| Format | Name | Description |
|---|---|---|
| MISP | Event JSON | Full event with extension attributes for MISP import. |
| MISP | Warning List | Flag Extension IDs in MISP events automatically. |
| STIX 2.1 | STIX Bundle | Complete SDO bundle for TAXII / OpenCTI. |
| CSV | OpenCTI Indicators | Flat indicator list with confidence scores for OpenCTI. |
| Splunk | Lookup Table | CSV lookup for SPL queries and registry monitoring. |
| JSON | Generic Feed | Raw JSON array for custom scripts and integrations. |
Real-time tracking of malicious browser extensions from multiple threat intelligence sources.
MalExt Sentry aggregates malicious and policy-violating browser extensions from security researchers, SOC teams, and community reports. Each extension is tracked with its detection reason, source, and blocklist status to help analysts identify threats across users and organizations.
The database pulls from:
Updates occur continuously as new threats are identified and verified. Each entry includes the extension ID, threat category (malware, bundling, scareware, etc.), source origin, and reporting date.
Machine-readable exports are available in 6 formats for integration with security tools:
All feeds update automatically with each database commit.
Analyze .crx, .zip, and manifest.json files directly. Extract extension metadata (name, version, manifest version), identify embedded scripts, and highlight potential risk indicators. Download all extracted files as a ZIP archive for further inspection.
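The kind of inspection described above can be sketched in a few lines. This is an added example, not MalExt Sentry's own parser: it locates the ZIP payload inside a CRX2/CRX3 container, reads `manifest.json`, lists embedded scripts, and flags permissions from an assumed, illustrative `RISKY` set. It does not verify the CRX signature, and the sample file is constructed inline.

```python
import io, json, struct, zipfile

# Assumed, illustrative review list; not the project's own risk indicators.
RISKY = {"<all_urls>", "cookies", "webRequest", "debugger", "nativeMessaging", "tabs", "history"}

def zip_offset(data: bytes) -> int:
    """Return the offset of the ZIP payload; 0 for a plain .zip upload."""
    if data[:4] != b"Cr24":
        return 0
    if len(data) < 16:
        raise ValueError("truncated CRX header")
    version, = struct.unpack_from("<I", data, 4)
    if version == 3:  # magic, version, header_size, header, zip
        header_size, = struct.unpack_from("<I", data, 8)
        return 12 + header_size
    if version == 2:  # magic, version, key_len, sig_len, key, sig, zip
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    raise ValueError(f"unsupported CRX version {version}")

def inspect_extension(data: bytes) -> dict:
    """Extract metadata, embedded scripts and flagged permissions."""
    off = zip_offset(data)
    if off > len(data):
        raise ValueError("CRX header length exceeds file size")
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
        scripts = sorted(n for n in zf.namelist() if n.endswith((".js", ".mjs")))
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in (manifest.get(key) or []) if isinstance(p, str))
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "manifest_version": manifest.get("manifest_version"),
            "scripts": scripts, "flags": sorted(perms & RISKY)}

def build_sample_crx3() -> bytes:
    """Constructed sample: CRX3 framing around a two-file ZIP."""
    manifest = {"name": "Sample", "version": "1.0", "manifest_version": 3,
                "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "// constructed placeholder\n")
    header = b"\x00" * 8  # placeholder bytes standing in for the signed header
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

Calling `inspect_extension(build_sample_crx3())` returns the manifest fields, `["background.js"]` as the script list, and the two flagged permissions.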
Entries are not automatically generated. Each threat is sourced from verified security researchers or official policy violation reports. The database prioritizes accuracy over speed, because false positives harm analyst credibility. All entries include context: why the extension was flagged, by whom, and when.
Maintained as open source on GitHub. The database, feeds, and extension parser are community-driven security tools for analysts, researchers, and detection engineers.