\" numbers make a web property look more popular and more trusted than it is, and that is precisely what advertisers, ad networks, and affiliate programs pay for. The fabricated signal pollutes the operator's analytics, any ad partner's measurement, and Google's own attribution data with visits that were generated by software, not earned from people. It is the mechanism that turns silent extension installs into what looks like organic human demand, at the scale of the whole 141-extension network. The family's behavior splits into three classes: Deceptive traffic laundering (on the 54 tabplugins-brand listings that ship the newer template): forged utm_source=google&utm_medium=organic install attribution plus a cloaked google.com\u002Furl uninstall redirect that disguises extension-driven traffic as genuine Google search activity. An anti-forensic IndexedDB wipe shipped verbatim into 100 percent of the family, running an enumerate-and-delete routine on every service-worker start. It is inert in this build and deletes nothing. A Chrome Web Store privacy disclosure of \"no data collected\" that the operator's own linked privacy policy directly contradicts. This is an adware-adjacent potentially unwanted program (PUP) family. The concrete harm is deceptive traffic measurement, undisclosed telemetry, and a provably false privacy disclosure. The monetization works by funnel rather than injection: the extensions pump forced, falsely attributed traffic to ad-monetized brand pages while logging the user, and the operators spread the identical template across dozens of publisher accounts so that no single takedown dents the network. The Install and Uninstall Pings Forge Google Attribution # The service worker js\u002Fbg.js defines two hardcoded URLs and fires them on install and uninstall. The install URL carries fabricated organic-search attribution, and the uninstall URL is wrapped in a fake Google search-result click. \u002F\u002F js\u002Fbg.js (Tanjiro sample). Analyst note: the install URL tags extension-driven \u002F\u002F traffic as Google \"organic\" search. The traffic is not organic, it is the \u002F\u002F extension opening a tab on install. const installUrl = \"https:\u002F\u002Ftabplugins.com\u002Ftanjiro-demon-slayer-live-wallpaper\u002F?utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper\"; \u002F\u002F Analyst note: the uninstall URL is a google.com\u002Furl redirect wrapper carrying a \u002F\u002F fabricated ved\u002Fusg signature, disguising a tabplugins.com destination as a real \u002F\u002F Google search-result click. Loading it on uninstall tells the server an uninstall \u002F\u002F occurred, while laundering the referral as Google activity. const uninstallUrl = \"https:\u002F\u002Fwww.google.com\u002Furl?sa=t&source=web&rct=j&opi=89978449&url=https:\u002F\u002Ftabplugins.com\u002Flive-wallpaper\u002F&ved=2ahUKEwigjZv3_sqUAxWaTKQEHVVYOFUQFnoECB4QAQ&usg=AOvVaw3S1cD8TWcvQUivIwcBGtSp\"; chrome.runtime.onInstalled.addListener(() => { chrome.tabs.create({ url: installUrl }); chrome.tabs.create({ url: chrome.runtime.getURL(\"newtab.html\") }); }); if (chrome.runtime.setUninstallURL) { chrome.runtime.setUninstallURL(uninstallUrl); } On install, the worker force-opens a tabplugins[.]com tab tagged utm_source=google&utm_medium=organic, telling the operator's analytics that a new user arrived through Google organic search. They did not. The visit is the extension opening a tab on itself. On uninstall, setUninstallURL fires a google.com\u002Furl wrapper. The ved and usg parameters are the signed tracking tokens Google appends to its own search-result redirects, and reproducing them on a self-chosen wrapper makes a tabplugins[.]com visit look, to analytics and to a casual observer, like the user clicked a Google search result. Both pings phone home the install and uninstall events, and both launder extension-driven traffic so the operator can present it to ad networks and affiliates as earned organic search. IndexedDB Anti-Forensics # On every service-worker start, js\u002Fbg.js enumerates and deletes every IndexedDB database it can see. \u002F\u002F js\u002Fbg.js. Analyst note: this enumerates and deletes every IndexedDB database \u002F\u002F visible to the calling context. In an MV3 background worker that context is the \u002F\u002F extension's own origin (chrome-extension:\u002F\u002F ), not any website's origin. indexedDB.databases().then(dbs => { dbs.forEach(db => { indexedDB.deleteDatabase(db.name); console.log(`Deleted IndexedDB database: ${db.name}`); }); }); The routine is copied verbatim into 100 percent of the family and is the single most reliable fingerprint of the operation: an anti-forensic state-reset boilerplate with no legitimate purpose in a wallpaper app and no disclosure to the user. Scoping it precisely: a Manifest V3 background