Backpack
π Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
A next level crypto wallet for Solana, Ethereum, Monad, Sui, and more.
Security Analysis
Permissions
Code Patterns Detected
External Connections
Package Contents 259 files Β· 47.5MB
βΎ_metadata33KB
verified_contents.json33KB
βΎassets3.9MB
back-icon-mask.png653B
back-icon.png207B
backpack-logo-and-wordmark-vertical@4x.png5KB
backpack-logo.png569B
backpack-logo@4x.png2KB
backpack-recovery-phrase@4x.png845B
backpack-wordmark-eu@4x.png7KB
backpack-wordmark@4x.png5KB
backpack.png998B
bank@4x.png854B
banner-bpsol.png27KB
banner-monad.png13KB
banner-sui.png3KB
banner-wallet-backup-bg.png115KB
banner-wallet-backup-icon.png1KB
bronze@4x.png17KB
candlestick-chart@4x.png671B
challenger@4x.png29KB
clear-icon.png645B
close-icon.png332B
defaultSplash1000.svg2KB
defaultSplash2000.svg2KB
defaultSplash600.svg2KB
diamond@4x.png24KB
explore-active.png376B
explore-active@4x.png995B
explore-inactive.png495B
explore-inactive@4x.png1KB
face-recognition@4x.png3KB
form-error@4x.png341B
gold@4x.png20KB
inter-all-400-normal.woff126KB
inter-all-500-normal.woff136KB
inter-all-600-normal.woff137KB
inter-cyrillic-400-normal.woff26KB
inter-cyrillic-500-normal.woff27KB
inter-cyrillic-600-normal.woff27KB
inter-cyrillic-ext-400-normal.woff29KB
inter-cyrillic-ext-500-normal.woff210KB
inter-cyrillic-ext-600-normal.woff210KB
inter-greek-400-normal.woff28KB
inter-greek-500-normal.woff28KB
inter-greek-600-normal.woff28KB
inter-greek-ext-400-normal.woff25KB
inter-greek-ext-500-normal.woff25KB
inter-greek-ext-600-normal.woff25KB
inter-latin-400-normal.woff216KB
inter-latin-500-normal.woff217KB
inter-latin-600-normal.woff217KB
inter-latin-ext-400-normal.woff220KB
inter-latin-ext-500-normal.woff222KB
inter-latin-ext-600-normal.woff222KB
inter-vietnamese-400-normal.woff24KB
inter-vietnamese-500-normal.woff24KB
inter-vietnamese-600-normal.woff24KB
logo-circle-aptos.png994B
logo-circle-aptos@4x.png3KB
logo-circle-arbitrum.png1KB
logo-circle-arbitrum@4x.png3KB
logo-circle-avalanche.png530B
logo-circle-avalanche@4x.png1KB
logo-circle-base.png1KB
logo-circle-base@4x.png6KB
logo-circle-berachain.png629B
logo-circle-berachain@4x.png2KB
logo-circle-bitcoin.png599B
logo-circle-bitcoin@4x.png2KB
logo-circle-bsc.png652B
logo-circle-bsc@4x.png2KB
logo-circle-cosmos.png964B
logo-circle-cosmos@4x.png3KB
logo-circle-eclipse-testnet.png776B
logo-circle-eclipse-testnet@4x.png2KB
logo-circle-eclipse.png328B
logo-circle-eclipse@4x.png800B
logo-circle-ethereum-sepolia.png979B
logo-circle-ethereum-sepolia@4x.png3KB
logo-circle-ethereum.png941B
logo-circle-ethereum@4x.png3KB
logo-circle-fogo.png899B
logo-circle-fogo@4x.png3KB
logo-circle-gorbagana-testnet.png2KB
logo-circle-gorbagana-testnet@4x.png18KB
logo-circle-hyperevm.png934B
logo-circle-hyperevm@4x.png3KB
logo-circle-monad-testnet.png816B
logo-circle-monad-testnet@4x.png2KB
logo-circle-monad.png507B
logo-circle-monad@4x.png1KB
logo-circle-optimism.png475B
logo-circle-optimism@4x.png1KB
logo-circle-plasma.png1KB
logo-circle-plasma@4x.png5KB
logo-circle-polygon.png579B
logo-circle-polygon@4x.png2KB
logo-circle-sei.png1KB
logo-circle-sei@4x.png4KB
logo-circle-solana-devnet.png677B
logo-circle-solana-devnet@4x.png2KB
logo-circle-solana.png953B
logo-circle-solana@4x.png5KB
logo-circle-sonic-devnet.png928B
logo-circle-sonic-devnet@4x.png3KB
logo-circle-sonic.png2KB
logo-circle-sonic@4x.png10KB
logo-circle-sui-testnet.png562B
logo-circle-sui-testnet@4x.png1KB
logo-circle-sui.png505B
logo-circle-sui@4x.png1KB
