50 Chrome extensions. One codebase. One backend. One API key.
A cluster of 50 Chrome extensions, all sharing the same codebase, backend infrastructure, Firebase project, and a hardcoded API key, has been identified. These extensions, collectively installed around 15,500 times, form a white-label WhatsApp CRM platform. The platform replaces WhatsApp Web's Content Security Policy (CSP), maintains persistent communication via Server-Sent Events (SSE) and Firebase Cloud Messaging, and includes voice transcription and backend backup APIs. Multiple privacy policies exist with inconsistent descriptions of the platform and omit several backend communication mechanisms. This raises privacy and security concerns due to centralized control and potential misuse of user data.
AI Analysis
Technical Summary
The threat involves a network of 50 Chrome extensions distributed via the Chrome Web Store, all operating from a single codebase and backend infrastructure, including a shared Firebase project and a hardcoded API key. This setup enables persistent communication channels and advanced features such as voice transcription and operator-configurable webhooks. The extensions replace WhatsApp Web's CSP, potentially allowing them to bypass standard security restrictions. The presence of multiple, inconsistent privacy policies that fail to disclose all backend communications suggests a lack of transparency and potential privacy violations. The centralized backend and shared API key create a single point of failure or compromise affecting all extensions in the cluster.
Potential Impact
Users of any of the 50 extensions are potentially exposed to privacy risks due to centralized data collection and backend control. The replacement of WhatsApp Web's CSP and persistent communication channels could allow the extensions to intercept or manipulate user interactions with WhatsApp Web. The inconsistent privacy policies indicate that users may not be fully informed about data collection or backend activities. The shared hardcoded API key and backend infrastructure mean that compromise of one component could impact all extensions, amplifying the risk. However, no known exploits in the wild have been reported at this time.
Mitigation Recommendations
No official fix or patch has been published, and patch status is not yet confirmed; check the original report at https://malext.io/reports/WhatsCluster/ for current remediation guidance. Users should consider uninstalling these extensions due to the privacy and security concerns identified. Chrome Web Store administrators and security teams should review and potentially remove or block these extensions. Developers and security teams should monitor for updates or official fixes from the extension maintainers or platform providers.
Reddit Discussion
I reverse engineered a white-label WhatsApp CRM platform distributed across 50 Chrome Web Store extensions (~15,500 installs at the time of analysis).
Every analyzed extension shares the same codebase, backend infrastructure, Firebase project, and hardcoded API key.
Highlights:
- Replaces WhatsApp Web's CSP
- Persistent communication via SSE and Firebase Cloud Messaging
- Voice transcription functionality
- Backend backup APIs
- Operator-configurable webhooks
I also identified multiple privacy policies describing the same platform differently, with several backend communication mechanisms not discussed in the reviewed policies.
Full report, IOCs, and the complete 50-extension cluster:
https://malext.io/reports/WhatsCluster/
Related: WaSteal, my previous research on a different WhatsApp extension ecosystem.
Technical Details
Source Type
- Subreddit: netsec
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a40700227e9c79719c81326
Added to database: 06/28/2026, 00:51:14 UTC
Last enriched: 06/28/2026, 00:51:19 UTC
Last updated: 06/28/2026, 01:51:09 UTC