At first glance the extension is mostly harmless, importing a small "background.js" file and the popular javascript extension "jquery".

Twitter

Original Title: How Perplexity + Claude Replace an Entire Analyst Team on Polymarket
Original Author: @0xwhrrari
Original Translation: Peggy, BlockBeats
Editor's Note: This article introduces a method for identifying and systematically executing arbitrage opportunities on Polymarket: using Perplexity to conduct research and pinpoint discrepancies between data and market pricing; and using Claude to build trading platforms...

Stop betting on gut feeling: AI is making money on Polymarket.

On the morning of April 1st, 2026, FPT University held a ceremony to unveil the statue of Satoshi Nakamoto – the mysterious figure XEM the father of Bitcoin – at its Hoa Lac campus in Hanoi. The event attracted the participation of the university's leadership...

Statue of the "father" of Bitcoin officially unveiled on FPT University campus.

The FIFA World Cup will feature a prediction market platform built on ADI Chain, with the network’s token hitting a new high Friday.

FIFA Inks World Cup Prediction Market Deal With ADI Predictstreet

I thought "looks harmless enough, seems odd that it would be malicious".
The issue: the "jquery" extension here is imported locally, and its checksum doesn't match the one on CDN.
That's because it was tampered with to include code to retrieve all cookies from the user.

Even though the extension was 2 years old, the malicious developer managed to run a successful campaign and net at least 6 figures in funds from Binance, with the victims wondering for months how that could have happened.