logo-circle-tron-testnet.png1KB
logo-circle-tron-testnet@4x.png3KB
logo-circle-tron.png1KB
logo-circle-tron@4x.png3KB
logo-discord-icon@4x.png956B
logo-xnft-icon@4x.png845B
mad-lads-logo@4x.png3KB
notifications_none@4x.png763B
other-recovery-phrase@4x.png818B
platinum@4x.png24KB
portfolio-active.png384B
portfolio-active@4x.png950B
refer-logo@4x.png874B
rocket-launch@4x.png2KB
search-icon.png928B
secret-key@4x.png620B
sgqr@4x.png4KB
share-bg-backpack-girl@4x.png528KB
share-bg-backpack-japan@4x.png522KB
share-position-bg-doge@4x.png238KB
share-position-bg-empty@4x.png145KB
share-position-bg-jupiter@4x.png313KB
share-position-bg-mad-lads-1@4x.png348KB
share-position-bg-mad-lads-2@4x.png341KB
share-position-bg-paris@4x.png345KB
share-position-bg-pepe@4x.png123KB
silver@4x.png19KB
simulator.png1KB
solana-pay@4x.png12KB
unranked@4x.png11KB
user-lock@4x.png1KB
wallet@4x.png913B
βΎvendor2KB
trezor-content-script.js306B
trezor-usb-permissions.js1KB
1221.js1.1MBlarge
1221.js.LICENSE.txt1KB
1371.js8KB
1683.js149KBlarge
1770.js7KB
1924.js38KB
2073.js147KBlarge
2073.js.LICENSE.txt470B
2210.js10KB
2280.js22KB
2282.js439KBlarge
2282.js.LICENSE.txt69B
2726.js14KB
3123.js76KBlarge
3175.js208KBlarge
3334.js22KB
3646.js103KBlarge
3748.js79KBlarge
3803.js182KBlarge
3842.js21KB
3886.js149KBlarge
4322.js236KBlarge
4510.js510KBlarge
4614.js18KB
4652.js171KBlarge
4861.js85KBlarge
5315.js193KBlarge
537.js288KBlarge
5529.js524KBlarge
558.js45KB
574.js34KB
5846.js2.8MBlarge
5846.js.LICENSE.txt7KB
6054.js136KBlarge
6096.js188KBlarge
6145.js709KBlarge
6145.js.LICENSE.txt856B
6475.js103KBlarge
656.js18KB
6630.js34KB
7028.js84KBlarge
7028.js.LICENSE.txt222B
7282.js13KB
7452.js6KB
7462.js3KB
7474.js3KB
7616.js208KBlarge
8419.js24KB
8565.js171KBlarge
8589.js28KB
8596.js973KBlarge
8596.js.LICENSE.txt518B
8746.js128KBlarge
9243.js25KB
9246.js29KB
9463.js35KB
9463.js.LICENSE.txt267B
9653.js16KB
970.js34KB
9825.js30KB
9941.js27KB
anchor-development.png582B
anchor-production.png576B
anchor.png576B
background.js3.6MBlarge
background.js.LICENSE.txt856B
contentScript-early-evm.js636B
contentScript-early-solana.js1KB
contentScript.js13KB
injected.js7MBlarge
inpage-evm-early.js4KB
inpage-solana-early.js3KB
manifest.json2KB
onboarding.html675B
onboarding.js6.2MBlarge
onboarding.js.LICENSE.txt12KB
options.html3KB
options.js922KBlarge
options.js.LICENSE.txt1KB
permissions.html354B
permissions.js452KBlarge
permissions.js.LICENSE.txt1KB
popout.html728B
popup.html741B
popup.js187KBlarge
popup.js.LICENSE.txt962B
quickStart.js1KB
sidePanel.html719B
sidePanel.js140B
trezor-usb-permissions.html556B
vendor-aftermath.js324KBlarge
vendor-apollo.js161KBlarge
vendor-cardinal.js223KBlarge
vendor-cardinal.js.LICENSE.txt225B
vendor-ethereumjs.js125KBlarge
vendor-ethers.js470KBlarge
vendor-ethers.js.LICENSE.txt143B
vendor-hardware.js8.6MBlarge
vendor-lightprotocol.js237KBlarge
vendor-lightprotocol.js.LICENSE.txt157B
vendor-mayan.js235KBlarge
vendor-metaplex.js909KBlarge
vendor-metaplex.js.LICENSE.txt225B
vendor-noble.js305KBlarge
vendor-noble.js.LICENSE.txt143B
vendor-serum.js96KBlarge
vendor-serum.js.LICENSE.txt808B
vendor-solana.js391KBlarge
vendor-solana.js.LICENSE.txt4KB
vendor-sui.js469KBlarge
vendor-sui.js.LICENSE.txt160B
vendor-tronweb.js538KBlarge
vendor-tronweb.js.LICENSE.txt143B
vendor-wormhole.js1.6MBlarge
vendor-wormhole.js.LICENSE.txt69B
What This Extension Does
The Backpack extension appears to be a cryptocurrency wallet, allowing users to manage multiple blockchain assets such as Solana, Ethereum, Monad, Sui, and others.Permissions Explained
