Proton VPN

ID: mlndifgbehammhhbecgfcpbcbmnfhooe

Supported Languages

🇷🇺Russian

Extension Info & Metadata

Status: Active
Version: 1.0.0
Size: 0.02 MB
Rating: 5.0/5
Reviews: 6
Users: 477
Type: Extension
Updated: Jun 14, 2026
Category: Privacy & security
Price: Free
Featured: No
Visibility: Listed
Mature: No
By Google: No
Trusted: No

Publisher Contextual Analysis

MX records exist: Yes
Domain exists: Yes
Is disposable: No
Is role-based: No
Mailbox exists: Yes
Total Extensions: 26
Active: 18
Obsolete: 8
Listed: 26
Unlisted: 0
Total Users: 3,099
Stable VPN connection for everyday use

Item: proxy
Type: Permission
Severity: Critical
Description: This permission allows the extension to control the browser's proxy settings. Rated Critical because it can route all traffic through potentially malicious proxies, enabling man-in-the-middle attacks and traffic monitoring.

The extension uses the trademarked name 'Proton VPN' in its manifest to impersonate Proton AG's legitimate ProtonVPN service, while the actual author is 'Сова Team' and the homepage points to neoncloak.space — a completely unrelated entity. Users who install this believing it is ProtonVPN are deceived into trusting an unknown third party with all their browser traffic. This is deliberate brand impersonation designed to exploit ProtonVPN's reputation for privacy and security.

manifest.json (Line 1)

    {
      "manifest_version": 3,
      "name": "Proton VPN",
      "version": "1.0.0",
      "description": "Стабильное VPN-соединение для ежедневного использования",
      "author": "Сова Team",
      "homepage_url": "https://neoncloak.space/",
      "permissions": [
        "proxy"
      ]
    }

All browser traffic is silently routed through SOCKS5 proxies at neoncloak.space subdomains and hard-coded IP addresses on port 1082 — infrastructure controlled by Сова Team / myxavpn.pro, not by Proton AG. Users deceived by the 'Proton VPN' branding believe their traffic is protected by ProtonVPN's trusted infrastructure, but it is actually passing through an unknown third-party's servers. This gives the proxy operator full visibility into all traffic destinations and timing metadata for every site the user visits.

worker.js (Line 171)

    function engageTunnel(nodeId) {
      const node = SERVERS.find(function(s) {
        return s.id === nodeId;
      });
      if (!node) return false;
      const config = {
        mode: "fixed_servers",
        rules: {
          singleProxy: {
            scheme: "socks5",
            host: node.host,
            port: node.port
          },
          bypassList: BYPASS_LIST
        }
      };
      chrome.proxy.settings.set({
        value: config,
        scope: "regular"
      }, function() {
        relayActive = true;
        chosenNode = nodeId;
      });
      return true;
    }

The premium upsell URLs lead to app.myxavpn.pro (a completely different VPN service, 'Myxa VPN') and a Telegram bot, not to any Proton AG property. The referral parameter (ref=c71048ff-...) confirms this is an affiliate/reseller scheme monetising users who were deceived into installing what they believed was the legitimate ProtonVPN extension. This confirms the impersonation is deliberate and financially motivated.

core.js (Line 195)

    var PREMIUM_URL = "https://app.myxavpn.pro/auth?ref=c71048ff-fbad-45ff-b166-caebf8415633";
    var TG_BOT_URL = "https://t.me/myxavpn_bot?start=c71048ff-fbad-45ff-b166-caebf8415633";
    var SITE_FALLBACK_URL = "https://app.myxavpn.pro/auth?ref=c71048ff-fbad-45ff-b166-caebf8415633";

By severity

Critical: 2
High: 1
Medium: 0
Low: 0

Versions scanned

Showing 1 of 1 scanned version with more than one unique finding. Counts are unique findings that include each version.

Extension Version: 1.0.0
Code Review Findings: 3

Files with findings

3 distinct paths — top paths by unique finding count:

  • core.js: 1
  • manifest.json: 1
  • worker.js: 1

S.No.: 1
Category: Network Interception
Severity: critical
File: worker.js (line 171)
Summary: All browser traffic is silently routed through SOCKS5 proxies at neoncloak.space subdomains and hard-coded IP addresses on port 1082 — infrastructure controlled by Сова Team / myxavpn.pro, not by Proton AG. Users dece…

S.No.: 2
Category: Phishing
Severity: critical
File: manifest.json (line 1)
Summary: The extension uses the trademarked name 'Proton VPN' in its manifest to impersonate Proton AG's legitimate ProtonVPN service, while the actual author is 'Сова Team' and the homepage points to neoncloak.space — a compl…

S.No.: 3
Category: Phishing
Severity: high
File: core.js (line 195)
Summary: The premium upsell URLs lead to app.myxavpn.pro (a completely different VPN service, 'Myxa VPN') and a Telegram bot, not to any Proton AG property. The referral parameter (ref=c71048ff-...) confirms this is an affilia…

URLs: 4
IPv4: 16
IPv6: 0

URLs

app.myxavpn.pro/auth: https://app.myxavpn.pro/auth?ref=c71048ff-fbad-45ff-b166-caebf8415633
t.me/myxavpn_bot: https://t.me/myxavpn_bot?start=c71048ff-fbad-45ff-b166-caebf8415633
www.w3.org/2000/svg: http://www.w3.org/2000/svg
neoncloak.space: https://neoncloak.space/

Version: 1.0.0 (Latest)
Size: 0.02 MB
Is Malicious: Malicious
Findings: 3