Ahtapot is a Chrome extension for fast and secure IOC (Indicator of Compromise) analysis with multiple threat intelligence providers. It provides cybersecurity analysts with a convenient way to analyze security indicators directly from their browser.
- Version: 2.4.0
- Tech Stack: React 18 + TypeScript + Vite 5
- Extension Type: Chrome Manifest V3
- License: MIT
- Primary Language: TypeScript with English/Turkish i18n support
Ahtapot enables security analysts to:
- Select any text on a webpage containing IOCs
- Automatically detect various IOC types (IPs, domains, hashes, URLs, etc.)
- Query multiple threat intelligence providers simultaneously
- View consolidated analysis results in a side panel
ahtapot/
├── src/
│ ├── background/ # Service worker (API orchestration)
│ ├── content/ # Content scripts (IOC detection on pages)
│ ├── pages/ # Extension UI pages
│ │ ├── popup/ # Extension popup menu
│ │ ├── sidepanel/ # Main results display panel
│ │ └── options/ # Settings and API key management
│ ├── components/ # React components
│ │ └── results/ # Provider-specific result cards
│ ├── services/ # API integration layer
│ │ ├── base/ # Base service interfaces
│ │ └── tools/ # Provider implementations
│ ├── types/ # TypeScript type definitions
│ ├── utils/ # Utility functions
│ ├── i18n/ # Internationalization (EN/TR)
│ ├── config/ # Configuration files
│ └── manifest.json # Chrome extension manifest
├── public/ # Static assets (icons, logos)
├── dist/ # Build output (gitignored)
└── docs/ # Documentation
Ahtapot follows Chrome Extension Manifest V3 architecture:
-
Background Service Worker (
src/background/service-worker.ts)- Orchestrates API calls to threat intelligence providers
- Manages API keys securely
- Handles message passing between extension components
- Initializes context menus
-
Content Scripts (
src/content/content-script.tsx)- Injected into all web pages
- Displays floating "Analyze" button on text selection
- Detects IOCs in selected text
- Communicates with background worker
-
Side Panel (
src/pages/sidepanel/)- Main UI for displaying analysis results
- Tab-based interface for each provider
- Shows IOC detection results and threat assessments
-
Options Page (
src/pages/options/)- API key management (add/test/save/remove)
- General settings (language, cache retention)
- Live API key validation
-
Popup (
src/pages/popup/)- Quick access menu
- Links to settings and main functionality
File: src/utils/ioc-detector.ts
The extension automatically detects these IOC types:
| IOC Type | Examples | Pattern |
|---|---|---|
| IPv4 | 192.168.1.1 |
Validates 0-255 range |
| IPv6 | 2001:0db8:85a3::8a2e:0370:7334 |
Full/compressed notation |
| Domain | example.com |
Valid TLD required |
| URL | https://example.com/path |
HTTP/HTTPS |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
32 hex chars |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
40 hex chars |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
64 hex chars |
user@example.com |
RFC 5322 compliant | |
| CVE | CVE-2021-44228 |
CVE-YYYY-NNNNN |
| Bitcoin | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa |
Base58/Bech32 |
| Ethereum | 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb |
0x + 40 hex |
Detection Algorithm:
- O(n) complexity with position-based deduplication
- Priority-based pattern matching (more specific patterns first)
- Prevents duplicate detection (e.g., URL containing a domain)
- Smart overlap detection using sorted ranges
Pattern: Strategy Pattern + Service Registry
Base Interface: src/services/base/BaseToolService.ts
All provider services implement IToolService:
interface IToolService {
name: string;
supportedIOCTypes: IOCType[];
isConfigured(): boolean;
supports(iocType: IOCType): boolean;
analyze(ioc: DetectedIOC): Promise<IOCAnalysisResult>;
analyzeBatch?(iocs: DetectedIOC[]): Promise<IOCAnalysisResult[]>;
}Service Registry: src/services/ServiceRegistry.ts
- Centralized management of all provider services
- Lazy initialization (services created only when needed)
- Automatic API key injection
- ARIN service always available (no API key required)
Current Providers (as of v2.4.0):
| Provider | Purpose | Rate Limit | Requires API Key |
|---|---|---|---|
| VirusTotal | Malware & URL scanning | 4 req/min | Yes |
| OTX AlienVault | Threat intelligence | 10,000 req/day | Yes |
| AbuseIPDB | IP reputation | 1,000 req/day | Yes |
| MalwareBazaar | Malware hash database | Unlimited | No |
| ARIN | IP WHOIS | 15 req/min | No |
| Shodan | Device search | 100 results/month | Yes (with confirmation) |
| GreyNoise | Internet noise detection | 50 searches/week | Yes (with confirmation) |
| URLhaus | Malicious URL database | Unlimited | Yes (optional) |
| IBM X-Force | Enterprise threat intel | 5,000 req/month | Yes |
| Pulsedive | IOC enrichment | 250 req/day | Yes |
| Scamalytics | IP fraud detection | 5,000 req/month | Yes |
Note: Providers marked "with confirmation" require user approval before consuming rate-limited quota.
