chore: update feeds 2026-04-19

Author: github-actions[bot]

browser_extensions_list.csv

@@ -1,4 +1,5 @@
-browser_extension,browser_extension_id_wildcard,browser_extension_id,metadata_category,metadata_type,metadata_link,metadata_comment,crx_file_sha256
+browser_extension,browser_extension_id_wildcard,browser_extension_id,metadata_category,metadata_type,metadata_link,metadata_comment,crx_file_sha256
+OpenClaw Browser Relay,*nglingapjinhecnfejdcpihlpneeadjp*,nglingapjinhecnfejdcpihlpneeadjp,malware,malicious,https://chromewebstore.google.com/detail/openclaw-browser-relay/nglingapjinhecnfejdcpihlpneeadjp,Browser-control relay extension with local WebSocket/CDP automation - third-party depreciated package for openclaw. Added for enterprise blocklist - not as confirmed malware,133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f
 Telegram Multi-account,*obifanppcpchlehkjipahhphbcbjekfa*,obifanppcpchlehkjipahhphbcbjekfa,malware,malicious,https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2,,
 Web Client for Telegram - Teleside,*mdcfennpfgkngnibjbpnpaafcjnhcjno*,mdcfennpfgkngnibjbpnpaafcjnhcjno,malware,malicious,https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2,,
 YouSide - Youtube Sidebar,*mmecpiobcdbjkaijljohghhpfgngpjmk*,mmecpiobcdbjkaijljohghhpfgngpjmk,malware,malicious,https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2,,

feeds/elastic_detection_rule.ndjson

@@ -1,12 +1,12 @@
 {
   "feed_name": "ExtSentry - Browser Extension Threat Intelligence",
   "feed_version": "1.0",
-  "generated": "2026-04-19T06:01:04Z",
+  "generated": "2026-04-19T07:23:01Z",
   "source": "https://github.com/mthcht/awesome-lists",
   "license": "TLP:CLEAR",
-  "total_indicators": 1880,
+  "total_indicators": 1881,
   "categories": {
-    "malware": 1670,
+    "malware": 1671,
     "PUP": 5,
     "compromised": 92,
     "cryptocurrency": 90,
@@ -18,6 +18,17 @@
     "PROXY/VPN": 5
   },
   "indicators": [
+    {
+      "extension_id": "nglingapjinhecnfejdcpihlpneeadjp",
+      "extension_name": "OpenClaw Browser Relay",
+      "wildcard_pattern": "*nglingapjinhecnfejdcpihlpneeadjp*",
+      "category": "malware",
+      "threat_type": "malicious",
+      "reference_url": "https://chromewebstore.google.com/detail/openclaw-browser-relay/nglingapjinhecnfejdcpihlpneeadjp",
+      "description": "Browser-control relay extension with local WebSocket/CDP automation - third-party depreciated package for openclaw. Added for enterprise blocklist - not as confirmed malware",
+      "crx_sha256": "133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f",
+      "chrome_webstore_url": "https://chromewebstore.google.com/detail/nglingapjinhecnfejdcpihlpneeadjp"
+    },
     {
       "extension_id": "obifanppcpchlehkjipahhphbcbjekfa",
       "extension_name": "Telegram Multi-account",

feeds/elastic_threat_intel.ndjson

@@ -1,4 +1,5 @@
 extension_id,extension_name,wildcard_pattern,category,threat_type,reference_url,description,chrome_webstore_url,severity,crx_sha256,first_seen,feed_source
+nglingapjinhecnfejdcpihlpneeadjp,OpenClaw Browser Relay,*nglingapjinhecnfejdcpihlpneeadjp*,malware,malicious,https://chromewebstore.google.com/detail/openclaw-browser-relay/nglingapjinhecnfejdcpihlpneeadjp,Browser-control relay extension with local WebSocket/CDP automation - third-party depreciated package for openclaw. Added for enterprise blocklist - not as confirmed malware,https://chromewebstore.google.com/detail/nglingapjinhecnfejdcpihlpneeadjp,critical,133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f,2026-04-19,ExtSentry (github.com/mthcht/awesome-lists)
 obifanppcpchlehkjipahhphbcbjekfa,Telegram Multi-account,*obifanppcpchlehkjipahhphbcbjekfa*,malware,malicious,https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2,,https://chromewebstore.google.com/detail/obifanppcpchlehkjipahhphbcbjekfa,critical,,2026-04-19,ExtSentry (github.com/mthcht/awesome-lists)
 mdcfennpfgkngnibjbpnpaafcjnhcjno,Web Client for Telegram - Teleside,*mdcfennpfgkngnibjbpnpaafcjnhcjno*,malware,malicious,https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2,,https://chromewebstore.google.com/detail/mdcfennpfgkngnibjbpnpaafcjnhcjno,critical,,2026-04-19,ExtSentry (github.com/mthcht/awesome-lists)
 mmecpiobcdbjkaijljohghhpfgngpjmk,YouSide - Youtube Sidebar,*mmecpiobcdbjkaijljohghhpfgngpjmk*,malware,malicious,https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2,,https://chromewebstore.google.com/detail/mmecpiobcdbjkaijljohghhpfgngpjmk,critical,,2026-04-19,ExtSentry (github.com/mthcht/awesome-lists)

