chore: update feeds 2026-04-24

Author: github-actions[bot]

browser_extensions_list.csv

@@ -1,4 +1,5 @@
 browser_extension,browser_extension_id_wildcard,browser_extension_id,metadata_category,metadata_type,metadata_link,metadata_comment,crx_file_sha256
+Sinceerly,*lhokehflammomchbkmpohfeidffnlpmo*,lhokehflammomchbkmpohfeidffnlpmo,malware,malicious,https://x.com/nix_eth/status/2047407665211728181,stealing api key and email text messages,
 NexShield Advanced Web Guardian,*cpcdkmjddocikjdkbbeiaafnpdbdafmi*,cpcdkmjddocikjdkbbeiaafnpdbdafmi,malware,malicious,https://github.com/mthcht/ThreatIntel-Reports/blob/f1ceede743e0791ea9f2af7988ab9fcfd4a38d56/Intel%20Reports/thehackernews_com/2026_01_crashfix-chrome-extension-delivers_html/content.txt#L696,,c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c
 Context Extension,*omddlmnhcofjbnbflmjginpjjblphbgk*,omddlmnhcofjbnbflmjginpjjblphbgk,malware,malicious,https://x.com/i/status/2045960143209152981,Linked in public reporting to the Vercel third-party AI tool incident and a now-removed extension - Hunt with related OAuth IOC 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com,
 OpenClaw Browser Relay,*nglingapjinhecnfejdcpihlpneeadjp*,nglingapjinhecnfejdcpihlpneeadjp,malware,malicious,https://chromewebstore.google.com/detail/openclaw-browser-relay/nglingapjinhecnfejdcpihlpneeadjp,Browser-control relay extension with local WebSocket/CDP automation - third-party depreciated package for openclaw. Added for enterprise blocklist - not as confirmed malware,133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f

feeds/elastic_detection_rule.ndjson

@@ -1,12 +1,12 @@
 {
   "feed_name": "ExtSentry - Browser Extension Threat Intelligence",
   "feed_version": "1.0",
-  "generated": "2026-04-24T10:11:16Z",
+  "generated": "2026-04-24T11:43:56Z",
   "source": "https://github.com/mthcht/awesome-lists",
   "license": "TLP:CLEAR",
-  "total_indicators": 1880,
+  "total_indicators": 1881,
   "categories": {
-    "malware": 1670,
+    "malware": 1671,
     "PUP": 5,
     "compromised": 92,
     "cryptocurrency": 90,
@@ -18,6 +18,17 @@
     "PROXY/VPN": 5
   },
   "indicators": [
+    {
+      "extension_id": "lhokehflammomchbkmpohfeidffnlpmo",
+      "extension_name": "Sinceerly",
+      "wildcard_pattern": "*lhokehflammomchbkmpohfeidffnlpmo*",
+      "category": "malware",
+      "threat_type": "malicious",
+      "reference_url": "https://x.com/nix_eth/status/2047407665211728181",
+      "description": "stealing api key and email text messages",
+      "crx_sha256": null,
+      "chrome_webstore_url": "https://chromewebstore.google.com/detail/lhokehflammomchbkmpohfeidffnlpmo"
+    },
     {
       "extension_id": "cpcdkmjddocikjdkbbeiaafnpdbdafmi",
       "extension_name": "NexShield Advanced Web Guardian",

