A forged Yahoo Axis chrome extension

Yahoo Axis Forged Package

Yahoo! accidentally included their private certificate file inside the Axis Chrome extension.


This project is a test package signed using the certificate. The source is in src, and a test build signed with the cert is in build.

The original package is in original_build, and the unpacked original source is in original_src.

The spoofed package has the exact same source except it adds a content script.


To test-install the package, click on the raw link:

All that it does is trigger a JavaScript alert on every page load on every site/domain. It does this via an added content script.
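The root cause noted at the top, a private key shipped inside the package, can be caught before release. The following is an added example, not code from this repository: it locates the ZIP payload inside a CRX2 or CRX3 file and lists every member that contains a PEM private-key header. The function names and the in-memory sample package are assumptions made for illustration.

```python
import io
import re
import struct
import zipfile

# PEM header of any private key type (PKCS#8, RSA, EC, ENCRYPTED, OPENSSH).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def crx_zip_offset(data: bytes) -> int:
    """Offset of the ZIP payload in a CRX2/CRX3 file; 0 for a plain ZIP."""
    if data[:4] != b"Cr24":
        return 0
    if len(data) < 16:
        raise ValueError("truncated CRX header")
    version, first_len, second_len = struct.unpack_from("<III", data, 4)
    if version == 2:    # magic, version, key length, signature length, key, signature
        offset = 16 + first_len + second_len
    elif version == 3:  # magic, version, header length, header
        offset = 12 + first_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if offset > len(data):
        raise ValueError("CRX header lengths exceed file size")
    return offset


def find_private_keys(package: bytes) -> list[str]:
    """Names of archive members that contain a PEM private-key header."""
    payload = package[crx_zip_offset(package):]
    hits = []
    with zipfile.ZipFile(io.BytesIO(payload)) as archive:
        for info in archive.infolist():
            if not info.is_dir() and PEM_PRIVATE_KEY.search(archive.read(info)):
                hits.append(info.filename)
    return sorted(hits)


def build_sample_crx2(files: dict[str, bytes]) -> bytes:
    """Constructed test input: CRX2 container with dummy key and signature bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in files.items():
            archive.writestr(name, body)
    return b"Cr24" + struct.pack("<III", 2, 8, 4) + b"\x00" * 12 + buf.getvalue()

# Constructed sample: a fake key shipped next to the manifest.
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
SAMPLE = build_sample_crx2({"manifest.json": b'{"name": "demo"}', "key.pem": FAKE_KEY})
```

Run as a release gate, a non-empty result from `find_private_keys` should fail the build. The check only covers PEM-encoded keys; a DER-encoded key would need a separate test.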


In this repo


Working that out now. I think that if you can DNS hijack the update URL, a forged package would update and install silently.


I have published a blog post about this issue. Updates and responses will be posted there.

Follow latest on my Twitter at @nikcub