service worker runs in the extension's own origin, chrome-extension:\u002F\u002F , and browser storage is partitioned by origin, so indexedDB.databases() and deleteDatabase reach only databases belonging to that single partitioned origin. The routine cannot touch any website's IndexedDB, cookies, localStorage, or sessions. The extension also keeps all of its own state in localStorage, not IndexedDB, so in this build the wipe finds nothing to delete. It is the family's defining signature and an undisclosed anti-forensic behavior, shipped to every member regardless of whether it currently destroys anything. To be concrete about what is and is not at risk: IndexedDB is where a page or extension persists structured client-side data, the kind of place a tracker would queue analytics events or cache an identifier. This extension writes none. It keeps all of its own state, the saved shortcuts, background mode, custom wallpaper, and last-image index, in localStorage, and never opens an IndexedDB database of its own. The wipe therefore destroys nothing in this build, and we found no hidden telemetry or stored data it is erasing. What makes it notable is the capability and its family-wide presence: an indiscriminate, undisclosed deleteDatabase loop on every service-worker start, shipped to all 141 members, that would silently clear any IndexedDB state in the extension's own origin, with no user disclosure and no benign reason to exist in a wallpaper app. The new-tab search box calls chrome.search.query with no engine override, so it uses the user's existing default engine: search is not hijacked. The single search permission it requests is nonetheless the cleanest install-time tell for the family. Each saved shortcut's domain is sent to Google via a s2\u002Ffavicons?domain= request on every new tab, a minor, undisclosed leak of the user's chosen sites. A Few More Signs of Careless Mass Production # Two lower-severity issues round out the new-tab code in js\u002Fscript.js and the package layout: The shortcut renderer injects user-saved shortcut name and url values into the DOM through unescaped template strings. This is self-XSS only, since a user would have to save their own malicious shortcut, but it is sloppy. The image-wallpaper mode references wallpapers\u002F1.jpg through wallpapers\u002F10.jpg, but no wallpapers\u002F directory ships in the package, so image mode is broken. This is consistent with rushed factory packaging. # The same bg.js core, identified by the same Deleted IndexedDB database: log string and the same install-navigation plus setUninstallURL structure, ships across three brand backends: tabplugins[.]com: 109 of the analyzed extensions. This newer template is the only one that adds the forged utm_source=google&utm_medium=organic attribution and the cloaked google.com\u002Furl uninstall redirect. yowgames[.]com: 19 extensions, a games-themed front, shipping the same core without the forged Google attribution. chromewallpaper[.]com: 13 extensions, structurally identical to the yowgames variant. These three brand domains are the shared backend, but the extensions are not published from a single Chrome Web Store account. Across the 141 live listings we resolved, the same template is spread over 38 distinct publisher accounts, with several distinct contact emails across the accounts (including hirakiranpk@gmail[.]com, hussnain1122akram@gmail[.]com, ferhatbadem831@gmail[.]com, and keremsopar@gmail[.]com; the full set is in the IOC section). The two original samples are published by hirakiranpk, which turns out to be only one node in the network: it owns four extensions totaling roughly 18,000 installs, including the family's single largest, \"Neymar - Football Live Wallpaper,\" at around 10,000. The heaviest account by reach is ZainAhamed1994, with 10 extensions and roughly 26,000 installs. Distributing one identical PUP template across dozens of separate publisher identities is itself a deliberate takedown-resistance tactic: removing any single account leaves the rest of the network live. The same \"live wallpaper\" template published under four different Chrome Web Store accounts, one of 38 across the network. A long tail of roughly two dozen further accounts publishes one to seven extensions each. The shared codebase is the constant; the fragmentation into dozens of publisher identities is the evasion layer on top. Across the full dataset we collected 152 unique extension IDs. We downloaded and SHA-256-verified the bg.js for 141 of them, with 100 percent hash integrity against the source list. The remaining 11 were already delisted from the Chrome Web Store at the time of analysis (the update endpoint returned HTTP 204). All 141 with a retrievable service worker resolve to a live Chrome Web Store listing. Chrome Web Store rounds install counts in