126 Malicious Chrome Extensions Operating as One Platform Harvested Data From 148K Users, Including WhatsApp Messages and Ad Cookies
A single Brazilian company operating through wascript.com.br has deployed a network of 126 Chrome extensions disguised as separate products—WaSeller, waTidy, FR VENDAS PRO, ENOCRM, Cliente Flow, and dozens more—that secretly share one codebase, one backend, and identical hidden behaviors. The operation affected approximately 148,000 users, with WaSeller alone claiming 100,000 installations. The cluster was identified through code and infrastructure analysis that revealed the extensions were not separate offerings but variants of the same surveillance platform.
The extensions operated under the guise of sales and customer relationship management tools, making their data-harvesting activities invisible to typical users seeking productivity software. However, security researchers discovered that upon logging into WhatsApp Web, the extensions exfiltrated users' names, email addresses, device identifiers, and tracking cookies from Facebook, Google, and TikTok to servers controlled by whoever licensed the extensions. Additionally, every voice message sent through WhatsApp Web was routed through the operators' servers before reaching its intended recipient, creating a persistent man-in-the-middle position on communications.
The operation also included a secondary supply chain element: the extensions downloaded and executed JavaScript from another Brazilian company's infrastructure, expanding the potential attack surface beyond the initial 126 extensions. This architecture suggests the platform was designed as a white-label surveillance product, potentially offered to resellers who could brand and distribute the tools to end users without revealing the underlying data collection mechanisms. The discovery highlights ongoing risks in the Chrome Web Store's vetting process, where coordinated malicious extensions can maintain separate storefronts while operating as a unified exfiltration system.
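For defenders auditing installed extensions, the access pattern described above (a foothold on WhatsApp Web combined with the ability to read Facebook, Google, or TikTok cookies) can be triaged from an extension's manifest. The following is an added example, not code from the researchers or from the extensions themselves. The permission combination it flags is an assumed heuristic rather than a published signature, and `covers`, `triageManifest`, and both sample manifests are constructed for illustration.

```javascript
// Added example: heuristic triage of a parsed manifest.json (an assumption, not a published signature).
const WHATSAPP_WEB = "web.whatsapp.com";
const AD_PLATFORMS = ["facebook.com", "google.com", "tiktok.com"];

// True when a Chrome match pattern can apply to `domain` or one of its subdomains.
function covers(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const host = m[1].toLowerCase();
  if (host === "*") return true;
  const wildcard = host.startsWith("*.");
  const base = wildcard ? host.slice(2) : host;
  if (base === domain || base.endsWith("." + domain)) return true;
  return wildcard && domain.endsWith("." + base);
}

function triageManifest(manifest) {
  const api = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const hosts = [
    ...api.filter((p) => p === "<all_urls>" || p.includes("://")),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];
  const onWhatsApp = [...hosts, ...scripts].some((p) => covers(p, WHATSAPP_WEB));
  if (onWhatsApp) findings.push("whatsapp-web-access");
  const adHosts = AD_PLATFORMS.filter((d) => hosts.some((p) => covers(p, d)));
  if (api.includes("cookies") && adHosts.length > 0) findings.push("ad-cookie-access:" + adHosts.join(","));
  return { name: manifest.name || "(unnamed)", findings, review: findings.length === 2 };
}

// Constructed sample manifests; names and values are made up for illustration.
const SAMPLE_CRM = {
  name: "Example CRM Helper", manifest_version: 3,
  permissions: ["cookies", "storage"],
  host_permissions: ["https://web.whatsapp.com/*", "*://*.facebook.com/*", "*://*.tiktok.com/*"],
};
const SAMPLE_BENIGN = {
  name: "Example Chat Theme", manifest_version: 3,
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://web.whatsapp.com/*"], js: ["theme.js"] }],
};
console.log([SAMPLE_CRM, SAMPLE_BENIGN].map(triageManifest));
```

A `review: true` result only marks an extension for manual inspection; remotely loaded JavaScript of the kind the article describes does not show up in a manifest and needs network or code review to find.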