ctipilot.ch


Island: "BadBlocker" — an 11M-user Chrome ad-blocker is one server config change away from arbitrary JavaScript on any site

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

Island researchers documented (2026-06-25) a dormant but architecturally complete arbitrary-JavaScript-execution capability in "Adblock for YouTube" (11M+ installs) (Island, 2026-06-25; The Hacker News, 2026-06-25). The extension fetches its configuration every 24 hours; a server-controlled scriptletsRules field can activate a "create-element" scriptlet that appends an externally sourced <script> element to the DOM through a Trusted Types policy, bypassing the browser's own script-injection guard. Because the extension declares <all_urls> host permissions but only checks whether the string youtube.com appears anywhere in the URL (not whether it is the hostname), a lure such as https://bank.example.com/search?q=youtube.com passes the check, so an injected script could run in authenticated banking, admin-panel or enterprise-SaaS sessions with full DOM and credential access (T1176 Browser Extensions; T1056 Input Capture). Island demonstrated a Salesforce-data-exfiltration PoC; no malicious payload was live at analysis time, but sister extensions had previously been removed by Google for actual malware.

Defender concepts: flag browser extensions making config-fetch HTTPS requests outside their declared purpose; audit <all_urls> extensions against business need; enforce extension allowlisting via browser management policy.
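The root cause the brief describes is a substring match standing in for a hostname check. The following is an added example, not Island's code and not the extension's own source: it places that weak check beside the corrected form that parses the URL and compares the hostname only, then runs both over a handful of constructed sample URLs (including the bank lure quoted above) so a reviewer auditing an extension can see exactly where the two diverge. The function names and the sample URLs are assumptions made for this example.

```javascript
// Added example: substring host check (as described in the brief) vs. a parsed-hostname check.
// Names (weakHostCheck, isYouTubeHost, divergences) and sample URLs are assumptions, not
// identifiers from the extension or from Island's write-up.

const TARGET_HOST = "youtube.com";

// Weak check: true wherever the string appears, including path, query, fragment or scheme.
function weakHostCheck(url) {
  return url.includes(TARGET_HOST);
}

// Hardened check: parse with the WHATWG URL parser and compare only the hostname.
// Accepts youtube.com itself and any subdomain (www.youtube.com, m.youtube.com);
// rejects non-HTTP(S) schemes, unparseable input, and any URL where the name merely
// appears somewhere other than the host (lookalike hosts like youtube.com.evil.example
// or notyoutube.com also fail, because neither equals nor ends with ".youtube.com").
function isYouTubeHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // not a URL at all
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase();
  return host === TARGET_HOST || host.endsWith("." + TARGET_HOST);
}

// Constructed sample URLs: two legitimate YouTube origins, the lure from the brief,
// and four more that probe the edges of the substring match.
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc",
  "https://m.youtube.com/",
  "https://bank.example.com/search?q=youtube.com",
  "https://youtube.com.evil.example/",
  "https://notyoutube.com/",
  "https://example.com/#youtube.com",
  "javascript:youtube.com",
];

// Evaluate both checks over the samples and return only the URLs on which they disagree,
// i.e. the set the weak check would have admitted but the hostname check rejects.
function divergences(urls = SAMPLE_URLS) {
  return urls
    .map((u) => ({ url: u, weak: weakHostCheck(u), strict: isYouTubeHost(u) }))
    .filter((r) => r.weak !== r.strict);
}

// Stand-alone run: print the divergence table.
if (typeof require !== "undefined" && require.main === module) {
  console.table(divergences());
}
```

When auditing an extension that declares <all_urls>, the thing to look for is any content-script gate that operates on the raw URL string (includes, indexOf, a loose regex) rather than on a parsed hostname; the first form admits every URL in the divergence list above, the second admits only the first two samples.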