Is "Fresh New Tab" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is needs follow up with 65% confidence.

Recommended action: runtime analysis.
Risk context: MEDIUM risk, score 62/100.
Evidence context: threat category none; evidence quality moderate.

Fresh New Tab is a productivity extension claiming to provide Pomodoro timer and Kanban board functionality on the new tab page. The extension is published by [email protected], a personal Gmail address with no corporate attribution. The extension has zero users and is at version 1.0.0.

The 29 IoC findings are predominantly false positives. Four findings—menubtn.dataset.id, trackedels.map, el.dataset.id, and itemel.dataset.id—are property access chains misread as domains, a documented XIOC extractor error pattern. The finding ::af is an IPv6 fragment, another known false positive pattern. Legitimate support URLs (support.google.com, support.apple.com) comprise additional false positives. Only two domains warrant scrutiny: rect.top and preview.style.top, both using the .top TLD commonly associated with adware and spam infrastructure.

Two network findings in background.js:52 and newtab.js:130 detect generic fetch calls without destination information. These are expected for a new tab extension that may need to load content or sync data. The 18 code-smell findings are all severity=low and represent noise per CVEQ guidelines—they match basic JavaScript patterns and should not drive verdict decisions.

The strongest counterargument is the anonymous developer and suspicious .top domains. A skeptic would argue that rect.top and preview.style.top could be tracking or ad-serving endpoints. However, no malware signatures exist in the evidence bundle, no obfuscation is present, and the extension's stated functionality (Pomodoro timer, Kanban board) is legitimate. The .top domains could be legitimate service endpoints for the extension's features. Without runtime analysis or destination URLs from the fetch calls, the purpose of these domains cannot be determined.

Verdict: needs_follow_up. Investigation of rect.top and preview.style.top is required to determine if they serve legitimate extension functionality or represent ad/tracking infrastructure. Runtime analysis would reveal the actual network destinations and data flows.

Key Reasons

• Most IoC findings are known false positive patterns (property chains, IPv6 fragments, legitimate URLs)
• No malware signatures detected in evidence bundle
• No obfuscation detected
• Two suspicious .top TLD domains (rect.top, preview.style.top) require investigation
• Anonymous developer with zero user base

False Positive Considerations

• Property access chains misread as domains (menubtn.dataset.id, trackedels.map, el.dataset.id, itemel.dataset.id)
• IPv6 fragments (::af)
• Code-smell findings (18 total, all severity=low)
• Legitimate support URLs (support.google.com, support.apple.com)