See #1263, malicious code is not included in this GitHub repo.
tl;dr: Sorta' kinda' yes, technically no.
At length: the extension in Chrome loads and runs JavaScript from an unknown, recently-ish registered CDN with no homepage.
That _loaded_ JavaScript, when I fetched it, at a minimum can log a bunch of things that are detailed in the other thread, like eCommerce transactions, page views, and keystrokes. We don't know for sure because the server that's offering the JS could be returning different things to different people at different times. It could target people specifically. We don't know. It's unknown, untrusted code.
For in-depth details check issue #1263
That JavaScript at a minimum logs a bunch of things that are detailed in the other thread, like eCommerce transactions, page views, and keystrokes.
@JosephCatrambone no, the code does not log anything (no keystrokes, no transactions).
Not only is this logging code not being run, it is inside the extension's background page, which means that even if it were active, it wouldn't see any keystrokes, clicks, or transactions, as this is not a page accessible to the user. It runs in the background.
Please be careful about what you say. I understand you're not trying to spread fake news, but we should all try to fact check what we say before we do.
The other part is true - the problem is this server is probably posing as a normal analytics server, but replaces its code with malicious code when it wants to, and then swaps back so no one would know. See gioxx/MarvellousSuspender#13.
Are they going to fix this? This was the most productive Chrome app I have used in years. I love it so much!!!
@Gresliebear https://github.com/gioxx/MarvellousSuspender
@NotWearingPants: I've edited my description to be more accurate. The JavaScript that loaded from the CDN is what has the logging. The way I had originally written it was ambiguous. Yes, the extension itself contains no logging.
@JosephCatrambone Even with the extension including the CDN file, the extension does no logging. I wasn't talking about the distinction between the extension code and the CDN code - the combination of these has no logging.
That said, the code that's run appears to be analytics, if somewhat invasive and creepy analytics.
The point is - the analytics code is not being run. If the server is not returning a different file sometimes, then absolutely no analytics is collected AFAICT. It only sends one request when you load the extension, so the only analytics it collects is when people have opened Chrome, how many did, and the User-Agent of each of them (i.e. browser version and OS).
@NotWearingPants Thank you so much !!!
Bear in mind however that due to the added permission in the update, the extension could theoretically inspect in-flight requests - this means that even if it couldn't see direct interactions with the pages (log keypresses for instance), it could see the resulting requests being sent to servers, including form data.
See this comment by TheMageKing for more information.