Is "HubMerge" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: suppress false positive.
Risk context: HIGH risk, score 68/100.
Evidence context: threat category none; evidence quality moderate.

The HubMerge extension exhibits a classic false-positive profile driven entirely by XIOC extractor garbage. All 133 IoC findings are property access chain misinterpretations, not real network domains. Specific examples include XIOC-DOMAIN-o.call (function property access), XIOC-DOMAIN-h.id (DOM element ID property), XIOC-DOMAIN-b.map (Array.map method), and XIOC-DOMAIN-j.now (Date.now property). These patterns match the documented XIOC false-positive behavior where JavaScript property chains like object.property are misread as domain names. The evidence explicitly states these were extracted_from_files with no actual network destinations.

Zero malware signatures were detected across all 154 total findings. The findings summary shows "malware-signature":"0" and "malware":"0", which is a critical distinction. Malware signatures represent confirmed malicious code patterns, while the 18 code-smell findings are classified as low-severity and trigger on basic JavaScript patterns per the CVEQ documentation. The 2 network findings lack specific domain details that would indicate actual data exfiltration or C2 communication.

The extension's metadata is consistent with legitimate behavior. The name "HubMerge" aligns with the description "Merge HubSpot properties easily" - a reasonable functionality for a HubSpot integration tool. The developer email [email protected] provides attribution rather than anonymity. While the user count of 1 indicates a very new or niche extension, this alone is not a threat indicator.

The strongest counterargument would be the high finding volume of 154 total detections. However, the guidelines explicitly state "IoC COUNT alone is meaningless. Only specific, non-generic suspicious domains matter." None of the 133 IoCs represent actual suspicious domains - they are all property access chains like r.style, z.style, and sl.now. The finding count is inflated by known XIOC noise patterns, not actual malicious infrastructure. Without malware signatures, obfuscation, or real suspicious domains, the high count does not indicate actual risk.

This extension should be classified as a false positive driven by automated extraction artifacts rather than genuine security concerns.

Key Reasons

• All 133 IoC findings are XIOC property access chain garbage (o.call, h.id, b.map, etc.)
• Zero malware signatures detected despite 154 total findings
• Zero obfuscation findings
• Extension name and description are consistent with legitimate HubSpot integration
• Developer email provides attribution rather than anonymity

False Positive Considerations

• XIOC property access chain garbage (all 133 IoCs)
• Code-smell findings on basic JavaScript patterns
• No malware signatures despite high finding count
• No obfuscation or high-confidence threat indicators