buckets at and above 1,000, so the family's combined-install figure is an order-of-magnitude floor rather than an exact sum. The family signature is consistent across all 141, and the forged Google attribution is confined to the 54 newer tabplugins[.]com listings. The mass production shows in the failures as well as the consistency. Three of the analyzed extensions, all on tabplugins[.]com, ship a bg.js that does not parse, because the closing quote of the install URL lands before the query string. \u002F\u002F js\u002Fbg.js (Porsche sample). Analyst note: the closing quote lands before the query \u002F\u002F string, so the parser sees an assignment to an expression. node --check reports \u002F\u002F \"SyntaxError: Invalid left-hand side in assignment\". A syntax error aborts the \u002F\u002F entire script, so the install navigation, uninstall tracking, and IndexedDB wipe \u002F\u002F never register in these three extensions. const installUrl = \"https:\u002F\u002Ftabplugins.com\u002Fporsche-911-sports-car-live-wallpaper\u002F\"?utm_source=google&utm_medium=organic&utm_campaign=porsche-911-sports-car-live-wallpaper; These three still install, still override the new tab, and still ship the search permission, but their background logic never runs. Shipping a non-parsing service worker that passed Chrome Web Store review is direct evidence of unreviewed mass production rather than careful targeting. There is no remote code anywhere in the family. None of the 141 service workers contain fetch, XMLHttpRequest, WebSocket, sendBeacon, eval, new Function, importScripts, or atob. The wallpaper bg.mp4 files are genuine MP4 containers with no appended payload, and the bundled jQuery is the untampered official 3.7.1 release. All telemetry is limited to the install and uninstall pings described above. Infrastructure and Monetization # The brand domains resolve to two distinct operator infrastructures, tied to each other only by the shared extension template, not by shared hosting. The yowgames cluster: yowgames[.]com, chromewallpaper[.]com, and owhit[.]com all sit behind the same Cloudflare account, identified by the shared name-server pair journey[.]ns[.]cloudflare[.]com and tim[.]ns[.]cloudflare[.]com, all registered through Spaceship. chromewallpaper[.]com is a redirector: it issues an HTTP 301 to owhit[.]com. Cloudflare assigns a specific name-server pair per account, so three domains sharing the exact same pair are almost certainly administered from one account. The tabplugins cluster: tabplugins[.]com sits on a separate Cloudflare account (name-server pair fatima[.]ns[.]cloudflare[.]com and ned[.]ns[.]cloudflare[.]com), registered through Hostinger, with its origin exposed on Hostinger IPs 147[.]79[.]120[.]202 and 92[.]112[.]198[.]22 rather than fully proxied. How the network monetizes: 38 publisher accounts feed three brand domains across two hosting clusters, each wired to Google Ad Manager or AdSense under its own account. Every operator-controlled domain is registered behind WHOIS privacy, so no registrant name or country is recoverable from registration data, and we do not infer one from it. The two clusters are best read as at least two teams running the same identical extension template, the same false Chrome Web Store disclosure, and the same monetization scheme, rather than a single registrant. The money comes from advertising, funneled rather than injected. tabplugins[.]com, the only brand whose pages render without a Cloudflare bot wall, is a WordPress catalog of free Chrome and Edge extensions that loads a live programmatic ad stack. The page pulls https:\u002F\u002Favads[.]live\u002Fs\u002Fav-tabplugins.js, a Prebid header-bidding bundle operated by the ad-tech vendor Advergic, which wires up Google Ad Manager (network code 23301900962,23324153939), AppNexus\u002FXandr, PixFuture, and SmileWanted, including a full-screen interstitial ad slot, alongside Google Analytics 4 property G-906NQ2GLXR and FOU Analytics. The extensions are the traffic pump for these ad-monetized pages: the forced install tab, the in-page \"More Extensions\" and uninstall-guide links, and the forged-organic attribution all drive and dress up visits to a property that monetizes them through programmatic display and interstitial ads. This is the adware mechanism, ads on the destination the user is funneled to, not ads injected into the pages the user browses. A smaller secondary deception sits inside that stack: tabplugins[.]com's own privacy policy names Google AdSense and Google DoubleClick DART cookies as its ad partners, but the ad code it actually serves is the Advergic Prebid stack feeding Google Ad Manager, Xandr, PixFuture, and SmileWanted. The disclosed ad partners and the served ad partners do not match. The yowgames cluster monetizes through Google ad products as