feeds/elastic_threat_intel.ndjson

@@ -1,4 +1,5 @@
 extension_id,extension_name,wildcard_pattern,category,threat_type,reference_url,description,chrome_webstore_url,severity,crx_sha256,first_seen,feed_source
+lhokehflammomchbkmpohfeidffnlpmo,Sinceerly,*lhokehflammomchbkmpohfeidffnlpmo*,malware,malicious,https://x.com/nix_eth/status/2047407665211728181,stealing api key and email text messages,https://chromewebstore.google.com/detail/lhokehflammomchbkmpohfeidffnlpmo,critical,,2026-04-24,ExtSentry (github.com/mthcht/awesome-lists)
 cpcdkmjddocikjdkbbeiaafnpdbdafmi,NexShield Advanced Web Guardian,*cpcdkmjddocikjdkbbeiaafnpdbdafmi*,malware,malicious,https://github.com/mthcht/ThreatIntel-Reports/blob/f1ceede743e0791ea9f2af7988ab9fcfd4a38d56/Intel%20Reports/thehackernews_com/2026_01_crashfix-chrome-extension-delivers_html/content.txt#L696,,https://chromewebstore.google.com/detail/cpcdkmjddocikjdkbbeiaafnpdbdafmi,critical,c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c,2026-04-24,ExtSentry (github.com/mthcht/awesome-lists)
 omddlmnhcofjbnbflmjginpjjblphbgk,Context Extension,*omddlmnhcofjbnbflmjginpjjblphbgk*,malware,malicious,https://x.com/i/status/2045960143209152981,Linked in public reporting to the Vercel third-party AI tool incident and a now-removed extension - Hunt with related OAuth IOC 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com,https://chromewebstore.google.com/detail/omddlmnhcofjbnbflmjginpjjblphbgk,critical,,2026-04-24,ExtSentry (github.com/mthcht/awesome-lists)
 nglingapjinhecnfejdcpihlpneeadjp,OpenClaw Browser Relay,*nglingapjinhecnfejdcpihlpneeadjp*,malware,malicious,https://chromewebstore.google.com/detail/openclaw-browser-relay/nglingapjinhecnfejdcpihlpneeadjp,Browser-control relay extension with local WebSocket/CDP automation - third-party depreciated package for openclaw. Added for enterprise blocklist - not as confirmed malware,https://chromewebstore.google.com/detail/nglingapjinhecnfejdcpihlpneeadjp,critical,133df5ad1bd5f3c5444fc6bf15040b34372dd309d7481be708ae6445c3a20c6f,2026-04-24,ExtSentry (github.com/mthcht/awesome-lists)

feeds/extsentry_feed.json

@@ -1,3 +1,4 @@
+lhokehflammomchbkmpohfeidffnlpmo
 cpcdkmjddocikjdkbbeiaafnpdbdafmi
 omddlmnhcofjbnbflmjginpjjblphbgk
 nglingapjinhecnfejdcpihlpneeadjp

feeds/extsentry_ioc_feed.csv

@@ -1,3 +1,4 @@
+lhokehflammomchbkmpohfeidffnlpmo
 cpcdkmjddocikjdkbbeiaafnpdbdafmi
 omddlmnhcofjbnbflmjginpjjblphbgk
 nglingapjinhecnfejdcpihlpneeadjp

feeds/ioc_all_extension_ids.txt

@@ -5,7 +5,7 @@
     "analysis": "2",
     "distribution": "3",
     "date": "2026-04-24",
-    "timestamp": "1777025477",
+    "timestamp": "1777031037",
     "published": false,
     "uuid": "41ef2090-fab5-547e-9eb6-2aa8f195c66f",
     "Orgc": {
@@ -27,6 +27,23 @@
       }
     ],
     "Attribute": [
+      {
+        "uuid": "6106685a-9ac1-5a0d-ad9a-d82a1141d895",
+        "type": "text",
+        "category": "Other",
+        "to_ids": false,
+        "value": "lhokehflammomchbkmpohfeidffnlpmo",
+        "comment": "Sinceerly | Category: malware | Type: malicious | stealing api key and email text messages",
+        "distribution": "5",
+        "Tag": [
+          {
+            "name": "extsentry:category=\"malware\""
+          },
+          {
+            "name": "extsentry:type=\"malicious\""
+          }
+        ]
+      },
       {
         "uuid": "9b054d03-2042-5067-adcf-94138479a22b",
         "type": "text",
@@ -32142,6 +32159,51 @@
       }
     ],
     "Object": [
+      {
+        "uuid": "34134e2c-b22a-5ea7-a73f-c25a9c6f1653",
+        "name": "annotation",
+        "meta-category": "misc",
+        "description": "Suspicious/Malicious browser extension: Sinceerly",
+        "template_uuid": "e434b304-a905-53fb-b7df-1d552e338795",
+        "template_version": "1",
+        "Attribute": [
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "lhokehflammomchbkmpohfeidffnlpmo",
+            "comment": "Browser Extension ID",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "Sinceerly",
+            "comment": "Extension Name",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "malware",
+            "comment": "Threat Category",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "text",
+            "value": "malicious",
+            "comment": "Threat Type",
+            "to_ids": false
+          },
+          {
+            "object_relation": "text",
+            "type": "link",
+            "value": "https://x.com/nix_eth/status/2047407665211728181",
+            "comment": "Reference URL",
+            "to_ids": false
+          }
+        ]
+      },
       {
         "uuid": "a2e1d604-807c-521d-9501-f2e9f0688990",
         "name": "annotation",

feeds/ioc_malicious_extension_ids.txt

@@ -9,6 +9,7 @@
     "other"
   ],
   "list": [
+    "lhokehflammomchbkmpohfeidffnlpmo",
     "cpcdkmjddocikjdkbbeiaafnpdbdafmi",
     "omddlmnhcofjbnbflmjginpjjblphbgk",
     "nglingapjinhecnfejdcpihlpneeadjp",