That and they inserted random javascript from a website that can change at any moment, created a shady domain name mascaraing as affiliated with a different analytics to funnel analytics to (and who knows what else but i think passwords and logins were pilfered). they also gave themselves webrequest permissions for no reason which alters the threat profile too.