MalExt Sentry ← Report Library
2026-06-27 chrome-extension whatsapp crm white-label csp-modification voice-transcription firebase sse react-fiber reverse-engineering

2026-06-27 data-collection voice-transmission csp-modification whatsapp white-label

CRMware: 50-Extension WhatsApp CRM Platform (coderlicences[.]com)

Extension list: https://malext.io/?q=WhatsCluster

Platform Indicators

| Field | Value |
|---|---|
| Platform | coderlicences[.]com (Brazil), internal name "wadi" |
| Network size | 50 Chrome extensions |
| Total installs | ~15,579 |
| Version analyzed | 2.10.0 |
| Shared EXTENSION_API_KEY | sSpKEML64a2X855FkIpGAdv4VLM72kgjgR0DyT9zGqK7Om6FPPGi2VsAaRCqx9Gw |
| Backend API | hxxps://api[.]coderlicences[.]com/api/v1 |
| Event channel | hxxps://api[.]coderlicences[.]com/api/v1/license/auth/events |
| Operator portal | hxxps://app[.]coderlicences[.]com |
| Voice transcription endpoint | hxxps://api[.]coderlicences[.]com/api/v1/transcription/transcribe |
| Firebase project | coderlicenses-13ee8 |
| Firebase API key | AIzaSyBGnWyP3jje9KDVf_pj0igWYYh5cu3mg3E |
| Firebase sender ID | 448382602126 |
| Firebase app ID | 1:448382602126:web:58616d5d9531a495b8b2df |
| FCM VAPID key | BNmJuixrQBYMK_djWLPVDP1yaZJfw1GhQKygf-Yj5sHsFnoJwDjwjzRCnlAfoksjnWmNbgo3Tb_A5iMEWhwkpBo |
| Runtime marker | window.__CL__ACTIVE__ = true |
| Cookie pattern | auth-wl-<WHITELABEL_KEY> on app[.]coderlicences[.]com |

coderlicences[.]com operates a white-label platform (internal name "wadi") distributed across 50 Chrome extensions that present themselves as independent WhatsApp CRM tools for Portuguese-speaking markets. Every analyzed extension in the network shares a single codebase, a single backend infrastructure, and a single shared API credential. Each customer receives a branded extension tied to their account on the operator portal. The shared behavior across all instances includes modifying WhatsApp Web's Content Security Policy via declarativeNetRequest, transmitting voice message audio to vendor servers, maintaining persistent communication channels via SSE and Firebase Cloud Messaging, and accessing WhatsApp's internal React state directly. None of these behaviors are described in the Chrome Web Store listings or user-facing documentation of any analyzed variant.

Methodology

Findings are based on static analysis of extension bundles obtained from the Chrome Web Store and publicly available Chrome Web Store metadata. The 50-extension network was surfaced using internal tooling that clusters listings by shared code fingerprints, backend infrastructure, and behavioral signatures. Analyzed variants were individually verified to share EXTENSION_API_KEY sSpKEML64a2X855FkIpGAdv4VLM72kgjgR0DyT9zGqK7Om6FPPGi2VsAaRCqx9Gw, the coderlicences[.]com backend endpoints, and the Firebase project coderlicenses-13ee8.

No authenticated requests were made to coderlicences[.]com infrastructure. All findings are reproducible from the published bundles.

Bundle structure

Each extension ships five components:

  1. global.js — sets window.__CL__ACTIVE__ = true as a page-context presence flag
  2. contentScript.js — injects scripts into WhatsApp Web; relays plugin-typed postMessage calls to the background worker via chrome.runtime.sendMessage
  3. background.js (~1.4 MB) — API client, Firebase/FCM setup, audio recording pipeline with bundled LAME MP3 encoder, 80+ RPC methods
  4. app.js (~3.1 MB) — CRM UI; integrates with WhatsApp Web through React Fiber internals
  5. rules.json — modifies WhatsApp Web's Content Security Policy via Declarative Net Request

Advertised functionality

The extensions present as WhatsApp Web CRM tools: contact tagging, quick replies, scheduled messages, multi-account support, and sales pipeline management. The manifest declares storage, unlimitedStorage, tabs, cookies, notifications, and declarativeNetRequest. The cookies and declarativeNetRequest permissions are not explained to users in any analyzed listing.

Undisclosed behavior: Content Security Policy modification

Every extension replaces WhatsApp Web's Content Security Policy on every page load:


{
  "action": {
    "type": "modifyHeaders",
    "responseHeaders": [{
      "header": "Content-Security-Policy",
      "operation": "set",
      "value": "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
    }]
  },
  "condition": {
    "urlFilter": "https://web.whatsapp.com/*",
    "resourceTypes": ["main_frame"]
  }
}

The replacement policy allows all sources, inline script, and eval.
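
As an added example (not code from the report or from the extensions), this Python audit shows how a reviewer could flag such a rule in an unpacked extension's rules.json. The sample wraps the rule above in an array with assumed id and priority values plus one constructed benign rule; the function names are this example's own.

```python
import json

# Constructed sample: the rule shown above in the array form rules.json uses
# ("id" and "priority" values are assumed), plus one constructed benign rule.
SAMPLE_RULES = json.dumps([
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders", "responseHeaders": [{
         "header": "Content-Security-Policy", "operation": "set",
         "value": "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"}]},
     "condition": {"urlFilter": "https://web.whatsapp.com/*",
                   "resourceTypes": ["main_frame"]}},
    {"id": 2, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example^", "resourceTypes": ["script"]}},
])

RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first directive wins
    return policy

def audit_dnr_rules(rules_json):
    """Return a finding for each rule that replaces or strips a page's CSP."""
    findings = []
    for rule in json.loads(rules_json):
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            op = hdr.get("operation")
            # "append" adds a second policy, which can only tighten, so skip it.
            if hdr.get("header", "").lower() != "content-security-policy" \
                    or op not in ("set", "remove"):
                continue
            policy = parse_csp(hdr.get("value", ""))
            # script-src falls back to default-src; neither means no script limits.
            sources = policy.get("script-src", policy.get("default-src"))
            risky = ["<no script restriction>"] if sources is None else \
                    [s for s in sources if s in RISKY_SOURCES]
            findings.append({"rule_id": rule.get("id"), "operation": op,
                             "target": rule.get("condition", {}).get("urlFilter"),
                             "script_risks": risky})
    return findings
```
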

Undisclosed behavior: persistent vendor communication

The background worker establishes two independent communication channels on startup.

An authenticated SSE connection opens to api[.]coderlicences[.]com/api/v1/license/auth/events on every browser session, enabling real-time server-to-client messaging for any live installation. Firebase Cloud Messaging registration runs at install time, providing delivery when SSE is unavailable or the browser is idle. FCM messages survive browser restarts and are device-scoped.

All API requests carry three identifying headers: Authorization: Bearer <session_token>, identifier: <WHITELABEL_KEY>, and device: <UUID>. The device UUID is stored in chrome.storage.local and serves as the per-install identifier across all vendor interactions.

Undisclosed behavior: voice message transmission

Static analysis identified a MicrophoneRecorder implementation together with a bundled LAME MP3 encoder and code paths that upload MP3 data to POST /api/v1/transcription/transcribe alongside a message identifier. These components indicate integrated voice transcription functionality that is not described in the analyzed Chrome Web Store listings. The microphone permission is not declared in the manifest.

Undisclosed behavior: media upload and webhook forwarding

The RPC registry exposes getFileBase64, which fetches any URL in the worker's fetch context and returns it as base64. Combined with cloudBackup (POST /backup with CRC32 integrity checking), WhatsApp media can be uploaded to the platform backend.

Webhook destinations are configured server-side through the operator portal and are not present in the extension bundle. Each platform customer can configure forwarding to arbitrary URLs. Static analysis cannot determine the recipient of forwarded data, and destinations can change after installation with no extension update.

Undisclosed behavior: WhatsApp internal API access

app.js accesses WhatsApp Web's internal component tree directly through React Fiber objects (__reactFiber$, __reactProps$), providing access to conversations, contacts, and session metadata without relying on DOM parsing.

Undisclosed behavior: data backup

The background worker exposes a backup API:


POST /backup                       uploads a data bundle with CRC32 integrity check
GET  /backup/last-from-device/<id> retrieves the most recent backup for a device
GET  /backup/download/<id>         downloads a backup by ID
POST /backup-device/initial        registers a device on first run

This infrastructure is not described in any analyzed Chrome Web Store listing.

Disclosure observations

During review of the analyzed Chrome Web Store listings, no description was found for:

Readers should independently review the associated privacy policies and terms of service for their own assessment of disclosure.

Privacy policy analysis

More than 5 distinct privacy policies were identified across the network. Static analysis findings are inconsistent with claims made in each.

hxxps[://]docs[.]google[.]com/document/d/1OUKYFs9z_yOQGt10BvBN65nNkImkEAM0DP7HXura7_Q

hxxps[://]docs[.]google[.]com/document/d/1VdN3FgSccltOhUemqY3KZUGWIxZvO7w2hLZHMmiHpa0/

hxxps[://]docs[.]google[.]com/document/d/12JJuW0TdqNve43p6yI-wRdU_rLTj6mhRVVYAy4Eqim0

hxxps[://]segsmartwebplus[.]com[.]br/politica-de-privacidade/

hxxps[://]coderlicences[.]com/politica-de-privacidade/

hxxps[://]salesprime[.]com[.]br/crm/politica-privacidade/

Attribution

Although distributed under different names, publishers, and Chrome Web Store listings, every analyzed extension shares the same compiled codebase, platform API key, backend infrastructure, Firebase project, runtime marker, and application architecture. These shared characteristics indicate that the extensions are instances of a single white-label platform rather than independently developed products.
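
One way to check unpacked bundles for the shared characteristics listed above, and to group listings by them as the Methodology section describes. This is an added Python example, not the project's internal clustering tooling. The regexes, the min_shared threshold, and the sample bundles are assumptions made for illustration.

```python
import re
from collections import defaultdict

def refang(ioc):
    """Turn the report's defanged notation back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxps", "https")

API = refang("hxxps://api[.]coderlicences[.]com/api/v1")

# Indicators as the report lists them; the regex forms are this example's own.
FINGERPRINTS = {
    "runtime_marker": re.compile(r"__CL__ACTIVE__\s*=\s*(?:true|!0)"),  # !0: minified true
    "backend_api": re.compile(re.escape(API)),
    "firebase_project": re.compile(re.escape("coderlicenses-13ee8")),
    "transcribe_path": re.compile(re.escape("/transcription/transcribe")),
    "react_fiber": re.compile(r"__reactFiber\$|__reactProps\$"),
}

def fingerprint(bundle):
    """bundle maps file name -> source text; returns {indicator: [matching files]}."""
    hits = defaultdict(list)
    for name, text in sorted(bundle.items()):
        for label, rx in FINGERPRINTS.items():
            if rx.search(text):
                hits[label].append(name)
    return dict(hits)

def cluster(bundles, min_shared=3):
    """Group extension ids by identical indicator set of at least min_shared hits."""
    groups = defaultdict(list)
    for ext_id, bundle in sorted(bundles.items()):
        labels = frozenset(fingerprint(bundle))
        if len(labels) >= min_shared:
            groups[labels].append(ext_id)
    return dict(groups)

# Constructed sample bundles: ids and file contents are made up for the example.
SAMPLE = {
    "ext-a": {"global.js": "window.__CL__ACTIVE__ = true;",
              "background.js": f'const API="{API}"; const P="coderlicenses-13ee8";',
              "app.js": "Object.keys(el).find(k => k.startsWith('__reactFiber$'))"},
    "ext-b": {"global.js": "window.__CL__ACTIVE__=!0",
              "background.js": f'fetch("{API}/x"); var p="coderlicenses-13ee8"',
              "app.js": "node['__reactProps$' + id]"},
    "ext-c": {"content.js": "document.querySelector('#main')"},
}

if __name__ == "__main__":
    for labels, ids in cluster(SAMPLE).items():
        print(sorted(labels), ids)
```
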

Infrastructure

| Domain / Resource | Role | Disclosed? |
|---|---|---|
| api[.]coderlicences[.]com | Backend API and event channel | No |
| app[.]coderlicences[.]com | Operator portal | No |
| coderlicenses-13ee8[.]firebaseapp[.]com | Firebase auth and database | No |
| coderlicenses-13ee8[.]firebasestorage[.]app | Firebase storage | No |
| Firebase FCM (sender 448382602126) | Push notifications for dormant installs | No |
| POST /api/v1/transcription/transcribe | Voice audio upload | No |
| POST /api/v1/backup | Data bundle upload | No |
| POST /api/v1/webhook | Forwarding to operator-configured URLs | No |

Summary

coderlicences[.]com operates a white-label platform (internal name "wadi") distributed across at least 50 Chrome extensions totaling approximately 15,579 installs, targeting WhatsApp Web users in Portuguese-speaking markets. Every analyzed instance modifies WhatsApp's Content Security Policy, maintains persistent SSE and FCM communication with the vendor backend, and includes integrated voice transcription functionality and operator-configured forwarding to destinations not visible in the bundle. A single shared EXTENSION_API_KEY present across all instances is the primary attribution signal for this platform.

While sharing a similar targeting profile to the previously documented WaSteal network (wascript.com.br), CRMware operates on distinct infrastructure with a different communication architecture, replacing GTM-based delivery with a dual SSE/FCM channel and adding a declarativeNetRequest CSP modification not present in WaSteal.


Research by Jean-Marie R. (Toborrm9) | Malicious Extension Sentry Project | June 27, 2026