well, via a different integration. Live retrieval of yowgames[.]com and owhit[.]com is blocked by a Cloudflare bot wall from our vantage, so we examined archived copies (Wayback Machine). Both homepages embed Google AdSense and googlesyndication.com directly, each under its own publisher ID (ca-pub-2685573472598175 for yowgames[.]com, ca-pub-6596604135510481 for owhit[.]com) and its own Google Analytics 4 property (G-YJWVP0Q1KW and G-6V3WECV225), and both privacy policies reuse the same DoubleClick DART, Google Analytics, and third-party-advertising boilerplate as tabplugins[.]com, rebranded per domain. All three brands are therefore ad-monetized destinations running Google ad products, each under its own ad and analytics accounts. tabplugins[.]com is the only brand serving the Advergic\u002Favads stack rather than direct AdSense: its av-tabplugins.js bundle is live, while av-yowgames.js, av-owhit.js, and av-chromewallpaper.js return \"Script not found.\" Excerpts from the live av-tabplugins.js bundle showing the Google Ad Manager network code, the Advergic header-bidding account ID, and the full-screen interstitial ad slot served on the funnel page. One brand name in the family is a dead end. walltab[.]com, which appears on one publisher account, is a parked HugeDomains \"for sale\" listing rather than operator infrastructure, and is excluded from the network cluster. Attribution # This is a financially motivated commercial adware and traffic-attribution-fraud affiliate operation, run by one or more small freelance teams. We cannot tie this operation to a specific country with confidence. The available signals are circumstantial and point loosely toward Turkey, but none of them is proof. The strongest sits on owhit[.]com, whose contact page lists \"Saniye Yıldız\" with the addresses yahyagazi06@gmail[.]com and support@owhit[.]com. \"Saniye Yıldız\" is a Turkish name and the \"06\" suffix matches the Ankara area code, which is consistent with the Turkish-reading publisher contact emails ferhatbadem831@gmail[.]com and keremsopar@gmail[.]com on the yowgames-cluster listings. This is the publicly listed operator contact, not a verified person, and it may be a pseudonym. No GitHub, freelance-marketplace, or social-media portfolio links the publisher handles to each other or to a real identity, and we found no prior public reporting on these domains or handles. The Turkey reads are possibilities to investigate, not attribution we can stand behind. The False Privacy Disclosure # The clearest and most defensible policy violation is the contradiction between the Chrome Web Store privacy disclosure and the operator's own privacy policy, which is linked from the same listings. On the Chrome Web Store, the Privacy practices tab for these listings states that \"The developer has disclosed that it will not collect or use your data,\" that data is \"Not being sold to third parties,\" and that data is \"Not being used or transferred for purposes unrelated to the item's core functionality.\" The Chrome Web Store \"Privacy\" panel for \"Neymar - Football Live Wallpaper\" declares that the developer will not collect or use user data. The privacy policy at tabplugins[.]com\u002Fprivacy-policy, linked from those same listings, states the opposite. It says the operator's log files \"log visitors when they visit websites or use our extension\" and that the information collected \"include internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring\u002Fexit pages, and possibly the number of clicks.\" It further states that the operator collects \"your IP address, your browser type and language, access times, the content of any undeleted cookies ... software installed upon and\u002For devices connected to your computer and\u002For device, and the referring website address,\" describes \"tracking user's movement on the website and extension,\" and names Google AdSense, Google DoubleClick DART cookies, Google Analytics, and unnamed third-party advertising partners using cookies and web beacons. A listing cannot truthfully claim \"will not collect or use your data\" while its own linked privacy policy admits extension-side logging of IP, ISP, click counts, and referrers feeding multiple ad networks. The install and uninstall telemetry corroborate that the extensions do phone home. This is not a gray area under Chrome Web Store policy. Google's program policies require that \"All information provided in the privacy fields of your extension must be up to date and accurate,\" and state plainly that \"if the information listed in your privacy fields contradicts the information provided in your privacy policy, or the behavior of your extension, your extensions may be removed from the Store.