Is "WakaTime" on Firefox Add-ons Safe to Install?

WakaTime · firefox · v4.1.0

Automatic time tracking for programmers, contractors, and freelancers. https://github.com/wakatime/browser-wakatime Toggl but fully automatic.

Risk Assessment

Status: Pending
Risk score: 0 out of 100 (MINIMAL)
0 security findings detected across all analyzers
Firefox extension requesting 8 permissions

No Threats Detected: this extension passed all security checks
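The permission count in the summary above is the one figure a reviewer can check directly against the package. The script below is an added example for this page, not code from the listing, the scanner or WakaTime: it pulls every permission a Firefox manifest can end up granting (MV2 `permissions`, MV3 `host_permissions`, and the optional variants that can be granted at runtime) and ranks them by what they let extension code do. The manifest it ships with is constructed for illustration and is not WakaTime's; the severity table is the example's own grouping.

```python
"""Audit the permissions a Firefox WebExtension manifest requests.

Added example for this page. The manifest below is constructed for
illustration and is NOT WakaTime's; the severity table is this example's
own grouping of what each permission lets extension code do in Firefox.
"""
import json
import sys
import zipfile

# Why a reviewer cares about each permission. Anything not listed is reported
# as UNKNOWN so it gets looked at instead of silently passing.
RISK_TABLE = {
    "nativeMessaging": ("HIGH", "may talk to a native host process that runs outside the browser sandbox"),
    "<all_urls>": ("HIGH", "content-script and fetch access to every site the user visits"),
    "webRequestBlocking": ("HIGH", "can modify or cancel requests in flight"),
    "cookies": ("HIGH", "reads cookies, including session tokens, for permitted hosts"),
    "history": ("MEDIUM", "reads browsing history"),
    "downloads": ("MEDIUM", "can write files to the downloads directory"),
    "clipboardRead": ("MEDIUM", "reads clipboard contents"),
    "tabs": ("MEDIUM", "sees the URL and title of every open tab"),
    "webRequest": ("MEDIUM", "observes request metadata"),
    "storage": ("LOW", "extension-local storage only"),
    "alarms": ("LOW", "timers"),
    "idle": ("LOW", "user idle-state events"),
}
SEVERITY_ORDER = {"HIGH": 3, "MEDIUM": 2, "UNKNOWN": 1, "LOW": 0}


def host_of(pattern):
    """Host component of a match pattern such as 'https://*.example.com/*'."""
    _, _, rest = pattern.partition("://")
    return rest.split("/", 1)[0]


def collect_permissions(manifest):
    """Every permission string the extension can end up holding.

    MV2 keeps host patterns in `permissions`; MV3 moves them to
    `host_permissions`. Optional permissions can be granted at runtime, so a
    least-privilege review counts them as well.
    """
    perms = []
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        perms.extend(manifest.get(key, []))
    return perms


def classify(perm):
    """(severity, reason) for one permission string."""
    if perm in RISK_TABLE:
        return RISK_TABLE[perm]
    if "://" in perm:
        # A wildcard host grants access everywhere; a named origin does not.
        if host_of(perm) == "*":
            return "HIGH", "page access on every host (wildcard pattern)"
        return "MEDIUM", f"page access on hosts matching {perm}"
    return "UNKNOWN", "not in the risk table; review manually"


def audit(manifest):
    """Return findings sorted worst-first: [{permission, severity, reason}, ...]."""
    findings = []
    for perm in collect_permissions(manifest):
        sev, why = classify(perm)
        findings.append({"permission": perm, "severity": sev, "reason": why})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]], reverse=True)
    return findings


def load_manifest(xpi_path):
    """An .xpi is a ZIP; the manifest sits at its root."""
    with zipfile.ZipFile(xpi_path) as zf:
        return json.loads(zf.read("manifest.json"))


# Constructed MV2 manifest for a hypothetical time tracker (not WakaTime's):
# eight requested permissions, two of which reach well beyond time tracking.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Time Tracker",
    "permissions": ["alarms", "idle", "storage", "tabs",
                    "https://api.example.com/*", "nativeMessaging", "<all_urls>"],
    "optional_permissions": ["history"],
}

if __name__ == "__main__":
    # Pass a path to an .xpi to audit a real package; otherwise use the sample.
    manifest = load_manifest(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for f in audit(manifest):
        print(f"{f['severity']:<8} {f['permission']:<28} {f['reason']}")
```

Run it with the path to a downloaded .xpi to audit the real manifest. Two permissions in the sample deserve the HIGH rank for different reasons: `<all_urls>` widens what the extension can read in the browser, while `nativeMessaging` is the only WebExtension API that can reach a process outside the browser sandbox, so its presence is what makes OS-level behaviour of the kind discussed later on this page even possible.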

About This Extension

Automatic time tracking for programmers, contractors, and freelancers. https://github.com/wakatime/browser-wakatime Toggl but fully automatic.

No Findings

All security checks passed

AI Security Report

AI Security Analysis: WakaTime

Analysis generated: 2025-12-11T20:45:35+13:00
Model: gemini-3-pro-preview


Quick Facts

Property          Value
UUID              0f2ecf6a-ebac-50c8-9839-74959cd0b4b2
Type              firefox
Version           unknown
Users             881
Risk Score        100.0/100 (CRITICAL)
Malware Detected  ⚠️ Yes
Secrets Exposed   ✅ No
Critical Vulns    ✅ No

AI Analysis

Executive Summary

The WakaTime extension (Version: unknown, UUID: 0f2ecf6a-ebac-50c8-9839-74959cd0b4b2) presents a CRITICAL security risk to the organization. The extension triggers multiple high-severity malware signatures indicating capabilities for system persistence, registry modification, and arbitrary command execution, behaviors well outside what a legitimate browser extension needs. Furthermore, the "Unverified Publisher" status combined with a suspiciously low user count (881) strongly suggests this may be a malicious imposter application or a compromised build rather than the legitimate WakaTime tool. Immediate removal is recommended.

Threat Assessment

The security posture of this extension is highly compromised. The analysis indicates a high probability of malicious intent or severe architectural flaws that expose the user to system-level compromise.

  • Imposter/Supply Chain Risk: The legitimate WakaTime service is popular; however, a user count of only 881 and an "Unverified Publisher" status are significant red flags. This profile fits the pattern of "typosquatting" or malicious repackaging, where attackers upload fake versions of popular tools to capture API keys or deploy malware.
  • System Integrity Threats: The presence of postinstall_registry_modification, postinstall_persistence_mechanism, and postinstall_system_command signatures is alarming. Standard WebExtensions operate within a sandbox and cannot write to the registry or spawn processes directly; these findings suggest the extension may be attempting to reach outside that sandbox, potentially through a Native Messaging host (a separately installed native program that the browser launches on the extension's behalf) or a "dropper" script intended to install additional payloads.
  • Data Exfiltration: The combination of postinstall_network_communication and postinstall_file_download suggests the capability to download second-stage malware or exfiltrate sensitive data (source code metadata, API keys) to unauthorized external servers.
  • Obfuscation: The postinstall_obfuscation and PM_Zip_with_js findings indicate attempts to hide code logic from static analysis, a tactic rarely used by legitimate open-source extensions but common in malware.

Risk Justification

Risk Score: 100.0/100 (CRITICAL)

This score is fully justified and potentially conservative given the findings:

  1. Malware Signatures: 82 HIGH severity findings are present, specifically targeting system persistence and registry manipulation.
  2. Trust Deficit: The Trust Score is 0/100. The lack of publisher verification removes accountability.
  3. Capability Scope: The detected capabilities (system commands, registry edits) far exceed the principle of least privilege required for a time-tracking extension.
  4. Volume of IOCs: Over 5,000 Indicators of Compromise (IOCs) suggest that the extension contains a large amount of flagged code or communicates with known suspicious infrastructure.

Key Findings

  • System Persistence & Modification:
    • postinstall_registry_modification: Indicates attempts to write to the Windows Registry, potentially to alter system settings or disable security features.
    • postinstall_persistence_mechanism: Suggests code designed to ensure the malware survives system reboots.
  • Arbitrary Code Execution:
    • postinstall_system_command: The extension contains logic to execute shell commands on the host OS, which extension code cannot do directly; in Firefox that path runs through a Native Messaging host.
    • PM_Zip_with_js: A common evasion technique where malicious JavaScript is hidden inside ZIP archives to bypass basic file scanners.
  • Credential Theft Risks:
    • credential_env_files: The scanner detected patterns associated with scraping or reading .env files, which typically contain secrets and API keys.
  • Vulnerabilities:
    • SQLInjection: Code patterns suggest vulnerability to SQL injection, which could be exploited if the extension interacts with a local database.
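The Key Findings above and the sandbox argument in the Threat Assessment both come down to what the package's JavaScript actually does, so it is worth seeing how such behaviours are found statically. The script below is an added example for this page, not the scanner's code and not WakaTime's: it walks an .xpi (a ZIP), descends into nested archives (the shape the PM_Zip_with_js signature describes), and applies simple regexes for native-messaging calls (the only WebExtension route to a host process), `.env` file references and decode-then-eval obfuscation. The package it scans is built in memory from constructed files; the signature names on this page belong to the page's scanner, and the heuristics here are the example's own, deliberately simpler approximations.

```python
"""Static triage of a Firefox .xpi for the code-level behaviours the report
flags: JS hidden in a nested archive, obfuscation, native-messaging calls
and .env-file references.

Added example for this page. The package is built in memory from
constructed files and is NOT the WakaTime extension; the regexes are this
example's own approximations, not the scanner's signatures.
"""
import io
import re
import sys
import zipfile

JS_SUFFIXES = (".js", ".mjs", ".jsm")
ZIP_SUFFIXES = (".zip", ".xpi", ".jar")
MAX_DEPTH = 3  # nested-archive recursion bound

# The only WebExtension APIs that reach a process outside the browser sandbox.
NATIVE_MESSAGING = re.compile(
    r"\b(?:browser|chrome)\.runtime\.(?:connectNative|sendNativeMessage)\s*\(")
# A quoted path ending in .env or .env.<suffix>.
ENV_FILE = re.compile(r"""['"][^'"]*\.env(?:\.[A-Za-z]+)?['"]""")
# Decode-then-execute, the most common packer idiom in extension malware.
EVAL_DECODE = re.compile(
    r"\b(?:eval|Function)\s*\(\s*(?:atob|unescape|decodeURIComponent)\s*\(")
# Long runs of \xNN escapes hiding string literals.
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")


def looks_obfuscated(text):
    """Cheap heuristic. Minified bundles also trip the long-line test, so read
    a hit as 'inspect this', not 'malicious'."""
    if EVAL_DECODE.search(text) or HEX_ESCAPES.search(text):
        return True
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and sum(len(ln) > 500 for ln in lines) / len(lines) > 0.5


def walk(data, prefix="", depth=0):
    """Yield (path, bytes, depth) for every file, descending into nested ZIPs.
    Nested entries are reported as outer.zip!/inner/path."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path, blob = prefix + info.filename, zf.read(info)
            if (info.filename.lower().endswith(ZIP_SUFFIXES) and depth < MAX_DEPTH
                    and zipfile.is_zipfile(io.BytesIO(blob))):
                yield from walk(blob, path + "!/", depth + 1)
            else:
                yield path, blob, depth


def triage(xpi_bytes):
    """Return [(path, finding), ...] for the JavaScript in the package."""
    findings = []
    for path, blob, depth in walk(xpi_bytes):
        if not path.lower().endswith(JS_SUFFIXES):
            continue
        if depth > 0:
            # Script inside a nested archive: invisible to a reviewer who only
            # reads the files the manifest references.
            findings.append((path, "js_inside_nested_archive"))
        text = blob.decode("utf-8", errors="replace")
        if NATIVE_MESSAGING.search(text):
            findings.append((path, "native_messaging_call"))
        if ENV_FILE.search(text):
            findings.append((path, "env_file_reference"))
        if looks_obfuscated(text):
            findings.append((path, "obfuscation_heuristic"))
    return findings


def _zip_bytes(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_xpi():
    """Constructed package (not WakaTime's): a clean background script, a
    helper showing all three flagged behaviours, and a nested zip carrying JS."""
    clean_js = "browser.alarms.create('heartbeat', { periodInMinutes: 2 });\n"
    suspicious_js = (
        "const port = browser.runtime.connectNative('example_helper_host');\n"
        "port.postMessage({ read: '/home/user/project/.env' });\n"
        "eval(atob('Y29uc29sZS5sb2coMSk='));\n"
    )
    nested = _zip_bytes({"payload/stage2.js": "console.log('stage 2');\n"})
    return _zip_bytes({
        "manifest.json": '{"manifest_version": 2, "name": "sample"}',
        "background.js": clean_js,
        "vendor/helper.js": suspicious_js,
        "assets/bundle.zip": nested,
    })


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    for path, finding in triage(data):
        print(f"{finding:<26} {path}")
```

Pass a downloaded .xpi as the first argument to scan a real package. A `native_messaging_call` hit is the one to chase first when a report talks about registry edits or shell commands: without it (and the matching `nativeMessaging` permission in the manifest) the extension has no supported way to act on the host, and the finding is more likely a rule firing on bundled tooling than on extension behaviour.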

Recommendations

  1. Immediate Removal: Uninstall this extension from all browsers immediately.
  2. Blocklist Implementation: Add the UUID (0f2ecf6a-ebac-50c8-9839-74959cd0b4b2) to the organization's browser management policy blocklist.
  3. Credential Rotation: Any WakaTime API keys or other secrets (like environment variables) present on machines running this extension should be considered compromised and rotated immediately.
  4. Endpoint Scan: Run a full EDR/Antivirus scan on any endpoint where this extension was installed, specifically looking for persistence mechanisms (scheduled tasks, registry run keys).
  5. Verify Official Source: If WakaTime functionality is required, ensure users install only from the official Mozilla Add-ons store link provided directly on the WakaTime website, and verify the publisher has a high user count (typically 10k+) and verified status.
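Recommendation 2 above is implemented, for managed Firefox profiles, through the `ExtensionSettings` enterprise policy in `policies.json`. The script below is an added example for this page, not something the page or WakaTime provides. One caveat a practitioner needs: that policy keys on the add-on ID the extension declares in its manifest (`browser_specific_settings.gecko.id`), which the listing does not show; the scanner UUID quoted in the Quick Facts is a different identifier. The add-on IDs and URLs in the example are therefore placeholders.

```python
"""Block an add-on for managed Firefox profiles via the ExtensionSettings
enterprise policy (policies.json).

Added example for this page, not something the page or WakaTime provides.
The policy keys on the add-on ID from the extension's manifest
(browser_specific_settings.gecko.id), which the listing does not show.
All IDs and URLs below are placeholders.
"""
import json
import re

# Firefox add-on IDs: a GUID in braces, or an e-mail-like string.
ADDON_ID = re.compile(
    r"^(\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}|[^@\s{}]+@[^@\s{}]+)$")


def block_addons(policies, addon_ids, message):
    """Return (new_policies, skipped). Other ExtensionSettings entries are kept;
    an add-on the policy already force-installs is not silently flipped to
    blocked but returned in `skipped` so the conflict is visible."""
    out = json.loads(json.dumps(policies))  # deep copy; input left untouched
    settings = out.setdefault("policies", {}).setdefault("ExtensionSettings", {})
    skipped = []
    for addon_id in addon_ids:
        if not ADDON_ID.match(addon_id):
            raise ValueError(f"not a Firefox add-on ID: {addon_id!r}")
        if settings.get(addon_id, {}).get("installation_mode") == "force_installed":
            skipped.append(addon_id)
            continue
        settings[addon_id] = {
            "installation_mode": "blocked",
            "blocked_install_message": message,
        }
    return out, skipped


def is_blocked(policies, addon_id):
    """Effective rule for one add-on: a specific entry wins, otherwise the '*'
    default applies, otherwise the add-on is allowed."""
    settings = policies.get("policies", {}).get("ExtensionSettings", {})
    entry = settings.get(addon_id) or settings.get("*") or {}
    return entry.get("installation_mode") == "blocked"


# Constructed starting point: an existing policy that force-installs one
# internal add-on and otherwise allows installs. Placeholder IDs and URL.
EXISTING = {
    "policies": {
        "ExtensionSettings": {
            "*": {"installation_mode": "allowed"},
            "internal-tool@example.com": {
                "installation_mode": "force_installed",
                "install_url": "https://intranet.example.com/internal-tool.xpi",
            },
        }
    }
}

if __name__ == "__main__":
    updated, skipped = block_addons(
        EXISTING,
        ["suspect-extension@example.org", "{12345678-1234-1234-1234-123456789abc}"],
        "Blocked by security policy; contact the security team.",
    )
    print(json.dumps(updated, indent=2))
    print("skipped (force-installed):", skipped)
```

The output is the `policies.json` to drop into the Firefox `distribution` directory (or to feed the equivalent Windows GPO / macOS profile). Blocking by ID also uninstalls the add-on from profiles that already have it, which covers recommendation 1 for managed machines; credential rotation and the endpoint scan still have to be done separately.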

Mitigation Strategies

Note: Given the Risk Score of 100, mitigation is not recommended; removal is the only safe option. However, if analysis of the artifact is required in a sandbox:

  1. Sandboxed Environment: Only run this extension in an ephemeral, non-networked Virtual Machine or a containerized browser instance that is destroyed after use.
  2. Network Isolation: Block all outbound traffic from the browser except to known, allow-listed domains (if testing functionality).
  3. File System Restrictions: Use strict AppArmor/SELinux profiles to prevent the browser process from reading .env files or executing shell commands.

Confidence Assessment

Confidence Level: 80%

  • Supporting Factors: The sheer volume of specific YARA matches (Registry, Persistence, System Command) combined with the metadata (Unverified, Low Users) creates a very strong composite picture of a malicious tool.
  • Limiting Factors: "Postinstall" scripts are common in legitimate npm packages. If this extension bundles a full node environment or CLI tool (which WakaTime sometimes does for IDEs), some of these signatures could be false positives triggering on legitimate installation scripts. However, a browser extension should generally not be triggering registry modification rules. The "Unverified" status tips the scale toward malicious intent.

Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Note also that the scanner summary at the top of this page reports 0 findings and a MINIMAL (0/100) score for the same extension, while this report cites 82 HIGH-severity matches and a CRITICAL (100/100) score; the two outputs disagree, and that discrepancy should be resolved before acting on either. Always verify critical findings manually before taking action.

Frequently Asked Questions