Community Β· Open Β· Free
Nehboro logo

The browser shield
your grandma deserves

Nehboro is a community-powered browser extension with 97 dynamic heuristic detections, static IOC feeds, and optional Claude AI analysis. It catches ClickFix, phishing, tech support scams, and malware delivery patterns - so you don't have to explain what a "PowerShell window" is at family dinner.

⬇ Install Extension
πŸ”¬ 97 heuristic detections πŸ€– Optional Claude AI πŸ”‡ Silent mode for non-technical users 🌍 6 languages
Three engines working together

Layered protection, transparently

The dynamic heuristic engine is the heart of Nehboro. Static feeds add speed for known-bad infrastructure, and Claude AI provides a final layer of judgement for ambiguous cases.

πŸ”¬

Dynamic Heuristic

97 detections scan every page after load: ClickFix sequences, fake CAPTCHAs, clipboard hijacks, PowerShell delivery, visual brand impersonation, multilingual scam patterns, credit card skimmers, and more. Catches brand-new threats not in any feed yet.

Main engine
⚑

Static IOC Feeds

Focused on known scam and phishing domains, URLs, IPs, and ports - blocked before page load via declarativeNetRequest rules. Chrome caps the number of static rules per extension, so this engine is a supplementary layer.

Supplementary
πŸ€–

Claude AI Analysis

Bring your own Anthropic API key to enable a third engine. On manual scan, page metadata (URL, title, forms, scripts) is sent to Claude for deep threat assessment. Choose from Sonnet, Haiku, or Opus.

Optional
What Nehboro catches

97 detections across 12 categories

Every detection is open source, individually scored, and can be tuned or disabled from the extension popup. Scores combine into a page verdict (warn at 45, block at 79).

How scoring works. Each detection contributes points when it fires. A page accumulates score across detections and combo bonuses. Above 45 shows a warning banner; above 79 blocks the page entirely. Above 110 triggers an automatic community report.
🎯17
ClickFix family
Full Win+R β†’ Ctrl+V β†’ Enter sequences, Win+X terminal variants, macOS Spotlight+Terminal, multilingual pretexts (driver updates, missing fonts, BSOD recovery, mic access, shared files), FileFix via File Explorer address bar, fake Cloudflare/CAPTCHA verification IDs.
🎣20
Phishing & credential theft
Brand impersonation, lookalike domains, typosquats, punycode/IDN homograph attacks, browser-in-the-browser (BitB) fake URL bars, form exfiltration, formjacking, visual phishing, insecure HTTP login forms, DocuSign-style device code phishing.
πŸ†˜13
Tech support scams
Fake Windows Defender alerts, fake error codes with support phone numbers, fake OS UI overlays, browser lock attempts, print/fullscreen/notification loops, data theft scare tactics, IP geolocation intimidation, antivirus dismissal pretexts.
🦠25
Malware patterns
Verified base64 payloads (actual atob decode + signal analysis), obfuscation, dynamic eval, keylogger patterns, credit card skimmers (enhanced payment field detection), crypto wallet address swaps, formjacking, LOLBin commands, PowerShell delivery, suspicious TLDs.
🧠27
Social engineering
Urgency & countdown timers, fake social proof, fake browser updates, fake software downloads, fake meeting prompts, notification permission spam, dialog spam, history API loops preventing back navigation, history/URL creation loops.
πŸ‘οΈ4
Visual analysis
Brand color matching against known brands (Microsoft, Google, Apple, banks), favicon fingerprinting for typosquat detection, logo detection on non-official domains, login form layout analysis.
🌍5
Multilingual coverage
Scam text patterns in English, French, Spanish, Portuguese, German, and Italian. Catches regional ClickFix campaigns ("Copiar soluciΓ³n", "Para provar que nΓ£o Γ© um robΓ΄", "FenΓͺtre du terminal", etc.) that English-only tools miss.
πŸ”—8
Combo bonuses
Extra score for threat combinations: clipboard hijack + instructions, fake CAPTCHA + execution steps, full scam kit signals, visual impersonation + login form, crypto phishing on lookalike domains, PowerShell + clipboard, LOLBin + instructions.
Live threat feeds

Community IOCs, openly browsable

Plain CSV files served from nehboro.github.io/feeds/ with support for wildcards, CIDR ranges, and port ranges.

Supplementary engine. These feeds are focused on confirmed scam and phishing infrastructure. Chrome limits the number of static blocking rules per extension, so the feeds are intentionally curated rather than exhaustive. The dynamic heuristic engine inside Nehboro handles everything else - catching threats the moment they appear, before they ever make it into any feed.
🌐
domains.csv
Scam & phishing domains
...
⬇ Download
πŸ”—
urls.csv
Malicious URL patterns
...
⬇ Download
πŸ–₯️
ips.csv
IPs, CIDR, wildcards
...
⬇ Download
πŸ”Œ
ports.csv
Suspicious ports & ranges
...
⬇ Download
-

Loading...
Feed format reference
FileAcceptsExamples
domains.csvDomains, wildcardsevil.com Β· *.evil.com Β· pay*.net
urls.csvFull URLs, wildcardshttps://evil.com/x.ps1 Β· *://evil.*/gate.php
ips.csvIPs, CIDR, wildcards1.2.3.4 Β· 10.0.0.0/24 Β· 192.168.*.*
ports.csvPorts and ranges4444 Β· 8080-8085 Β· 1337

All files support plain text, CSV, JSON arrays, and hosts-file format. Lines starting with # are comments. Feeds refresh every six hours in the extension.

πŸ”¬ Live now

URL Scanner

Paste any suspicious URL and Nehboro will run its static detections against the page source. Because the scanner has no backend, it only catches threats visible in the raw HTML/JavaScript β€” runtime checks like clipboard hijacks, print loops, or notification spam require the browser extension. Fully client-side, no signup, engine loaded from cdn.jsdelivr.net.

Opens the full scanner at /scan/ with your URL pre-filled.

How it works

Up and running in minutes

Load once, protect continuously. The interface stays simple while the detection logic stays opinionated.

1

Install the extension

Coming soon on the Chrome Web Store. For now, download from GitHub Releases and load unpacked from chrome://extensions.

2

Feeds auto-refresh

The four IOC feeds fetch from nehboro.github.io/feeds/ on install and every six hours. Blocking rules update automatically.

3

Every page gets scored

Content scripts run 97 detections on every page load. Scores above 45 warn, above 79 block, above 110 auto-report. All thresholds are configurable.

4

(Optional) Add Claude AI

Paste your Anthropic API key in the Config tab to enable deep AI analysis. Pick Sonnet, Haiku, or Opus. No data leaves your browser unless you trigger it.

5

πŸ”‡ Enable Silent Mode (grandma-proof)

For non-technical users: toggle silent mode and Nehboro protects invisibly. No banners, no popups, no blocked pages - just a silently-closed tab replaced with a blank one when a threat is caught.

6

Report threats back

Use the Report button on the warning banner or blocked page. Evidence is sent to the Nehboro community reports page where everyone can browse what's been seen in the wild.

# 1. Load unpacked from chrome://extensions
chrome://extensions β†’ Developer mode β†’ Load unpacked β†’ nehboro/
 
# 2. (Optional) Add your Claude API key
Nehboro popup β†’ Config tab β†’ Paste sk-ant-...
 
# 3. Reports are sent to nehboro.github.io/reports/
Default topic: ntfy.sh/nehboro-reports
 
# 4. (Optional) Enable Silent Mode for non-technical users
Config tab β†’ Enable Silent Mode β˜‘