Security Alert: Critical Security Risk
Proton VPN
ID: mlndifgbehammhhbecgfcpbcbmnfhooe
Supported Languages
Extension Info & Metadata
Publisher Contextual Analysis
- Privacy
- Privacy Policy
- MX records exist
- Yes
- Domain exists
- Yes
- Is disposable
- No
- Is role-based
- No
- Mailbox exists
- Yes
Стабильное VPN-соединение для ежедневного использования
The extension uses the trademarked name 'Proton VPN' in its manifest to impersonate Proton AG's legitimate ProtonVPN service, while the actual author is 'Сова Team' and the homepage points to neoncloak.space — a completely unrelated entity. Users who install this believing it is ProtonVPN are deceived into trusting an unknown third party with all their browser traffic. This is deliberate brand impersonation designed to exploit ProtonVPN's reputation for privacy and security.
{ "manifest_version": 3, "name": "Proton VPN", "version": "1.0.0", "description": "Стабильное VPN-соединение для ежедневного использования", "author": "Сова Team", "homepage_url": "https://neoncloak.space/", "permissions": [ "proxy" ]}All browser traffic is silently routed through SOCKS5 proxies at neoncloak.space subdomains and hard-coded IP addresses on port 1082 — infrastructure controlled by Сова Team / myxavpn.pro, not by Proton AG. Users deceived by the 'Proton VPN' branding believe their traffic is protected by ProtonVPN's trusted infrastructure, but it is actually passing through an unknown third-party's servers. This gives the proxy operator full visibility into all traffic destinations and timing metadata for every site the user visits.
function engageTunnel(nodeId) { const node = SERVERS.find(function(s) { return s.id === nodeId; }); if (!node) return false; const config = { mode: "fixed_servers", rules: { singleProxy: { scheme: "socks5", host: node.host, port: node.port }, bypassList: BYPASS_LIST } }; chrome.proxy.settings.set({ value: config, scope: "regular" }, function() { relayActive = true; chosenNode = nodeId; }); return true;}The premium upsell URLs lead to app.myxavpn.pro (a completely different VPN service, 'Myxa VPN') and a Telegram bot, not to any Proton AG property. The referral parameter (ref=c71048ff-...) confirms this is an affiliate/reseller scheme monetising users who were deceived into installing what they believed was the legitimate ProtonVPN extension. This confirms the impersonation is deliberate and financially motivated.
var PREMIUM_URL = "https://app.myxavpn.pro/auth?ref=c71048ff-fbad-45ff-b166-caebf8415633";var TG_BOT_URL = "https://t.me/myxavpn_bot?start=c71048ff-fbad-45ff-b166-caebf8415633";var SITE_FALLBACK_URL = "https://app.myxavpn.pro/auth?ref=c71048ff-fbad-45ff-b166-caebf8415633";By severity
Versions scanned
Showing 1 of 1 scanned version with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.0.0 | 3 |
Files with findings
3 distinct paths — top paths by unique finding count:
- core.js1
- manifest.json1
- worker.js1
URLs
View the external URLs this extension communicates with to understand its network activity and data interactions.
Gain full insight into all external connections.
Upgrade for full visibility.
Gain full insight into all external connections.
Upgrade for full visibility.
Browse and explore files within this extension package
Gain full insight into all external connections.
Upgrade for full visibility.
