Browser extension for instant IOC lookups across 29 threat intelligence platforms.

Select any indicator of compromise on any web page - or highlight an entire paragraph from a threat report - and instantly extract and look up every IOC across multiple platforms. No copy-pasting between tabs.

1. Select any text on any web page
2. A popup appears with detected IOC(s) and relevant lookup services
3. Click any service to open the lookup, or view auto-check results inline

ThreatCheck handles defanged indicators (hxxps://evil[.]com, admin[at]evil[.]com), bare URLs without protocol, and bulk extraction with auto-deduplication from paragraphs.

When you select a URL, ThreatCheck automatically extracts both the full URL and the domain, letting you choose which to investigate.

Domain detection uses the complete IANA TLD list (1,285 TLDs) to avoid false positives.

Most services work as direct links with no configuration needed. For deeper enrichment, you can optionally configure API keys in the extension settings. When configured, results appear directly in the popup without opening external tabs.

• Auto-refanging - hxxps://evil[.]com and admin[at]evil[.]com are automatically converted to real IOCs
• Defang copy - one-click copy in safe format (. to [.], http to hxxp, @ to [at])
• Bulk extraction - select a paragraph, all IOCs are extracted and deduplicated in a checklist
• URL + domain splitting - selecting a URL shows both the full URL and extracted domain as choices
• Expandable context panels - click any score badge to see full details without leaving the page
• Copy list / Copy defanged - bulk panel lets you copy all selected IOCs raw or defanged
• Right-click context menu - "Look up on ThreatCheck" in the right-click menu
• Keyboard shortcut - Alt+T to trigger lookup on selected text
• Welcome page - guided setup on first install

1. Download or clone this repository
2. Open chrome://extensions (or edge://extensions)
3. Enable "Developer mode"
4. Click "Load unpacked"
5. Select the extension folder

publication in progress*

After installation, a welcome page guides you through setup. Most services work immediately with no configuration.

To enable API auto-enrichment:

1. Click the ThreatCheck icon in the toolbar
2. Click "Configure services & API keys"
3. Add your API keys for the services you want

Each service can be individually enabled or disabled.

• No data collection - ThreatCheck does not collect, store, or transmit any data
• No telemetry - no analytics, no tracking, no usage metrics
• No ads - no advertisements of any kind
• API keys stay local - keys are stored in your browser's local extension storage only
• API calls go direct - when you use API features, calls go directly from your browser to the service (VirusTotal, AbuseIPDB, etc.) with no intermediary

The only network requests ThreatCheck makes are the ones you explicitly trigger by selecting an IOC, and only to the services you have enabled.

The extension is built with vanilla JavaScript - no build step, no frameworks, no dependencies.

threatcheck/
  manifest.json       # MV3 extension manifest
  content.js          # IOC detection, popup UI, service registry
  background.js       # Service worker for API calls
  styles.css          # Popup and panel styles
  options.html/js     # Settings page
  popup.html/js       # Toolbar popup
  welcome.html        # Onboarding page
  icons/              # Extension icons

MIT

• GitHub
• Report a bug