\" Google further warns that \"any discrepancies between the developer dashboard disclosures, your privacy policy, and the behavior of your item would be a violation of the Chrome Web Store developer program policies,\" and that this \"can result in the suspension of all the items owned by the publisher, deactivation of the existing user-base, and ban of the entire publisher entity (including related accounts).\" The contradiction documented here is exactly that three-way mismatch between the dashboard disclosure, the linked privacy policy, and the observed phone-home behavior, and it is not confined to the two samples: the identical \"will not collect or use your data\" disclosure appears on all 141 live listings we resolved, every one of which links the same privacy policy that admits the logging. Impact # An affected user is enrolled in deceptive traffic measurement and undisclosed telemetry. Specifically: The user's install and uninstall events are reported to the operator, and per the operator's own privacy policy this is associated with IP, ISP, referrer, and click data and shared with Google AdSense, DoubleClick, Analytics, and third-party ad partners. The operator presents extension-driven visits to advertisers and affiliates as Google organic search traffic, by way of the forged utm tags and the cloaked google.com\u002Furl redirect. Saved shortcut domains leak to Google through the favicon requests on every new tab. Every install ships an undisclosed anti-forensic IndexedDB wipe that runs on each service-worker start. The privacy policy linked from the same listing admits the extension logs IP address, ISP, and click data and feeds Google AdSense, contradicting the store disclosure above. The exposure is the family's full install base, on the order of 100,000 users. The harm is privacy and measurement integrity. Outlook and Recommendations # For Users Remove any new-tab \"live wallpaper\" extension sourced from tabplugins[.]com, yowgames[.]com, or chromewallpaper[.]com. Treat a listing that requests the search permission and overrides your new tab as something to scrutinize, and read the Privacy practices tab against the linked privacy policy before installing. After removing a new-tab override, confirm Chrome's new tab and default search engine are restored to your preference. For Developers Make sure your store Privacy practices disclosure matches your published privacy policy exactly. Never fabricate utm attribution or reuse Google's signed ved\u002Fusg redirect tokens to disguise your own traffic. Do not ship unexplained anti-forensic boilerplate, such as an indiscriminate IndexedDB wipe, into a product: even when it deletes nothing in the current build, it is undisclosed behavior with no legitimate purpose and it will and should draw scrutiny. For Security Teams Hunt for the family fingerprint rather than individual IDs, since the family is mass-produced and IDs rotate. Reliable signals are the literal console string Deleted IndexedDB database: in an extension service worker, an indexedDB.databases() enumerate-and-delete loop in a bg.js, a setUninstallURL pointed at a google.com\u002Furl wrapper, and an onInstalled handler that opens a tab carrying utm_source=google&utm_medium=organic. Block the brand domains (tabplugins[.]com, yowgames[.]com, chromewallpaper[.]com, and the chromewallpaper redirect target owhit[.]com) and alert on new-tab override extensions that request the search permission and originate from them. Socket's Chrome extension protection analyzes extension bundles for hidden data flows, undisclosed credential exfiltration, and C2 backdoors, blocking malicious extensions before they reach user endpoints. MITRE ATT&CK # T1176.001 Browser Extensions T1036 Masquerading T1070 Indicator Removal T1071.001 Application Layer Protocol: Web Protocols T1583.001 Acquire Infrastructure: Domains # Threat Actor Developer Accounts ZainAhamed1994 shuek gamingify009 epicart asif44 AW_Ext ibrkha deckapp.dev tabplugins.com netd.soft ExtNext WallExt hirakiranpk yowgames.com wallpaperbg Wallpaperguru Vivid Visuals wallfunlive yowtheme livewallpaperhd livewall TabTab NewTech 4klivechrome backgrounds max1 nermincandas themevisual themesbrowser liveyow walltab livemotion Aurora Themes OneExt Wallpaper Factory motionlive HeroEXT chrometheme Threat Actor Email Addresses hirakiranpk@gmail[.]com hussnain1122akram@gmail[.]com ferhatbadem831@gmail[.]com keremsopar@gmail[.]com yahyagazi06@gmail[.]com support@owhit[.]com info@walltab[.]com Network Indicators tabplugins[.]com (Hostinger origin IPs 147[.]79[.]120[.]202, 92[.]112[.]198[.]22; Cloudflare name servers fatima[.]ns[.]cloudflare[.]com, ned[.]ns[.]cloudflare[.]com) yowgames[.]com (Cloudflare name servers journey[.]ns[.]cloudflare[.]com, tim[.]ns[.]cloudflare[.]com) chromewallpaper[.]com (HTTP 301 redirect to owhit[.]com; same Cloudflare name-server pair as yowgames) owhit[.]com (chromewallpaper