Is "EasySync" on Chrome Web Store Safe to Install?

[email protected] · chrome · v1.0.0

EasySync syncs OTP verification codes from your Android phone to Chrome and auto-fills them the moment they arrive — no typing, no switching apps.

HOW IT WORKS

  1. Install this extension and open the popup — you'll see a 6-digit pairing PIN
  2. Install the EasySync Android app and enter the PIN to pair your devices
  3. Any SMS OTP received on your phone instantly appears in Chrome and fills in automatically

FEATURES

  • Auto-fill — OTP fills into the input field the moment it arrives
  • Auto-copy — code is copied to clipboard immediately
  • Popup dashboard — view all recent OTPs, search by app name, copy or delete
  • Instant sync — Firebase delivers codes in under a second
  • No account — uses anonymous auth, nothing tied to your identity
  • Auto-deletion — OTPs are purged within 30 seconds of arrival

PRIVACY

OTP data is never stored long-term and is never shared with third parties. See the full privacy policy for details.

Risk Assessment

Analyzed: 43.58 out of 100, MEDIUM

2 security findings detected across all analyzers

Chrome extension requesting 4 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 2
  • Low: 0
  • Info: 0

Finding Categories

  • Network: 2

Requested Permissions

4 permissions

  • <all_urls> (Dangerous): Access and modify data on every website you visit
  • storage (Low)
  • alarms (Low)
  • scripting (Low)

Detailed Findings

2 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 88% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 63/100.
Evidence context: threat category none; evidence quality moderate.

The EasySync extension shows 237 total findings, but examination reveals these are entirely false positives from known CVEQ noise patterns.

IoC Findings Are Property Access Chains, Not Domains

All 201 IoC findings follow the pattern of JavaScript property access misidentified as domains. The finding XIOC-DOMAIN-d.next from extracted_from_files represents code like d.next being parsed as a domain. Similarly, XIOC-DOMAIN-t.call, XIOC-DOMAIN-o.next, XIOC-DOMAIN-at.next, XIOC-DOMAIN-u.events, XIOC-DOMAIN-i.next, XIOC-DOMAIN-c.next, XIOC-DOMAIN-v.call, XIOC-DOMAIN-ve.next, XIOC-DOMAIN-z.next, and XIOC-DOMAIN-e.next are all property access patterns. The CVEQ guidelines explicitly list "Property access chains misread as domains: b.call, h.next, g.id" as known false-positive patterns. These findings have no security significance.

Network Findings Are Generic Fetch Calls

The two network findings originate from assets/index.html-Dhm7EUqZ.js:1 and represent standard fetch API usage. The filename with hash indicates bundled/minified JavaScript, where fetch calls are routine for loading resources. This finding lacks any suspicious domain or tracking behavior.

Code-Smell Findings Are Documented Noise

The 34 code-smell findings are classified as severity=low and finding_type=code-smell. Per the CVEQ guidelines, "code-smell findings (severity=low, finding_type=code-smell) are NOISE." These rules match basic patterns like fetch, exec, fs, crypto, and process.env that appear in almost any non-trivial JavaScript.

No Actual Malware Indicators

The findings summary shows zero malware signatures, zero malware findings, and zero obfuscation findings. The extension contains no actual malicious code indicators.

Counterargument: Anonymous Developer and OTP Functionality

A skeptic might argue the email-based developer [email protected] and zero user count combined with OTP auto-fill functionality warrant concern. OTP handling extensions could theoretically intercept authentication tokens. However, the code evidence shows no credential access patterns, no external data transmission to suspicious domains, no obfuscation hiding malicious logic, and no malware signatures. The OTP functionality described in the extension metadata is not contradicted by the code findings.

Conclusion

This extension's findings are entirely driven by documented CVEQ false-positive patterns. The IoC extractor misidentified property access chains as domains, code-smell rules matched benign JavaScript patterns, and network findings represent standard fetch calls. No actual malicious behavior is present in the evidence.

Key Reasons

  • All 201 IoC findings are property access chains (d.next, t.call, etc.) - documented FP pattern
  • Zero malware signatures or actual malware detections
  • Zero obfuscation findings
  • Network findings are generic fetch calls in bundled code
  • Code-smell findings (34 total) classified as noise per guidelines

False Positive Considerations

  • IoC extractor misreading property access chains as domains
  • Code-smell findings classified as noise
  • Bundled/minified code triggering generic network findings
  • No actual malware or obfuscation detected

Frequently Asked Questions