alt Hacker NewsMy point was to have a community effort around it as well if possible and people could say, upload suspicion and people could then confirm it?
I am curious but wouldn't this effort be more better if more people outside who are interested in investing their own resources for the safety of a better internet could help you out in such endeavour? So essentially they can also help you out in such task essentially creating an open source-ish committee/list which can decide it.
I do feel like if resources are something in short, then actually doing such would be even more beneficial, right? What are your thoughts on it?
(Tangent if you actually do this: This might become a cat and mouse game if the person with malicious extension say reads the github repo and if they see their extension in it before people can conclude its malicious, making the cat and mouse game but I am imagining a github action which can calculate the hash and download link and everything (essentially archiving) a state of extension and then people can get freed from the game and everything as well. So this might help a lot in future if you actually implement it)
It is a noble idea to have a community driven effort in security research. We are sceptical that would work. The same way security researchers will read this thread in future bad actors (e.g. Similarweb) can read as well.
Any tool that would be open sourced or community driven for extension scanning will be with enough time used by bad actors to evade the scans. That is also why we don't share the code for this research as it would only speed up this process.