redirect target; same Cloudflare name-server pair as yowgames) Infrastructure and Monetization Indicators Ad bundle URL pattern: avads[.]live\u002Fs\u002Fav- .js (confirmed serving for av-tabplugins.js) Google Ad Manager network code (tabplugins[.]com): 23301900962,23324153939 Advergic Prebid account ID: yiF3ZLZK Google AdSense publisher IDs: ca-pub-2685573472598175 (yowgames[.]com), ca-pub-6596604135510481 (owhit[.]com) Google Analytics 4 properties: G-906NQ2GLXR (tabplugins[.]com), G-YJWVP0Q1KW (yowgames[.]com), G-6V3WECV225 (owhit[.]com) Chrome Extension IDs laafpeklcnlfmjaofbndehkjpnccbhek Neymar - Football Live Wallpaper mnpacdigbockiilmilhbedciadenfdnb Satoru Gojo Manga Live Wallpaper iedplnnolciaofkakkjmcojnmklpfikg Porsche 911 - Sports Car Live Wallpaper (dead service worker) ipiabbhciknabpoihaakdahgghllelpj Satoru Gojo Live Wallpaper hijpkhinofkdobfagfbobnnoihmopgkk Hello Kitty Wallpapers HD New Tab famchdjojcnakamhkddkpaglnkonkfnl Pusheen Cat Wallpapers HD New Tab nomekamioepglinefhenifnbegjhfiai Peach & Goma Wallpapers HD New Tab jjngbcodoldjmpjpfbhfelaljbdlkekh Spider-Man Miles Morales Swing Live Wallpaper gfikbhpfjldbbikolkcimfgmejhdkjbe BMW M3 Neon Night Drive Live Wallpaper dbiamdajndfmpmmeklcbbnekhkdcakhf BMW Wallpapers pkdloppfapenphihgbldhjjlfhgnkmcg Death Note Anime Wallpapers HD New Tab imkepemaflommlonnppjobgdpokbfmoj Sonic Frontiers Starfall Live Wallpaper ibglidkppckhminbhbgcajomjplomcka Tanjiro - Demon Slayer Live Wallpaper gkbfokaephnaajnmpgiieidpfieamggb Neymar New Tab Wallpaper bcafgkhoifffmnoajkgmbhcojpabjffm Anime Car Drift Live Wallpaper ojeaociifmdciibodcifjjocdlbjjeep Choso Wallpapers New Tab npcghghfkbpgiamoifabankdnmopenni Anime Rain Live Wallpaper mjdhgndjbajnanfimjipafechjbakdhh Minecraft Sakura Pond Live Wallpaper lblgjffllphdepifdkfhlihddckhlkll Straw Hat Live Wallpaper Ghost of Tsushima laeciedchhnmnfhllplcgkfcdbdfgdhn Zenitsu Agatsuma Live Wallpaper jhnpoiikhnkjlfcffohfbkejnoojcopc Lamine Yamal Wallpapers HD Football ijbpegpcaiencppbgaldjflmllhhdfog FNAF Live Wallpaper icajjcahmgdpeilkbjbelkoinhonbaeb Ryomen Sukuna Sorcerer Live Wallpaper hichkepmmfdhhnagoejglmkdebinkcca Pochacco Live Wallpaper hfignegjmgkcmeipgbdpaihpbnjdkgbm Messi Wallpapers HD Football gfmgoodobmpmhoilhblgkocaehlkopod Kuromi Love Live Wallpaper geceobkknhgcbgnegnagckpnmfdfcppk Eren Yeager Live Wallpaper dnehmmlaljfhkdfekfbpljalkljgpmkj Black Clover New Tab Wallpaper dncncgaaalajgbijnalajojmmdmbdeci Jon Snow Wolf Live Wallpaper dmjbglakodlaodocplnbmhpdhngllhoe Kuromi Wallpapers HD New Tab djfpdmpoladfinglebbgkpcbiifhpmed Cinnamoroll Wallpapers HD New Tab decnpcihddaibncfimicaidmhmhfgpjb Hello Kitty Friends Live Wallpaper ahfhmnlfmhmnifjeejhcbaffgemmkoib Sung Jinwoo - Solo Leveling Live Wallpaper iccpkfpgkhinigpcaldpldkjpihcngin Corocoro Coronya Live Wallpaper cckipipbgopgoljcdhlfgcfcdkkonfbh Hollow Knight Silksong Live Wallpaper ocdgeajebolgofbpnlahdipclagnibpm Call of Duty Ghost Live Wallpaper gecgngeaifpeokmajbhcmdahkkfhpgic Itachi Uchiha Live Wallpaper jobeagkmmpfpepbabognchgecbehljag Hello Kitty Live Wallpaper Sanrio kfnbcjbhjiopgnlmigcigiooenpkkaib Minions Wallpapers New Tab nhdniddeikmpbapjcmcoaglhgepfmopb Nissan Skyline R34 Live Wallpaper ahheiepjhohjjdmbafjjhckninnlehlf Ferrari F1 Car Live Wallpaper adjkkoailfaklaipddajkpncbocgammd Real Madrid Emblem Live Wallpaper iingfcnnoibkdojcnfahhflafimjikce Dante Devil May Cry Live Wallpaper gelkonncfnniglodoncdmgcijikjdflg Labubi Live Wallpaper glmagbbbkofdibipgefimkdfbppgodee Chiikawa Wallpapers New Tab aeaaddfnednkbjbijieienagdilibjmo Ghost Modern Warfare Live Wallpaper jlnmbimmmnmejkjgaedggiignfciekim Kimetsu no Yaiba Wallpapers New Tab dbkhkbbjngadephedgpahlhomddaecef Miyamoto Musashi Live Wallpaper nmhgpefjpocdfcjenmecbnngbjbbcelp Kuromi Live Wallpaper bhefdfhbjonfechcjphjekhkdpaoddlo Ken Kaneki Tokyo Ghoul Live Wallpaper afblbdldehhbfnkjaekojkkinfcdkjgn Naruto - Kakashi Hatake Live Wallpaper mhekafflbaidbfikbjhdfioajiahflpg Astronaut Grok Black Hole Live Wallpaper nhjhcfdgfphedllolofcipdnjkjdihdj Hornet Hollow Knight Live Wallpaper phbankjceijddhfhcobljkjlcgmbfpoa Invincible Sky Flight Live Wallpaper npdbhfkphakcnjingllikjfclgabjipd Powerpuff Girls Live Wallpaper jbkmnkhkobkaegbhbeimoclnljmpknng Goku & Shenron Live Wallpaper afcjbeaomliemmngehinaekimohojokc Malenia - Elden Ring Live Wallpaper kbbpcmlmpdbipcmkhmbnipjkpnfijnda Hashibira Inosuke and Zenitsu Live Wallpaper begnlejfcmkjblajjeafpebgcbcojhin Kratos Live Wallpaper iipphhlmjmblpialebokpdpbnadodkbi Goku Rain Flame Live Wallpaper bilaomondbfgpbokppljiindmfnackcj Black Nissan GTR Rainy Night Live Wallpaper nppgecbeafccpgnhjjdlhpojicfjjblo My Hero Academia Wallpapers New Tab agfppecmpkdhfbilkkhonedjnjfnmimg Dipper & Mabel's Adventures Live Wallpaper iincgojokhoknbhgjaljpihfegfpbjih Haikyuu Kenma Kozume Live Wallpaper hdhcdlpopaiajpcmpnednmohdnfdmclp