Smart Provider Matching: Each provider only supports certain IOC types. The extension:
- Detects which providers support each IOC type
- Displays support badges in the UI
- Only queries compatible providers
- Shows informative messages when providers don't support an IOC type
See src/utils/providerMappings.ts for provider name mappings.
-
Strict Mode: Enabled (
tsconfig.json)strict: truenoUnusedLocals: truenoUnusedParameters: truenoFallthroughCasesInSwitch: true
-
Path Aliases: Use
@/for absolute importsimport { IOCType } from '@/types/ioc'; import { detectIOCs } from '@/utils/ioc-detector';
-
Type Definitions:
- All types defined in
src/types/ - Each provider has its own type file (e.g.,
virustotal.ts) - Shared types in
ioc.tsandmessages.ts
- All types defined in
-
Service Implementation Pattern:
// All services extend BaseToolService export class NewProviderService extends BaseToolService { get name(): string { return 'ProviderName'; } get supportedIOCTypes(): IOCType[] { return [...]; } async analyze(ioc: DetectedIOC): Promise<IOCAnalysisResult> { if (!this.supports(ioc.type)) { return this.createUnsupportedResult(ioc); } // Implementation } }
-
Component Structure:
- React functional components with TypeScript
- Props interfaces defined inline or in separate types file
- Use React hooks (useState, useEffect, etc.)
- Custom i18n hook:
useTranslation()
-
Message Passing (Chrome Extension):
// All messages follow ExtensionMessage interface interface ExtensionMessage { type: MessageType; payload?: any; } // Send message from content script to background chrome.runtime.sendMessage({ type: MessageType.ANALYZE_IOC, payload: { iocs } });
-
Files:
- React components:
PascalCase.tsx - Services:
PascalCaseService.ts - Utils/helpers:
kebab-case.ts - Types:
lowercase.ts
- React components:
-
Variables/Functions:
camelCasefor variables and functionsPascalCasefor classes and React componentsUPPER_SNAKE_CASEfor constants
-
Enums:
PascalCasefor enum namesSCREAMING_SNAKE_CASEfor enum values
export enum IOCType { IPV4 = 'ipv4', DOMAIN = 'domain', }
-
Branching:
- Feature branches:
claude/feature-description-{sessionId} - Main branch for stable releases
- Feature branches:
-
Commit Messages:
- Follow conventional commits format
- Examples:
feat: add new provider integrationfix: resolve API key validation issuedocs: update README with new featuresrefactor: optimize IOC detection algorithm
-
Versioning (Semantic Versioning):
MAJOR.MINOR.PATCHformat- MAJOR: Breaking changes (e.g., removing a provider)
- MINOR: New features (e.g., adding a provider)
- PATCH: Bug fixes and improvements
- See
docs/VERSIONING.mdfor details
# Install dependencies
npm install
# Development mode (with hot reload)
npm run dev
# Type checking (without build)
npm run type-check
# Production build
npm run build
# Load extension in Chrome
# 1. Open chrome://extensions
# 2. Enable "Developer mode"
# 3. Click "Load unpacked"
# 4. Select the 'dist' folderVite Configuration (vite.config.ts):
- Uses
vite-plugin-web-extensionfor Chrome extension support - Path alias:
@→./src - Multiple entry points:
src/pages/options/index.htmlsrc/pages/sidepanel/index.htmlsrc/pages/popup/index.html
- Build output:
dist/
Step-by-step guide:
-
Create Type Definition (
src/types/newprovider.ts):export interface NewProviderResponse { // Define API response structure }
-
Create Service (
src/services/tools/NewProviderService.ts):import { BaseToolService } from '../base/BaseToolService'; export class NewProviderService extends BaseToolService { get name(): string { return 'NewProvider'; } get supportedIOCTypes(): IOCType[] { return [IOCType.IPV4, IOCType.DOMAIN]; } async analyze(ioc: DetectedIOC): Promise<IOCAnalysisResult> { // Implementation } }
-
Register in ServiceRegistry (
src/services/ServiceRegistry.ts):- Add to
APIProviderenum insrc/types/ioc.ts - Import service class
- Add case in
initializeService()switch statement
- Add to
-
Add Provider Mapping (
src/utils/providerMappings.ts):export const SERVICE_NAME_TO_PROVIDER: Record<string, APIProvider> = { // ... 'NewProvider': APIProvider.NEWPROVIDER, };
-
Create Result Card Component (
src/components/results/NewProviderResultCard.tsx):- Display provider-specific analysis results
- Follow existing card patterns
- Support both light and dark modes
-
Update i18n (
src/i18n/locales/en/and/tr/):- Add translations in
results.json - Include provider name, descriptions, error messages
- Add translations in
-
Update Manifest (
src/manifest.json):- Add host permission if needed:
"host_permissions": [ "https://api.newprovider.com/*" ]
