Back to articles

Dark mode extensions review: is Dark Reader safe, and which clones to avoid

Is Dark Reader safe? It reads every site you visit — and so do its clones. My security review of Dark Reader, plus the dark mode copies you should avoid.

Maxim Kosterin
10 min read
Minimalist web pages in charcoal hairline with a soft orange watercolor wash darkening from left to right — one effect applied to every site.
Minimalist web pages in charcoal hairline with a soft orange watercolor wash darkening from left to right — one effect applied to every site.

You install a dark mode extension for the most innocent reason on earth: your eyes hurt at 1am and half the internet is still blinding white. Then you glance at the permission prompt and it says the thing reads and changes your data on every website you visit. Wait, what?

So is Dark Reader safe? That prompt isn't a bug, and Dark Reader — the extension almost everyone reaches for — really does need it. But the exact same permission is what a hijacked dark mode clone uses to quietly scrape everything you type. Let me break down the real answer, why the permission is unavoidable, and which no-name copies you should stay far away from.

Quick verdict

  • Dark Reader itself: safe as of mid-2026. Open source, community-audited, no documented malicious behavior — but it does read and restyle every page, so trust matters.
  • The permission is real and unavoidable. Any extension that darkens every site has to read and rewrite the CSS on every site. There's no "lite" version of that access.
  • The danger is the clones. "Dark mode" is one of the most impersonated categories, and at least one popular dark mode extension was hijacked and pushed malicious updates in a 2024 campaign that hit millions.
  • Install from the source, check the report. Grab Dark Reader from its official listing, not a lookalike, and scan whatever you already have before you trust it.

What dark mode extensions actually do

A dark mode extension doesn't just flip a switch. It reads the page's existing styles — background colors, text colors, images, borders — and rewrites them on the fly so a white page becomes dark without turning your text unreadable. Dark Reader does this by injecting CSS and, in its more advanced modes, analyzing the rendered colors of each element.

To pull that off on any website, it needs to see and modify any website. That's where the scary prompt comes from. On Chrome it shows up as "read and change all your data on all websites" — the <all_urls> host permission. I wrote a full breakdown of what that permission really grants in my earlier piece on the all-URLs host permission, and dark mode is close to the textbook case for legitimately needing it.

Dark Reader also asks for a couple of extras: access to your browsing history (to remember which sites you toggled dark) and permission to modify what you copy (to strip out styling junk when you copy text off a darkened page). Both are explainable. But "explainable" and "harmless" aren't the same thing, which is the whole point of this review.

Security analysis: the permission you can't avoid

Here's the uncomfortable truth. The permission that makes dark mode work is also the single most valuable permission an attacker can get. Read-and-change on every site means an extension can, in principle, watch what you type into your bank, read your email in the DOM, or inject scripts on any page.

For a trustworthy, open-source project like Dark Reader, that access sits idle — the code only does color math. The problem is that you can't tell the difference from the permission prompt alone.

A malicious dark mode clone requests the exact same access, and Chrome shows you the exact same warning. The permission screen can't distinguish "inverts your colors" from "reads your passwords."

That's why, for this category specifically, I don't judge on permissions at all — every real dark mode tool needs the same broad access. I judge on trust signals: is the code open source, who controls the developer account, how recently was it updated, and has ownership changed hands? Those are exactly the things a security scanner surfaces and a permission prompt hides.

The clones are where it goes wrong

Dark mode is a magnet for impersonators, and the pattern that worries me most isn't a fake from day one — it's a legitimate extension that goes bad later.

In a supply-chain campaign that came to light around December 2024, attackers phished extension developers and pushed malicious updates to their already-trusted extensions. According to GitLab's threat intelligence team, the affected set included around 16 extensions with roughly 3.2 million combined users, and one of the compromised tools was a dark mode extension, "Super Dark Mode."

The malicious updates were reported to harvest browsing data and commit ad and search fraud, and the extensions were later pulled from the Chrome Web Store. Independent coverage from Tom's Guide corroborated the scale.

The mechanics are the scary bit. Because a dark mode extension already holds all-URLs access, the malicious update didn't need to request anything new — no fresh scary prompt, no re-consent. The keys were already in the lock.

It's the same "trusted extension changes hands, then changes behavior" story I covered in my write-up on ownership-transfer supply-chain attacks.

And it keeps recurring. Security firm eSentire's 2025 advisory on the "RedDirection" campaign described a batch of cross-platform extensions spanning categories like emoji keyboards, volume boosters, and — yes — dark mode themes, all reportedly capable of hijacking browser sessions. Reports like these are worth treating as a pattern signal rather than a single verdict, but the pattern is clear enough: "dark mode" is a favorite disguise.