feeds/extsentry_feed.json

@@ -1,3 +1,4 @@
+nglingapjinhecnfejdcpihlpneeadjp
 obifanppcpchlehkjipahhphbcbjekfa
 mdcfennpfgkngnibjbpnpaafcjnhcjno
 mmecpiobcdbjkaijljohghhpfgngpjmk

feeds/extsentry_ioc_feed.csv

@@ -1,3 +1,4 @@
+133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f
 0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5
 21dd863ff9bbd15da01c1218bf92bd65eeae04a41876e10c41733b58035414c4
 9d0f550ac883455ed64da402cdb0c822c90de405c540678e0697b77fe20de3cf

feeds/ioc_all_extension_ids.txt

@@ -1,3 +1,4 @@
+nglingapjinhecnfejdcpihlpneeadjp
 obifanppcpchlehkjipahhphbcbjekfa
 mdcfennpfgkngnibjbpnpaafcjnhcjno
 mmecpiobcdbjkaijljohghhpfgngpjmk

feeds/ioc_crx_sha256_hashes.txt

@@ -5,7 +5,7 @@
     "analysis": "2",
     "distribution": "3",
     "date": "2026-04-19",
-    "timestamp": "1776578465",
+    "timestamp": "1776583381",
     "published": false,
     "uuid": "41ef2090-fab5-547e-9eb6-2aa8f195c66f",
     "Orgc": {
@@ -27,6 +27,40 @@
       }
     ],
     "Attribute": [
+      {
+        "uuid": "70c24c8a-98cf-5284-ad5b-fa87d91fd5a7",
+        "type": "text",
+        "category": "Other",
+        "to_ids": false,
+        "value": "nglingapjinhecnfejdcpihlpneeadjp",
+        "comment": "OpenClaw Browser Relay | Category: malware | Type: malicious | Browser-control relay extension with local WebSocket/CDP automation - third-party depreciated package for openclaw. Added for enterprise blocklist - not as confirmed malware",
+        "distribution": "5",
+        "Tag": [
+          {
+            "name": "extsentry:category=\"malware\""
+          },
+          {
+            "name": "extsentry:type=\"malicious\""
+          }
+        ]
+      },
+      {
+        "uuid": "b1b797e3-c239-5fab-acb2-81729019cbff",
+        "type": "sha256",
+        "category": "Payload delivery",
+        "to_ids": true,
+        "value": "133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f",
+        "comment": "CRX file hash for OpenClaw Browser Relay (nglingapjinhecnfejdcpihlpneeadjp)",
+        "distribution": "5",
+        "Tag": [
+          {
+            "name": "extsentry:category=\"malware\""
+          },
+          {
+            "name": "extsentry:type=\"malicious\""
+          }
+        ]
+      },
       {
         "uuid": "29bf0cc7-d0c4-590a-aa90-17e47e6ff02d",
         "type": "text",
@@ -32108,6 +32142,58 @@
       }
     ],
     "Object": [
+      {
+        "uuid": "daf46dee-21fe-5199-b2d4-cf680a33455f",
+        "name": "annotation",
+        "meta-category": "misc",
+        "description": "Suspicious/Malicious browser extension: OpenClaw Browser Relay",
+        "template_uuid": "e434b304-a905-53fb-b7df-1d552e338795",
+        "template_version": "1",
+        "Attribute": [
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "nglingapjinhecnfejdcpihlpneeadjp",
+            "comment": "Browser Extension ID",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "OpenClaw Browser Relay",
+            "comment": "Extension Name",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "malware",
+            "comment": "Threat Category",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "malicious",
+            "comment": "Threat Type",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "sha256",
+            "value": "133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f",
+            "comment": "CRX File SHA-256",
+            "to_ids": true
+          },
+          {
+            "object_relation": "text",
+            "type": "link",
+            "value": "https://chromewebstore.google.com/detail/openclaw-browser-relay/nglingapjinhecnfejdcpihlpneeadjp",
+            "comment": "Reference URL",
+            "to_ids": false
+          }
+        ]
+      },
       {
         "uuid": "f089e386-fca0-5989-9c52-16c036681cbb",
         "name": "annotation",

feeds/ioc_malicious_extension_ids.txt

@@ -9,6 +9,7 @@
     "other"
   ],
   "list": [
+    "nglingapjinhecnfejdcpihlpneeadjp",
     "obifanppcpchlehkjipahhphbcbjekfa",
     "mdcfennpfgkngnibjbpnpaafcjnhcjno",
     "mmecpiobcdbjkaijljohghhpfgngpjmk",