- Add host permission if needed:
-
Test:
- Test API integration
- Verify IOC type support
- Check UI rendering
- Test error handling
Environment Variables (src/utils/devApiKeys.ts):
- Development API keys can be stored for testing
- Only initialized in development mode
- Never committed to repository
Chrome Extension Debugging:
- Background worker:
chrome://extensions→ "Inspect views: service worker" - Side panel: Right-click panel → "Inspect"
- Content script: Regular page DevTools → check console
- Popup: Right-click extension icon → "Inspect popup"
| File | Purpose |
|---|---|
package.json |
Dependencies, scripts, project metadata |
tsconfig.json |
TypeScript compiler configuration |
vite.config.ts |
Build system configuration |
src/manifest.json |
Chrome extension manifest (V3) |
src/i18n/config.ts |
i18n configuration |
| File | Purpose |
|---|---|
src/background/service-worker.ts |
Background orchestration, API calls |
src/content/content-script.tsx |
Page interaction, IOC detection trigger |
src/utils/ioc-detector.ts |
IOC pattern matching and detection |
src/services/ServiceRegistry.ts |
Provider service management |
src/services/api-service.ts |
API orchestration layer |
src/utils/apiKeyStorage.ts |
Secure API key storage |
src/utils/cacheManager.ts |
Result caching system |
| File | Purpose |
|---|---|
src/components/FloatingButton.tsx |
Text selection analyze button |
src/components/ProviderStatusBadges.tsx |
Provider support indicators |
src/components/results/*.tsx |
Provider-specific result cards |
| File | Purpose |
|---|---|
src/types/ioc.ts |
Core IOC and provider types |
src/types/messages.ts |
Chrome message passing types |
src/types/{provider}.ts |
Provider-specific API response types |
When adding features or providers:
-
IOC Detection:
- Test all supported IOC types
- Verify no false positives
- Check overlap handling (e.g., URL containing domain)
-
API Integration:
- Test with valid API keys
- Test with invalid/missing API keys
- Verify error handling
- Check rate limit protection (for Shodan/GreyNoise)
-
UI/UX:
- Test light and dark modes
- Verify responsive design
- Check all provider result cards
- Test i18n (English and Turkish)
-
Cache:
- Verify cache hits/misses
- Test cache expiration
- Check manual cache clearing
-
Cross-browser:
- Chrome (primary target)
- Edge (Chromium-based, should work)
- Other Chromium-based browsers
- Parallel Processing: IOCs are analyzed in parallel across providers
- Lazy Initialization: Services only created when needed
- Efficient Detection: O(n) IOC detection algorithm
- Caching: Configurable result caching (1-30 days)
protected async fetchWithTimeout(url: string, options: RequestInit = {}): Promise<Response> {
const controller = new AbortController();
const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
try {
const response = await fetch(url, {
...options,
signal: controller.signal,
});
clearTimeout(timeoutId);
return response;
} catch (error) {
clearTimeout(timeoutId);
if (error instanceof Error && error.name === 'AbortError') {
throw new Error(`Request timeout after ${this.config.timeout}ms`);
}
throw error;
}
}protected createErrorResult(ioc: DetectedIOC, error: Error | string): IOCAnalysisResult {
return {
ioc,
source: this.name,
status: 'error',
error: error instanceof Error ? error.message : error,
timestamp: Date.now(),
};
}protected determineStatus(malicious: number, suspicious: number, total: number): IOCAnalysisResult['status'] {
if (total === 0) return 'unknown';
if (malicious > 5) return 'malicious';
if (malicious > 0 || suspicious > 0) return 'suspicious';
return 'safe';
}// Sending a message
chrome.runtime.sendMessage({
type: MessageType.ANALYZE_IOC,
payload: { iocs }
}, (response) => {
if (response.success) {
// Handle success
}
});
// Receiving a message
chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
if (message.type === MessageType.ANALYZE_IOC) {
handleAnalyzeIOC(message.payload.iocs)
.then(response => sendResponse({ success: true, ...response }))
.catch(error => sendResponse({ success: false, error: error.message }));
return true; // Required for async response
}
});src/i18n/
├── config.ts # i18next configuration
├── types.ts # i18n type definitions
├── hooks/
│ └── useTranslation.ts # Custom translation hook
└── locales/
├── en/ # English translations
│ ├── common.json
│ ├── ioc.json
│ ├── options.json
│ ├── popup.json
│ ├── results.json
│ ├── sidepanel.json
│ └── errors.json
└── tr/ # Turkish translations
└── (same structure)
import { useTranslation } from '@/i18n/hooks/useTranslation';
