131 WhatsApp Web “CRM” extensions: spam automation at store scale
How researchers clustered over a hundred Chrome extensions that inject into web.whatsapp.com to automate bulk messaging—high-risk for the platform, annoying for users, and a lesson in clone economics.
Software supply-chain security firm Socket described a coordinated set of 131 Chrome extensions that share the same codebase and infrastructure but ship under different names and branding. Together they had roughly 21,000 active users at the time of reporting. Researcher Kirill Boychenko framed them not as classic malware but as high-risk spam automation: the code injects into the WhatsApp Web page, runs alongside WhatsApp’s own scripts, and automates bulk outreach and scheduling in ways designed to work around rate limits and anti-spam controls.
Coverage tied the activity to Brazil-focused spam at scale. The operation was assessed to have run for at least nine months, and new uploads and version updates were still being observed around October 17, 2025.
How the cluster behaved
- Same engine, many storefronts — Near-identical copies under different publisher accounts and logos, marketed as CRM-style tools for WhatsApp Web (“sales funnel”, “bulk messaging”, “schedule messages”, etc.).
- Publisher patterns — Many listings were linked to names like WL Extensão / WLExtensao. Reporting connected the ecosystem to a white-label / franchise-style program from DBX Tecnologia, where affiliates rebrand the same extension and flood the store with clones.
- Policy angle — That pattern conflicts with Chrome Web Store rules against duplicate functionality and spammy abuse of multiple listings for the same product.
- User experience — Outbound messaging automation without clear per-message confirmation is both a Terms of Service problem for WhatsApp and a trust problem for anyone whose browser runs the add-on.
Why it still matters for security-minded readers
Even when something is labeled “spamware” instead of “stealer,” it still:
- Reads and drives the DOM of a sensitive web app you are logged into.
- Requires broad permissions to inject and persist.
- Updates remotely like any other extension—today’s “CRM helper” can change behavior tomorrow.
What to do
- Avoid “WhatsApp Web booster / bulk sender / CRM” extensions unless you fully trust the publisher and understand WhatsApp’s rules for automation.
- If you need legitimate business messaging, use official WhatsApp Business paths—not a clone army from unknown store accounts.
- Remove redundant WhatsApp-related extensions; keep one well-known tool or none.
- Report suspicious duplicate listings via Google’s abuse channels when you see obvious clone farms.
Practical next step
In chrome://extensions, search for WhatsApp. Uninstall anything you do not actively use or cannot tie to a specific, reputable vendor. eSafe can help you see permissions and risk signals in one place.
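The same check done from what each extension actually declares rather than from its store name, as an added example that is not code from Socket’s report or from eSafe: it assumes Chrome’s on-disk layout of <profile>/Extensions/<id>/<version>/manifest.json, and the sample manifests below are constructed for the demonstration, not real listings.

```python
import json
from pathlib import Path

# Added example: triage Chrome extensions by what manifest.json declares, not by name.
# Flags (1) content scripts injected into web.whatsapp.com and (2) all-sites host access.
WHATSAPP_HOST = "web.whatsapp.com"
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern such as 'https://*.whatsapp.com/*' applies to host."""
    if pattern in BROAD_PATTERNS:
        return True
    hostpart = pattern.split("://", 1)[-1].split("/", 1)[0]  # drop scheme and path
    if hostpart == host:
        return True
    return hostpart.startswith("*.") and (host == hostpart[2:] or host.endswith(hostpart[1:]))

def triage_manifest(manifest: dict) -> dict:
    """Summarise the injection and host-permission surface one manifest declares."""
    injects_wa = any(pattern_covers(m, WHATSAPP_HOST)
                     for cs in manifest.get("content_scripts", [])
                     for m in cs.get("matches", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    broad = any(h in BROAD_PATTERNS for h in hosts)
    risk = "high" if injects_wa and broad else "review" if injects_wa else "ok"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "injects_whatsapp": injects_wa, "all_sites_access": broad, "risk": risk}

def triage_profile(extensions_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, Chrome's on-disk layout."""
    results = []
    for mf in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            entry = triage_manifest(json.loads(mf.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the audit
        entry["id"] = mf.parent.parent.name
        results.append(entry)
    return results

# Constructed sample manifests (hypothetical, not real store listings) for a dry run.
SAMPLE_MANIFESTS = [
    {"name": "Funil de Vendas WA", "version": "2.1", "manifest_version": 3,
     "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["https://web.whatsapp.com/*"], "js": ["inject.js"]}]},
    {"name": "Plain Notes", "version": "0.3", "manifest_version": 3, "permissions": ["storage"]},
]
```

Point `triage_profile` at your profile’s Extensions folder to list every installed extension with its `risk` field; anything marked `high` injects into WhatsApp Web and can also read every other site you visit.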
Go deeper
Analyze an extension before you install: permissions, publisher signals, and update history.
Report: The Hacker News.
FAQ
- Why are WhatsApp Web “CRM” extensions risky?
- They run in the same page context as your chats and can read or drive UI in ways that violate WhatsApp terms and user expectations, while enabling mass outreach that bypasses rate limits.
- Does ~21k users mean the code is trustworthy?
- User counts reflect marketing and need, not safety. Clone economics can spread the same codebase under many names; treat unfamiliar WhatsApp helpers as high scrutiny.
- What should businesses communicate to customer-facing teams?
- Use only approved tools for messaging, forbid unvetted extensions on machines that access customer data, and report suspicious bulk-messaging add-ons to IT.
Related browser risks
- All-sites access: Plain-language deep dive on host permissions that cover every website: capabilities, real abuse cases, Chrome/Mozilla documentation, and …
- Tabs & URLs: How extension tab permissions work (open tabs, URLs, navigation): capabilities, documented incidents with cited user counts, token-in-URL…
- Notifications: Chrome extension notifications: chrome.notifications OS toasts, fake security pop-ups, spam re-engagement—privacy, geolocation combos & c…