- storage: Allows the extension to store data locally on the user's device.
- unlimitedStorage: Grants the extension permission to use an unlimited amount of storage space on the user's device. This is unusual for a typical extension and may indicate that the extension requires significant storage capacity.
- background: Enables the extension to run in the background, allowing it to perform tasks without being actively used by the user.
- sidePanel: Allows the extension to display a panel or sidebar within the browser.
- declarativeNetRequest: Grants the extension permission to modify network requests made by the browser. This is unusual for a typical wallet extension and may indicate that the extension is intercepting or modifying web traffic in some way.
- https://twitter.com/*, https://x.com/*, https://connect.trezor.io/*: These permissions allow the extension to access specific websites or APIs directly from within the browser. This is unusual for a typical wallet extension and may indicate that the extension requires direct access to these services.
What We Found in the Code
- [high] eval() used β can execute arbitrary code: The use of
eval()is generally considered a security risk, as it allows execution of arbitrary code. However, without more context, it's difficult to determine if this is being used maliciously or for legitimate purposes. - [medium] innerHTML assignment β potential XSS vector: Assigning
innerHTMLcan be a potential cross-site scripting (XSS) vulnerability if untrusted data is being inserted into the DOM. However, in many cases,innerHTMLis used for UI rendering and may not pose an actual risk. - [info] Makes HTTP requests: The extension makes HTTP requests to various domains, which is a normal behavior for any web application or extension that interacts with external services.
- [high] Listens to keyboard events: Listening to keyboard events can be used for legitimate purposes such as implementing shortcuts. However, without more context, it's difficult to determine if this is being used maliciously.
External Connections
The extension communicates with the following domains:backpack-shared-assets.s3.us-east-1.amazonaws.com: This domain appears to be a storage bucket for shared assets related to the extension.www.w3.org,eips.ethereum.org, andeu.support.backpack.exchangeare likely used for documentation, API access, or support purposes.github.commay indicate that the extension uses GitHub APIs or services.- Other domains (
t.me,blockaid.xnftdata.com,0x.xnfts.dev, etc.) appear to be related to cryptocurrency or blockchain services.
Things to Consider
Given the extension's purpose as a cryptocurrency wallet, it is expected to interact with various blockchain services and APIs. However, some permissions (e.g.,declarativeNetRequest) seem broader than necessary for this type of functionality. The use of eval() and listening to keyboard events may be concerning, but without more context, it's difficult to determine if these are being used maliciously or for legitimate purposes. Users should carefully review the extension's permissions and behavior before installing or using it.Similar Extensions
More in extensions β
Grammarly for Chrome helps you write with confidence. Get AI support for grammar, clarity, and tone, from first draft toβ¦
The world's most trusted crypto wallet
LastPass is an award-winning password manager for secure credential management on any device.
A crypto wallet reimagined for DeFi & NFTs