A Chrome extension that automatically detects, highlights, and provides security information for IP addresses, domains, and file hashes on any webpage using the VirusTotal API.
While VirusTotal offers an official browser extension (VT4Browsers), this extension provides several key advantages:
- Smart Caching System: Clean indicators cached for 7 days, suspicious/malicious for 24 hours
- Persistent Storage: Cache data, even after restarts, reducing API calls
- On-Demand Lookups: Only fetches data when you hover, not on every page load
- Non-Blocking: Asynchronous processing doesn't slow down page loading
- Result: Uses significantly fewer API lookups compared to VT4Browsers' automatic enrichment
- Automatic Detection: No manual selection required - instantly highlights all IoCs on page
- Indicator Types: Detects IPs, domains, MD5, SHA1, and SHA256 hashes simultaneously
- Clean Interface: Simple toggle to enable/disable highlighting - no complex settings
- Visual Feedback: Color-coded underlines (green/yellow/red) show threat level at a glance
- Tooltips: Hover for detailed information without leaving the page
- Local-First: All caching done locally in your browser
- No Telemetry: No analytics or tracking
- Your API Key: Stored encrypted locally, never transmitted except to VirusTotal
VT4Browsers with free API key (4 requests/min):
- Automatic enrichment can quickly exhaust your quota
- Requires manual site/domain whitelisting to control API usage
- Consumes 1 API lookup per enriched IoC
This Extension:
- Only uses API when you hover over an indicator
- 7-day cache for clean results = 1 lookup serves hundreds of pageviews
- Smart cache expiration based on threat level
- Persistent cache across sessions
- VT4Browsers: Complex settings for highlighting vs enrichment, site whitelisting, per-domain rules
- This Extension: Just add your API key and go - everything else is automatic
- Multi-Indicator Detection: Automatically scans webpages for:
- IPv4 and IPv6 addresses
- Domain names
- File hashes (MD5, SHA1, SHA256)
- Smart Highlighting: Color-coded underlines indicate threat reputation
- Green: Clean (no threats detected)
- Yellow: Suspicious (some vendors flagged)
- Red: Malicious (confirmed threats)
- Rich Hover Tooltips: Detailed security information based on indicator type
- IPs: Country, Network Owner, ASN, Detection score
- Domains: Category, Last Updated, Detection score
- Hashes: File Name, File Type, Detection score
- Direct link to full VirusTotal report
- Quick Actions:
Alt+Clickto copy indicator to clipboard- Simple toggle button in popup to enable/disable highlighting
- Badge Counter: Shows total number of indicators detected on current page
- Intelligent Caching System:
- Clean indicators cached for 7 days (minimal API usage)
- Suspicious/malicious indicators cached for 24 hours (stay current)
- Persistent storage survives browser restarts
- Separate caches for IPs, domains, and hashes
- Privacy-Focused: Your API key encrypted locally, no telemetry or tracking
- Download or clone this repository
- Open your browser and navigate to the extensions page:
- Chrome/Edge:
chrome://extensions/oredge://extensions/ - Enable "Developer mode"
- Chrome/Edge:
- Click "Load unpacked" and select the extension folder
- Get your free VirusTotal API key from virustotal.com
- Click the extension icon, go to Settings, and enter your API key
- Sign up at virustotal.com
- Go to your profile settings
- Copy your API key
- Click the VirusTotal Add-on extension icon
- Click "Settings" or right-click the extension and select "Options"
- Paste your VirusTotal API key
- Click "Save API Key"
The extension will validate your key and store it securely in Chrome's encrypted storage.
Once configured:
- Visit any webpage
- Indicators (IPs, domains, hashes) will be automatically highlighted
- Hover over any indicator to see security information
- Alt+Click to copy an indicator value
- Click the extension icon and toggle highlighting on/off as needed
VirusTotal Add-on/
├── manifest.json # Extension configuration
├── content.js # Indicator detection and highlighting
├── background.js # API communication worker
├── popup.html # Extension popup UI
├── popup.js # Popup logic and controls
├── styles.css # UI styling
├── options.html # Settings page
├── options.js # Settings logic
└── icons/ # Extension icons
- API Key Storage: Encrypted and stored locally using Chrome's sync storage
- XSS Protection: All external data is sanitised before display
- Content Security Policy: Prevents inline script injection
- No Tracking: No analytics or data collection
- Local Caching: API responses stored only in your browser
- See PRIVACY_POLICY.md for complete details
- activeTab: Required to scan webpages for IP addresses
- storage: Required to store API key and cache lookup results
- Host permissions: Required to inject highlighting functionality
VirusTotal's free tier has rate limits (4 requests/minute). This extension is designed to work efficiently within these limits:
- On-Demand Only: Data fetched only when you hover over an indicator (not automatically)
- Caching: Clean results cached for 7 days = 1 API call serves potentially hundreds of views
- Expiration: Malicious/suspicious results cached for 24 hours to stay current
- Persistence: Survives browser restarts - cached data available across sessions
- Errors: Clear messages when rate limits are reached
- Verify your API key is entered in settings
- Check the browser console for errors (F12)
- Ensure you're not on a restricted page (chrome://, etc.)
- Try refreshing the page
- Private IPs (10.x.x.x, 192.168.x.x, etc.) are intentionally filtered
- Common file extensions (jpg, png, etc.) are excluded from domain detection
- Check if highlighting is enabled using the toggle in the popup
- Ensure the indicator format is valid (valid IP, domain, or hash)
MIT License - feel free to modify and distribute
Contributions are welcome! Feel free to:
- Report bugs
- Suggest features
- Submit pull requests
- Improve documentation
If you encounter issues:
- Check the Troubleshooting section above
- Review browser console for error messages
- Verify your VirusTotal API key is valid
- Ensure you're within API rate limits (4 requests/min for free tier)