u/Huge-Skirt-6990

▲ 12 r/chrome+1 crossposts

126 Chrome extensions, all secretly the same product, taking 148K users' WhatsApp data and ad cookies

A Brazilian company (wascript.com.br) runs one platform that 126 different Chrome extensions all share. They look like separate products, WaSeller, waTidy, FR VENDAS PRO, ENOCRM, Cliente Flow, and dozens more, but it's one codebase, one backend, one set of hidden behaviors.

WaSeller alone has 100K users.

I found this network using my own tool for detecting malicious browser extensions, which flagged the cluster by shared code and infrastructure across all 126 listings.

None of the listings tell you that:

  • When you log into WhatsApp Web, the extension sends your name, email, device ID, and your Facebook/Google/TikTok tracking cookies to a server run by whoever sold you the extension.
  • Every voice message you send goes through their servers before it reaches the person you're sending it to.
  • The extension downloads and runs JavaScript from a different Brazilian company's server. Google never checks this code.
  • The 100K-user version has a live Google Tag Manager tag built in. The operator can push any new code to every user from a dashboard with no Chrome Web Store update.
  • A bridge inside WhatsApp Web gives the extension full access to your contacts, your messages, and the ability to send messages as you.

No privacy policy on any listing. The manifest only asks for `tabs`, `storage`, `alarms`.

Full list of all 126 extension IDs (check if you have one), tech details, and IOCs: MalExt Sentry - Malicious Browser Extension Tracker

reddit.com
u/Huge-Skirt-6990 — 6 days ago
▲ 27 r/Information_Security+2 crossposts

WaSteal: 126 Chrome extensions, 148K installs, one Brazilian operator silently sending WhatsApp user data and ad cookies to its servers

126 Chrome extensions, all secretly the same product, taking 148K users' WhatsApp data and ad cookies

A Brazilian company (wascript.com.br) runs one platform that 126 different Chrome extensions all share. They look like separate products, WaSeller, waTidy, FR VENDAS PRO, ENOCRM, Cliente Flow, and dozens more, but it's one codebase, one backend, one set of hidden behaviors.

WaSeller alone has 100K users.

I found this network using my own tool for detecting malicious browser extensions, which flagged the cluster by shared code and infrastructure across all 126 listings.

None of the listings tell you that:

* When you log into WhatsApp Web, the extension sends your name, email, device ID, and your Facebook/Google/TikTok tracking cookies to a server run by whoever sold you the extension.

* Every voice message you send goes through their servers before it reaches the person you're sending it to.

* The extension downloads and runs JavaScript from a different Brazilian company's server. Google never checks this code.

* The 100K-user version has a live Google Tag Manager tag built in. The operator can push any new code to every user from a dashboard with no Chrome Web Store update.

* A bridge inside WhatsApp Web gives the extension full access to your contacts, your messages, and the ability to send messages as you.

No privacy policy on any listing. The manifest only asks for `tabs`, `storage`, `alarms`.

Full list of all 126 extension IDs (check if you have one), tech details, and IOCs

malext.io
u/Huge-Skirt-6990 — 6 days ago

u/Huge-Skirt-6990 — 7 days ago
▲ 21 r/hackerworkspace+1 crossposts

u/Huge-Skirt-6990 — 6 days ago
▲ 20 r/pwnhub

u/Huge-Skirt-6990 — 7 days ago
▲ 4 r/pwnhub

Researchers flag malicious extensions all the time. The IOCs end up scattered across blog posts, tweets, and reports. But Google can take an eternity to actually act on them, leaving millions of users exposed while everyone waits.

So I built MalExt Sentry. It checks your installed extensions against a daily updated database of flagged ones, including researcher-flagged extensions Google hasn't acted on yet. Scans run locally, no data leaves your browser, fully open source.

Database: https://malext.io

Store extension: https://chromewebstore.google.com/detail/malext-sentry/bpohikihiogjgmebpnbgnloipjaddibe

GitHub: https://github.com/toborrm9/malicious_extension_sentry

Always open to feedback. If there's a feature you'd like to see or something that could work better, let me know.

reddit.com
u/Huge-Skirt-6990 — 21 days ago
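The two detection steps the posts above describe, grouping listings that share code or backend infrastructure into one cluster and then checking installed extension IDs locally against the flagged set, as an added example that is not MalExt Sentry's code; every extension ID, script hash and hostname below is constructed.

```javascript
// Constructed sample listing metadata (fake IDs, hashes and hosts):
// each entry is one Chrome Web Store listing with a hash of its bundled
// script and the backend hosts it contacts.
const LISTINGS = [
  { id: "ext-a", name: "Listing A", scriptHash: "h1", hosts: ["api.seller.test"] },
  { id: "ext-b", name: "Listing B", scriptHash: "h1", hosts: ["voice.relay.test"] },
  { id: "ext-c", name: "Listing C", scriptHash: "h2", hosts: ["voice.relay.test"] },
  { id: "ext-d", name: "Listing D", scriptHash: "h3", hosts: ["cdn.unrelated.test"] },
  { id: "ext-e", name: "Listing E", scriptHash: "h4", hosts: ["other.unrelated.test"] },
];

// Union-find over listings: two listings join the same cluster when they
// share a script hash or a backend host, so A-B (same code) and B-C (same
// host) chain into one group even though A and C share nothing directly.
function clusterByOverlap(listings) {
  const parent = listings.map((_, i) => i);
  const find = (i) => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  const union = (a, b) => { parent[find(a)] = find(b); };
  const firstSeen = new Map(); // indicator -> index of first listing carrying it
  listings.forEach((l, i) => {
    const indicators = [`code:${l.scriptHash}`, ...l.hosts.map((h) => `host:${h}`)];
    for (const k of indicators) {
      if (firstSeen.has(k)) union(i, firstSeen.get(k));
      else firstSeen.set(k, i);
    }
  });
  const groups = new Map();
  listings.forEach((l, i) => {
    const root = find(i);
    if (!groups.has(root)) groups.set(root, []);
    groups.get(root).push(l.id);
  });
  // Only multi-listing groups are interesting: one product under many names.
  return [...groups.values()].filter((g) => g.length > 1);
}

// Local check, nothing leaves the browser: which installed extension IDs
// fall inside a flagged cluster. Pass the IDs from a chrome.management.getAll()
// result (or any list of IDs) together with the clusters above.
function flagInstalled(installedIds, clusters) {
  const flagged = new Set(clusters.flat());
  return installedIds.filter((id) => flagged.has(id));
}

const clusters = clusterByOverlap(LISTINGS);
console.log(clusters);                                   // [["ext-a","ext-b","ext-c"]]
console.log(flagInstalled(["ext-b", "ext-d", "ext-zz"], clusters)); // ["ext-b"]
```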
▲ 78 r/pwnhub

My automated analysis tool flagged this extension. On the surface, it works perfectly fine as an Instagram downloader. But hidden inside is a highly evasive adware payload that runs silently on every website you visit.

Here is exactly what it does:

  • It tracks your browsing: Every time you navigate to a new page, it checks your destination against a list of shopping and affiliate sites.
  • Secretly stuffing affiliate cookies: If you visit a targeted shopping site, the extension opens a hidden, pinned background tab. It runs through an affiliate redirect chain to plant a referral cookie on your browser, then closes the tab 10 seconds later.
  • The dev gets paid: If you make a purchase, the extension author collects the commission for a sale they had absolutely nothing to do with.
  • Remote Control (C2): The scariest part is that the target list and the adware "killswitch" are controlled by a live remote server. The author can add new target sites or turn the malware on/off at any time to easily evade Chrome Web Store reviewers.

Extension: Instagram Downloader by "ulihissens" | ~3,000 users
Extension URL: Instagram Downloader - Chrome Web Store
Full technical report: https://malext.io/#reports/ecocgofdjmiomgmgnchijbghkikolkkl

If you have this installed, remove it immediately and report it on the Chrome Web Store for malicious behavior.

u/Huge-Skirt-6990 — 23 days ago