My Melody Wallpapers New Tab ajmhcjfgeahcaccefbkmacaljjangjmc Gojo Blue Eyes Live Wallpaper pcokalkebdbbfpkcgejbpkjhliahlppa Berserker Armor Live Wallpaper eiencjmoddignmjiapafelkfgfmedppl Bumblebee Live Wallpaper agplicjllogkjijnddgfjincdaagkbno Lamine Yamal Galaxy Live Wallpaper hpgfgaaaageiokfojfajdgjkkbadofjo Arsenal FC Flag Live Wallpaper hneachchlcnnfkhdiepdpoojodpjlanp Rengoku Wallpapers New Tab pblgphhmhlnhfkeldhflcefpckgnalmf Kaonashi Live Wallpaper ggpncchenfmambejcehgjadnedckijaf Berserker Dark Armor Live Wallpaper lmaaoejgcoaieeddmdpjpmhmbpepnckf Haikyuu Wallpapers New Tab kmeneimgonibpggfkjihdghpaioikppd Gojo Reversal Red Live Wallpaper alhilbblgdfkklanmfkbjmhapagpneng Gachiakuta Wallpapers New Tab gjaahnaaehopcpdhgpjddonmkgffpmji Tiger Live Wallpaper dmeipihagdngmblfpfinkagindgfbmpo Purple Sakura Live Wallpaper bfdcbjeogfmagcoeihgbggacohalmffm Guts Beast of Darkness Live Wallpaper calbnkamaibciogbicgbgpocigocaofh Berserk Wallpapers New Tab ccbmjnepfjepehocnhdnddmaljhecjid Dr. Stone Wallpapers New Tab bdopholihfepohbcaifahepojljpihfb Anime Boy Wallpapers New Tab onfjapdgahmnajmbkacmifpciokicbkd Manchester United Flag Live Wallpaper iggbnejemgjglnmkfjipacpfnbblkhgc BMW M4 Wallpapers New Tab iagkmpcgnlcdabaheobkeffadmffoolm Ace Smile One Piece Live Wallpaper gjlebhdhmjiahfcefjanmjcipihapcob Lone Samurai Live Wallpaper cdokinnfpnmkkieepnnncahhgjkbnfip Porsche 911 Wallpapers New Tab bbggeccdbfplmmpdbjgmkkaofbjncnkc Minecraft Creeper Live Wallpaper pcadkpnfmffnldeidifelohmkebdddjn Autumn Lamborghini Live Wallpaper bifidmiaihofppodiocakodjjniiodcc Minato & Naruto Live Wallpaper dlfjpodlhgogdiokffnejehokghbdgca Hitsugaya Toshiro Live Wallpaper efdcnjhnhbnbcclppmfdgppjndkjince Nissan GTR Wallpapers New Tab pfoehpcdijnjnlbeekjpndlfengadhba Boruto Uzumaki Live Wallpaper loonegbofnbcimpgbhnhlmhgfaidodbf Bart Simpson Live Wallpaper gmcfalbhfnhpgffchgogpnlmdgalbeml Audi RS Wallpapers New Tab jlkogclddcocddkbgleneedobmfcflji Keroppi Wallpapers New Tab nlllgkfjdekpcibpgakffbdlgbbbfnkl GTA 6 Wallpapers New Tab feamnjpoiogkfkiihejgjlofhblfbebf Deadpool Live Wallpaper obpcedpondgemjpohgikkooejmnbkpnd Minecraft Sword Live Wallpaper aadfnjeeifjafcgmfdjacmllmokcalcc Chelsea FC Live Wallpaper lbjopcoldneclmibpaomiencfonnlghk Rengoku Live Wallpaper Demon Slayer pcolhdbpdenlnpdhbcodnfebjkbgidaf Sasuke Uchiha Wallpapers New Tab ccbogfjhjlbclkgglnmdjommgndhaack Pokemon Wallpapers New Tab ajhpfcgpnkmokhpkchoonflmbemhcece Mercedes-AMG Wallpapers New Tab dcfplngdkjdeadfbnnklpnfpannnbjpk Puss in Boots Live Wallpaper nplcbealebpofbdcgajeddfidbgbogao Honda CBR1000RR-R Live Wallpaper nolehnmgjhncihbcganldhggmlbjplin Saitama Live Wallpaper - One Punch Man ilicobgjklfepgokldofhpdolhkminom Lamborghini Autumn Live Wallpaper ocieoagpcmmebfhhgakmlijmdnifbcag Angry Birds Wallpapers New Tab dhlkhbfacnmldfohkfchjgkhkfolgapg Ducati Wallpapers New Tab iglemaflhcmkkepecnoibopljmocgmld Attack on Titan Wallpapers New Tab eibdnpjboejipjmbkodlbcjlmdjikpjf Porsche 911 Turbo Live Wallpaper noabkafiljbjmpbfafppbfclccikkafl Pink Hello Kitty Live Wallpaper inkcephcpbbfnikbgdklmnpjgbanginn Chibi Anime Wallpapers New Tab dfcklcdpnbecfbjipopoeigjipfmnmle Lionel Messi Power Live Wallpaper ieildpjdcdcakalhlckdlfcejfddgdcj Brook Live Wallpaper - One Piece eoilhlidnimmdpafpgiehnmeoedjagge Rick and Morty Wallpapers New Tab edmogjhhhoikmgdchmfgmdfnajnfpopf Denji Wallpapers New Tab fjeahbfapbkbpaeijlhjokafegcgakmm Mercedes-Benz E-Class Wallpapers New Tab bdjlclmlpcdhiclbimfhhgpgilbeboof Harley Davidson Wallpapers New Tab odkhdfbfgaogiiilllhhgaflifcppnge Mickey Mouse Wallpapers New Tab jcnjcmfpmcdhkhloilpalealdbofanko Lamborghini Urus Wallpapers New Tab nkpdoonhinmfijbgjhhehhoojicoagdi Baki Hanma Wallpapers New Tab hfnikhbgpncbgfjnnccinpbijbaekaon Fallout Vault Boy Live Wallpaper njgifpepampdppjhncejlkkbmnigpcdl Mob Psycho 100 Wallpapers New Tab cnnafooohihkcoenaemoplnapabpmaak Ghost of Yotei Live Wallpaper gjjpikdggjehfjlpgndjhjdnljenndig BMW 8 Series Wallpapers New Tab celcpebbklhbkakkmaiagcgdbfamcggo Guts Wallpapers New Tab (dead service worker) fnjofkjppepnhofinhhiobdigngbfaig Hunter x Hunter Wallpapers New Tab gpjofbomakaiicnnomapefkleamhphle PUBG Wallpapers New Tab nphllmhkkoiaelncflmenjabjcdhplje Aggretsuko Live Wallpaper lhhoicpajfbijboekonjnedpicpdijfe Dark Anime Wallpapers New Tab bipegidgofcllkbegbgeeoeodlglohof Naruto Live Wallpaper - Uzumaki Hokage goadfckeiedppmgdhbaceoiffbppkknf Care Bears Wallpapers New Tab gjpinhcpfmeokkonngflhkolacglkpmh Doom Rampage Live Wallpaper jfbalacimgcefdnniabmbejpgnhdhgng Izuku Midoriya Wallpapers New Tab jpmhndngfnbfdpgdbombckddiflphpao Cristiano Ronaldo Golden Live Wallpaper ojlbdnmdbhjgkljldaogkoabhabjoadg Gintoki Sakata Wallpapers New Tab (dead service worker) efhapddipneibbpcjogidfhbhhhlifdn Katsuki Bakugo Wallpapers New Tab joklccphgbkamedfgoeidmlcgjpdnlgj