Opera blacklisted the version of Tampermonkey that is currently offered on the Chrome Web Store as it is being installed by Windows malware. This prevents the extension from working in the Opera browser.
Opera users who installed Tampermonkey 4.7.54 from the Chrome Web Store found out today that the browser has blacklisted the extension. When they open the browser’s extensions list, they are greeted with a red message stating that the extension was blocked because Opera “identified this extension as malicious and have blacklisted it. This means it can no longer cause any damage to your machine. You can leave it as is, or remove it.”
Commenting on this, Tim Mackey, senior technical evangelist at Synopsys said:
“While in blacklisting a specific version of Tampermonkey, Opera acted out of concern for the security of their end users, this situation highlights the risks present in modern applications. Modern software is a combination of libraries, third party components and third party services – in addition to the custom code created. In this case, it appears Opera identified a specific version of a component, Tampermonkey, which, in addition to being legitimate, was also being distributed with a malicious application. Upon inspecting Tampermonkey, Opera determined that blacklisting it was the most effective way to black the malicious application. The net result being that legitimate Opera users of Tampermonkey were also impacted.
While the Tampermonkey and Opera teams have come to a resolution which removed Tampermonkey from the blacklist, this situation highlights a requirement for all IT organizations and engineering teams to clearly understand their dependencies are. A decision made by a third party could easily have a significant impact on operations, and potentially be an impact which is challenging to securely mitigate. To properly plan for such situations, IT and engineering organizations should implement a policy which identifies any third party libraries, services, components and APIs and then monitors for changes in these dependencies. Only when armed with full visibility can dependency risks be properly mitigated.”