Open Source 2020-10-01 · 126 days · Tracking, Ad Fraud, Remote Code Loading

The Great Suspender Chrome extension hijacked

After original maintainer Dean Oemcke transferred ownership to an anonymous buyer in June 2020, the new owner published v7.1.8 to the Chrome Web Store containing tracking and remote-code-loading functionality that was never present in the open-source repository.

Story

The Great Suspender was a browser extension used by millions of Chrome users to unload inactive tabs. In June 2020, the original maintainer transferred control to an anonymous new owner. The source repository and the Chrome Web Store package then began to diverge.

Version 7.1.8 on the Chrome Web Store loaded remote, obfuscated JavaScript from third-party infrastructure. Community analysis found tracking and request-manipulation behavior, with permissions broad enough to observe and modify web traffic across sites.

The important distribution fact is that the hostile code was in the store package, not in the public GitHub source. Users who trusted automatic extension updates received code that a review of the open-source repository would not have revealed.

Microsoft removed the extension from Edge first. Google later removed it from the Chrome Web Store and force-disabled installed copies on February 4, 2021. Users were left recovering suspended tabs and migrating to forks or alternatives.

Affected Artifacts

thegreatsuspender

· repository · Extension Package
Observed: 2020-10-01 to 2021-02-04
Compromised Versions:
  • 7.1.8
Fixed: Not listed
Evidence:
  • mirror: github.com/greatsuspender/thegreatsuspender
  • version: 7.1.8
  • domain: owebanalytics.com
  • observable: Chrome Web Store package diverged from the public GitHub source.

Incident Context

Motive: Financial Gain
Attribution: Maintainer
Cause: Maintainer Ownership Transfer
Transitive: No
Actor: New maintainer
User Impact: 2000000

External References

Source record: oss/attacks/great-suspender/meta.yaml