Privacy score breakdown: what to actually check

Since permissions won't tell you much here, this is what I look at (and what Extenshi's scan flags) before trusting any dark mode extension:

  • Is it open source? Dark Reader's code is on GitHub and gets community eyes. A closed-source clone with the same access is a bigger leap of faith.
  • What extra permissions does it hold? Color inversion needs host access and maybe history. If a "dark mode" tool also wants webRequest, tabs, or remote scripting, ask why.
  • When was it last updated, and by whom? Long-abandoned extensions are a takeover risk — more on that in my note on abandoned extensions. A recent ownership change is a yellow flag.
  • Does the listing match the real project? Fakes copy the name, icon, and screenshots. The real Dark Reader team even publishes warnings about lookalike copies.

You don't have to eyeball all of that manually. Pull up the extension in the Extenshi catalog and the security report lays out the permission scope, update history, and risk signals in one place instead of hidden behind a one-line install prompt.

Alternatives worth knowing

If Dark Reader isn't your thing, a few reputable options exist — but notice that every one of them needs the same broad page access, so the choice is about trust and features, not about avoiding permissions.

  • Night Eye — a freemium option that uses adaptive theming instead of blunt color inversion, which some people find easier on complex sites. It's closed source, so you're trusting the vendor rather than public code review.
  • Midnight Lizard — open source and aimed at people who want to hand-tune colors, contrast, and per-site schemes. More knobs than Dark Reader, similar access model.
  • Turn Off the Lights — really a different tool: it dims everything around a video rather than darkening whole pages. Good for streaming, not a full dark mode replacement.

My honest take: for most people Dark Reader is still the one to beat, precisely because it's open and heavily scrutinized. The alternatives are legitimate, but "legitimate and closed source" always carries a bit more risk than "legitimate and auditable."

Final recommendation

Dark Reader is safe to use as of this writing, and the permission that scares people is genuinely required for what it does. I run it myself. The risk in this category isn't the well-known extension — it's the interchangeable clones, one bad update, and the fact that dark mode's broad access makes a compromise invisible after the fact.

So: install Dark Reader (or any dark mode tool) only from its official listing, skip the no-name copies chasing the same keyword, and remember that "already has all-URLs access" is exactly why a hijack of one of these is so quiet. Before you trust the dark mode extension sitting in your browser right now, run it — and everything next to it — through a real check.

See the full security report → Scan your extensions on Extenshi

Is Dark Reader safe? Frequently asked questions

Is Dark Reader safe to use? As of mid-2026, yes. It's open source, the code gets community eyes, and there's no documented malicious behavior. The catch is that it reads and restyles every page you visit — so "safe" here rests on trust in the project, not on a limited permission.

Is Dark Reader safe for work? The code itself doesn't exfiltrate anything, but because it has read-and-change access to every site, some corporate security teams block broad-permission extensions on managed machines regardless of the developer. If you're on a work device, check your organization's extension policy before installing.

Is Dark Reader safe on Firefox? Same answer as Chrome. It's the same open-source project shipping to both stores, and the permission model is equivalent — it needs to read and rewrite page styles on every site either way. Install it from the official Firefox Add-ons listing, not a mirror.

Does Dark Reader have known security issues? No confirmed compromise of the real extension that I'm aware of. The security issues in this category come from the clones and hijacked copies — like the "Super Dark Mode" takeover — not from Dark Reader itself. That's exactly why I judge these tools on trust signals instead of the permission prompt.

Is Dark Reader free? Yes — the real Dark Reader is free and open source across Chrome, Firefox, and Edge, funded by donations and an optional paid tier on some platforms. The core dark-mode engine costs nothing. If you find a "Dark Reader" charging up front to unlock basic dark mode, treat that as a clone-shaped red flag, not the real project.

How does Dark Reader work? It doesn't ship one fixed dark theme. It reads each page's existing styles — colors, backgrounds, images, borders — and recomputes them live so a bright page renders dark without wrecking the contrast or hiding your text. That on-the-fly analysis is exactly why it needs to see every page you visit, which is the whole permission story above.

Sources

  • Dark Reader — official source code, GitHub: github.com/darkreader/darkreader
  • Dark Reader — official project site: darkreader.org
  • "3.2 million Chrome users at risk from malicious extensions — delete them right now", Tom's Guide, 2024
  • GitLab Threat Intelligence — technical note on the phished-developer browser-extension campaign (~16 extensions, ~3.2M combined users; incl. "Super Dark Mode"), 2024
  • eSentire — Threat Response Unit advisory on the "RedDirection" cross-platform extension campaign, 2025

This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles