henever a permission request to retrieve JSON was received by an update server from an external source. When injected the malicious script creates a WebSocket tunnel using the change-request.info and then the extension uses it to proxy browsing traffic through the browser installed on the targeted machine