Kaiju No. 8 Wallpapers New Tab plbebfjeklpfmffhcknkhbbdpjfkoenc Animal Crossing - Dōbutsu no Mori Live Wallpaper jdjkbjmobobfehaohkkbenbnnaaocabc (delisted) imfibcedgmmmdikffoeipdnojhgbhjob (delisted) dljjhjgmkimljkfjboioacmepefoedlh (delisted) ijgfnklhknbjfjjbacefdgpjbkjdkfoc (delisted) ooiaicknajbjkknpnfchbgcdhmfligaj (delisted) objpdomhddblhffemlhmefbpelblakgn (delisted) kaihdoeelgmhphjindgnehgiekjeleip (delisted) dlppampnbpddlmkecbbgkgkhamchmfle (delisted) gnlmghadjomllhknpmaglmmkbabifaal (delisted) ljblneelmbapgfcbmphbnnkdofmnldjp (delisted) gdeeoecplcaghjdbpfiddgemdgdmnpbo (delisted)","A family of 152 Chrome 'live wallpaper' extensions, built from a single codebase but distributed across 38 publisher accounts, have been found to log user data and share it with ad partners, despite claiming otherwise in their store listings. A subset of these extensions also faked Google search traffic attribution to inflate website popularity and trust, a deceptive practice that pollutes analytics data for websites, ad networks, and Google itself. The extensions are described as adware-adjacent potentially unwanted programs (PUPs) with concrete harms including deceptive traffic measurement, undisclosed telemetry, and false privacy disclosures, affecting an estimated 100,000 users.","152 Chrome wallpaper extensions hid ad tracking and faked Google search traffic.","Security Newsnpm Tooling Bug Incorrectly Marks One-Character Packages as Security Holdersnpm confirmed a tooling bug incorrectly marked several one-character packages as security holders and said it was working on a rollback.By Sarah Gooding - Jun 09, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002F152-chrome-live-wallpaper-extensions-hid-ad-tracking?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F080959dd72f8c34a8d167aabb1811987c79dd98b-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-06-12T22:48:59.354+00:00","2026-06-13T02:00:23.464007+00:00",8,[18,21,23,26,28,30],{"name":19,"type":20},"Chrome Live Wallpaper Extensions","product",{"name":22,"type":20},"Chrome Web Store",{"name":24,"type":25},"Google AdSense","technology",{"name":27,"type":25},"DoubleClick",{"name":29,"type":25},"Google Analytics 4",{"name":31,"type":25},"IndexedDB","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":32,"icon":34,"name":35,"slug":36},null,"Malware","malware",[38,43,45],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":44},{"id":32,"icon":34,"name":35,"slug":36},{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[51,55,58,61,64,68,71,75,77,80,82,85,88,91,95,98,101,104],{"type":52,"value":53,"context":54},"domain","tabplugins.com","Backend domain for 109 extensions, associated with forged Google attribution and cloaked uninstall redirects.",{"type":52,"value":56,"context":57},"yowgames.com","Backend domain for 19 extensions, shipping core functionality without forged Google attribution.",{"type":52,"value":59,"context":60},"chromewallpaper.com","Backend domain for 13 extensions, redirects to owhit.com.",{"type":52,"value":62,"context":63},"owhit.com","Redirect target for chromewallpaper.com, associated with operator contact information.",{"type":65,"value":66,"context":67},"url","https:\u002F\u002Ftabplugins.com\u002Ftanjiro-demon-slayer-live-wallpaper\u002F?utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper","Example install URL with fabricated Google organic search attribution.",{"type":65,"value":69,"context":70},"https:\u002F\u002Fwww.google.com\u002Furl?sa=t&source=web&rct=j&opi=89978449&url=https:\u002F\u002Ftabplugins.com\u002Flive-wallpaper\u002F&ved=2ahUKEwigjZv3_sqUAxWaTKQEHVVYOFUQFnoECB4QAQ&usg=AOvVaw3S1cD8TWcvQUivIwcBGtSp","Example uninstall URL wrapped in a fake Google search-result click.",{"type":72,"value":73,"context":74},"email","hirakiranpk@gmail.com","Publisher account contact email.",{"type":72,"value":76,"context":74},"hussnain1122akram@gmail.com",{"type":72,"value":78,"context":79},"ferhatbadem831@gmail.com","Publisher account contact email, potentially linked to Turkey.",{"type":72,"value":81,"context":79},"keremsopar@gmail.com",{"type":72,"value":83,"context":84},"yahyagazi06@gmail.com","Operator contact email, potentially linked to Turkey.",{"type":72,"value":86,"context":87},"support@owhit.com","Operator contact email.",{"type":65,"value":89,"context":90},"https:\u002F\u002Favads[.]live\u002Fs\u002Fav-tabplugins.js","Ad bundle URL serving for the tabplugins.com cluster.",{"type":92,"value":93,"context":94},"mitre_attack","T1176.001","Browser Extensions",{"type":92,"value":96,"context":97},"T1036","Masquerading",{"type":92,"value":99,"context":100},"T1070","Indicator Removal",{"type":92,"value":102,"context":103},"T1071.001","Application Layer Protocol: Web Protocols",{"type":92,"value":105,"context":106},"T1583.001","Acquire Infrastructure: Domains"]