function MyComponent() {
const { t } = useTranslation();
return (
<div>
<h1>{t('common.title')}</h1>
<p>{t('results.virustotal.title')}</p>
</div>
);
}- Add key-value pairs to relevant JSON files in both
en/andtr/ - Use dot notation for nested keys:
category.subcategory.key - Keep consistent structure across languages
- Stored using Chrome Storage API (encrypted by Chrome)
- Never transmitted except to authorized provider APIs
- Can be removed at any time by user
- Configurable retention: 1-30 days (default: 7)
- Stored locally only
- Automatic cleanup
- Manual clear option
- User selects text → Content script detects IOCs
- Content script sends IOCs to background via messages
- Background worker makes secure HTTPS API calls
- Results returned to side panel for display
- No data sent to external servers (except provider APIs)
- All API requests use HTTPS only
- Content Security Policy compliant
- No analytics or telemetry
- No third-party tracking
- Open source for transparency
-
Extension not loading:
- Ensure
npm run buildcompleted successfully - Check
dist/folder exists - Verify manifest.json has no errors
- Check Chrome console for errors
- Ensure
-
API calls failing:
- Verify API key is correct
- Check provider rate limits
- Inspect network tab for HTTP errors
- Check background service worker console
-
IOC detection not working:
- Verify IOC format matches patterns
- Check content script is injected (
chrome://extensions→ inspect content script) - Test with known-good IOCs
-
Build errors:
- Clear
node_modulesand reinstall:rm -rf node_modules && npm install - Check TypeScript errors:
npm run type-check - Verify all dependencies are installed
- Clear
- Background Worker Console: Essential for debugging API calls
- React DevTools: Install extension for component debugging
- Chrome Storage Viewer: Check stored API keys and cache
- Network Tab: Monitor all API requests
- Chrome Extension Manifest V3
- React 18 Documentation
- TypeScript Handbook
- Vite Documentation
- i18next Documentation
README.md- User-facing documentationCHANGELOG.md- Version history and release notesdocs/VERSIONING.md- Versioning strategydocs/PRIVACY.md- Privacy policy (EN)docs/PRIVACY_TR.md- Privacy policy (TR)
- VirusTotal API
- OTX AlienVault API
- AbuseIPDB API
- MalwareBazaar API
- ARIN WHOIS
- Shodan API
- GreyNoise API
- URLhaus API
- IBM X-Force API
- Pulsedive API
- Scamalytics API
- Always check existing patterns before implementing new features
- Follow the service architecture when adding providers
- Update all relevant files (types, i18n, manifest, registry)
- Test thoroughly in both light and dark modes
- Update version numbers consistently across:
package.jsonmanifest.jsonREADME.mdversion badgeCHANGELOG.md
- No console.logs in production (except strategic logging)
- Always handle errors gracefully
- Provide informative error messages
- Use TypeScript strictly (no
anytypes unless absolutely necessary) - Write self-documenting code with clear variable names
- Add comments for complex logic
- Run
npm run type-checkto verify TypeScript - Run
npm run buildto ensure build succeeds - Test extension in Chrome
- Update CHANGELOG.md if adding features
- Verify all i18n keys are translated
- Check that version numbers are synchronized
- Service Registry: Single source of truth for all providers
- BaseToolService: Common functionality inherited by all services
- Provider Mappings: Centralized name-to-enum conversions
- Message Types: Unified message passing interface
The codebase is designed for easy extension:
- Adding providers: Follow the documented pattern
- Adding IOC types: Update enum and detection patterns
- Adding UI themes: CSS variables support customization
- Adding languages: Add locale folder and translations
Keep these areas maintainable:
- Type safety: Maintain strict TypeScript usage
- API compatibility: Monitor provider API changes
- Performance: Watch for cache size growth
- Security: Keep dependencies updated
- v2.4.0 (2025-11-13): Added URLhaus, X-Force, Pulsedive, Scamalytics
- v2.3.2 (2025-10-25): Enhanced UX with loading animations
- v2.3.1 (2025-10-25): Added Chrome Web Store rating button
- v2.3.0 (2025-10-21): Added GreyNoise with rate limit protection
- v2.2.0 (2025-10-19): Added Shodan and ARIN WHOIS
- v2.1.0 (2025-10-15): Added AbuseIPDB and MalwareBazaar
- v2.0.0 (2025-10-10): Major rewrite with OTX, i18n, enhanced UI
- v1.0.0 (2025-10-01): Initial release with VirusTotal
Last Updated: 2025-11-13 (v2.4.0)
This document should be updated whenever significant architectural changes are made to the codebase.