BuyNow Driver Initialized!!!!!! Console logs (Tauri/.NET/WebView2) (github.com/tauri-apps)
9 points by dev_confused on May 20, 2024 | 12 comments


Doing some analysis, this appears to be an injected bit of script attempting to automatically subscribe users to some sort of publisher of msn.com articles, as the tag type "social-lead-gen-in-article" is used for the publisher subscription box at the bottom of MSN articles, and it then attempts to find the "Subscribe Now" button and track clicks on it and add handlers to automatically perform whatever merchant actions.

My takeaway at present is to avoid Edge and especially avoid Edge on MSN articles until such time as M$ drops some information on this.


For the record, if anyone is trying to investigate further, the only publisher I've found that has anything matching this going on (thus far) is Newsweek. Ex: https://www.msn.com/en-us/news/world/north-korea-reacts-to-n...

At the bottom of the article, the little Sign Up box is a "social-lead-gen-in-article" element.

Still haven't seen anything else about this. It's a bit of a pain tbh; even if this has a very narrow attack surface, it's tying up multiple people in multiple places trying to make sense of it. C'mon Microsoft.


So did a bit more digging, searching for instances of "BuyNow" in various stuff loaded, and I have some suspicion now this is being done by some service worker adjacent to MSN and Bing. I flushed the service workers related to these sites and then loaded one up again; I no longer get the console messages, but I do still get debugger:///VM* objects with a bunch of BuyNow and message posting that looks like a more robust version of the script from the initial GitHub posting...

Maybe Microsoft just silently dropped something out there. This is pointing more towards KomoD's suggestion this was something that escaped M$, but still makes me uneasy. Posting the code I found to the GitHub thread.
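
Added example, not part of the thread and not code from Microsoft or Tauri: helpers for the kind of triage described in the comment above, covering marker-named globals, service worker registrations on watched hosts, and console messages with their call stacks. The marker strings are the ones quoted in the thread; the host list and all function names are assumptions.

```javascript
// Added example: triage helpers for the symptoms described in this thread.
// MARKERS come from the thread; WATCHED_HOSTS and all function names are assumptions.
const MARKERS = ['BuyNow', 'MsnDriver'];
const WATCHED_HOSTS = ['msn.com', 'bing.com'];

// Global names on `win` that contain a marker (e.g. window.BuyNowRuntime).
function findMarkedGlobals(win, markers = MARKERS) {
  return Object.getOwnPropertyNames(win)
    .filter((name) => markers.some((m) => name.includes(m)))
    .sort();
}

// True when `url` parses and its hostname is `host` or a subdomain of it.
function onHost(url, host) {
  try {
    const h = new URL(url).hostname;
    return h === host || h.endsWith('.' + host);
  } catch {
    return false; // unparsable URL: treat as no match
  }
}

// Registrations (shape of ServiceWorkerRegistration) scoped to or served from a watched host.
function findWatchedWorkers(registrations, hosts = WATCHED_HOSTS) {
  return registrations
    .filter((r) => {
      const sw = r.active || r.waiting || r.installing;
      const urls = [r.scope, sw && sw.scriptURL].filter(Boolean);
      return urls.some((u) => hosts.some((h) => onHost(u, h)));
    })
    .map((r) => r.scope);
}

// Wrap console.log so any message containing a marker is recorded with its call stack.
function hookConsole(con, markers = MARKERS) {
  const hits = [];
  const original = con.log;
  con.log = function (...args) {
    const text = args.map(String).join(' ');
    if (markers.some((m) => text.includes(m))) {
      hits.push({ text, stack: new Error().stack });
    }
    return original.apply(this, args);
  };
  return { hits, restore: () => { con.log = original; } };
}

// In a WebView2/Edge DevTools console:
//   findMarkedGlobals(window)
//   navigator.serviceWorker.getRegistrations().then((r) => findWatchedWorkers(r))
```

The console hook only sees messages logged after it is installed, so it has to run before the script that prints them.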


Legend... thanks for looking into this, I am now less paranoid :)


I recently made an app with Tauri and all of a sudden (same app last week did not have this), I am getting strange console log messages:

BuyNow driver Initialized!!!!! & MsnDriver Starts

The source code of the file that's creating these console logs is posted in the GitHub link.

To my non-experienced eyes, it seems like some sort of (malicious?) injection, spawning from debugger:///VM11 that is nowhere in my code.

Others are seeing the same thing.

Any Ideas/Help/Guidance?


I absolutely have no idea what I'm talking about. But this line jumped out at me:

  window.BuyNowRuntime.postMessageToHost('StartBuyNow')

So you're trying to do things with BuyNow, and so a BuyNow thing is starting. So, are you just getting further than you were last week?

Alternately, did BuyNow change how their stuff worked since last week?


That's the thing, I have no idea what BuyNow is. I searched all throughout my code and it does not exist. On the GitHub you can see other developers with completely different projects seeing the same exact logs, as if something has been injected.

My code from today was the exact same as it was last week. So it seems like some package or dependency has been compromised perhaps?

Edit: And when I tried to search for it, I could not find a single post anywhere on the web about it.


There was a "Buy Now Pay Later" feature thing that Edge was pushing at the tail end of 2021 that was available in developer channels which might be related.


Ah, I see. So you did not write the file you posted.


I had this issue and I found the code was adding too many items to the page (36000) key values to a dropdown, then the Microsoft script was going through every item on the page and looking for a keyword. I limited the key values to 200 on the drop down and it started working after that.


Just some weirdness going on at Microsoft, this clearly originates from Edge.

Someone probably pushed dev/debug code to prod by accident.


Same when running Flutter in Edge debug mode.



