Security Warning: High Security Risk
Foosball
ID: menihhcicpgkoakckmlcjnclmpmlijmi
Extension Info & Metadata
Publisher Contextual Analysis
- Author: YanaProject
- MX records exist: Yes
- Domain exists: Yes
- Is disposable: No
- Is role-based: No
- Mailbox exists: Yes
Foosball: Chrome extension game
Play against the CPU or challenge your friend and score the greatest number of goals! Two game's mode: Scrimmage and Championship! Let's get this match started!
This extension requests no permissions and has no recorded risk factors.
On every popup load the extension opens a persistent WebSocket to wss://chat.cloudapi.stream/game/, assigns the user a permanent identifier (lkey) stored in localStorage, and heartbeats it back to the server every 10 seconds. This constitutes ongoing undisclosed session tracking: the server can correlate activity across browsing sessions using the lkey as a stable user fingerprint. No data collection is declared in the CWS listing.
```js
let socket;
let lkey = localStorage.getItem('lkey');
let lkey_time = localStorage.getItem('lkey_time');
let W_open = false;
const serverUrl = 'wss://chat.cloudapi.stream/game/';
function connectWebSocket() {
  socket = new WebSocket(serverUrl);
  socket.onopen = () => {
    console.log('WebSocket connection established');
    if (lkey == undefined || lkey == null || lkey == '' || lkey.length < 10) {
      socket.send(JSON.stringify({ action: 'new_client' }));
    } else socket.send(JSON.stringify({ action: 'session_start', lkey: lkey }));
  };
  ...
setInterval(() => {
  ...
  if (W_open == false) {
    socket.send(JSON.stringify({ action: 'check_key', lkey: lkey }));
  }
}, 10000);
connectWebSocket();
```

The remote C2 server can push a show_ad message containing arbitrary image URLs (answ.src) and link destinations (answ.href), which the extension renders as a forced full-screen modal overlay on top of the game. Display duration is also server-controlled (answ.interval). Every ad click is reported back to the server with the user's lkey and ad_id, enabling per-user click-through tracking across sessions. The operator retains full runtime control over what URLs and content are surfaced to users with no CWS disclosure.
```js
if (answ.action == 'show_ad') {
  ad_id = answ.id;
  modalad6432.classList.add("active");
  document.querySelector(".counte_6432").innerHTML = answ.text;
  document.querySelector(".img_6432").setAttribute('src', answ.src);
  document.querySelector(".a_6432").setAttribute('href', answ.href);
  setTimeout(() => {
    modalad6432.classList.remove("active");
    socket.send(JSON.stringify({ action: 'ad_auto_close', lkey: lkey }));
  }, answ.interval);
}
...
a_6432.addEventListener("click", () => {
  socket.send(JSON.stringify({ action: 'ad_close_by_click', lkey: lkey, ad_id: ad_id }));
});
```

The bundled manifest declares empty permissions and no host_permissions, yet the code in popup/js/i.js actively connects to cloudapi.stream and multiaccount.cloudapi.stream. The published CWS manifest declares notifications permission and host_permissions for googleapis.com, cloudapi.stream, mines.cloudapi.stream, and top.rodeo, permissions absent from the installed bundle. Additionally, the bundled manifest includes externally_connectable matching <all_urls> (any webpage can message this extension), which does not appear in the published manifest at all. This material divergence between the installed and published permission sets is a strong indicator of version-level deception.
```json
{
  "permissions": [],
  "externally_connectable": { "matches": ["<all_urls>"] },
  "manifest_version": 3,
  "version": "1.3.1",
  "background": { "service_worker": "background.js" }
  // No host_permissions declared
}
```

By severity
Versions scanned
Showing 1 of 8 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.3.1 | 3 |
Files with findings
2 distinct paths, top paths by unique finding count:
- popup/js/i.js: 2
- manifest.json: 1
