DEV Community

Michael Harris
Michael Harris

Posted on

Is Waalaxy Safe on LinkedIn? I Read Its Extension's Source Code

Verdict up front: HIGH risk. Waalaxy is a Chrome extension that reads your LinkedIn cookie jar, uploads the session to its own cloud servers, and triggers LinkedIn's hardcoded extension-detection mechanics.

I unpacked Waalaxy's Chrome extension and analyzed the shipped source code. This teardown focuses strictly on the technical architecture and code paths: what leaves your browser, which LinkedIn-facing signals the extension creates, and why "safe daily limits" cannot bypass structural visibility.

What Waalaxy actually is (architecture)

Waalaxy belongs to the category of Type 2 cookie-bridge / session-upload extensions.

This definition is critical. It differentiates the tool from standalone local extensions or standard SaaS platforms. The extension runs inside your browser to extract session authentication data directly from Chrome's cookie store and hands it over to Waalaxy's infrastructure. From that point on, cloud workers can execute actions server-side on your behalf.

In the audited extension bundle, the primary cookie bridge resides in the Dku() function via chrome.cookies.getAll({url:"https://www.linkedin.com"}). The extension extracts session cookies like li_at and JSESSIONID, validates the cloud auth state, and transmits the entire cookie jar to stargate.prod.aws.waalaxy.com.

This is not a local script clicking elements in your active tab, nor is it a traditional SaaS where you log in manually. The browser extension acts as a data pipeline, exporting an active authenticated LinkedIn session to a third-party server.

Where your session goes

The following code block outlines the execution path identified during the audit. While simplified for clarity, it reflects the actual objects and endpoints used in the extension bundle:

async function Dku() {
  const jar = await chrome.cookies.getAll({
    url: "[https://www.linkedin.com](https://www.linkedin.com)"
  });

  const liAt = jar.find((cookie) => cookie.name === "li_at");
  const jsessionId = jar.find((cookie) => cookie.name === "JSESSIONID");

  return upsertCloudData({
    authDataFromExtension: {
      cookie: jar,
      isValid: Boolean(liAt && jsessionId)
    }
  });
}

// upsertCloudData POSTs the session state to:
// [https://stargate.prod.aws.waalaxy.com](https://stargate.prod.aws.waalaxy.com)

Enter fullscreen mode Exit fullscreen mode

The payload boundary reveals the core risk. The li_at cookie represents your active login session. Once compiled and sent to the vendor's servers, the platform can run automated LinkedIn operations from its cloud infrastructure, independent of whether your local browser remains open.

Simultaneously, the extension interacts directly with internal LinkedIn endpoints. The source code contains roughly 80 Voyager signals and 57 GraphQL signals, utilizing the internal Rest.li protocol header:

fetch("[https://www.linkedin.com/voyager/api/](https://www.linkedin.com/voyager/api/)...", {
  headers: {
    "x-restli-protocol-version": "2.0.0"
  },
  credentials: "include"
});

Enter fullscreen mode Exit fullscreen mode

The audit mapped several other active outbound data destinations:

  • otto.prod.aws.waalaxy.com: Handles cloud action-worker orchestration.
  • app.waalaxy.com and *-mystique.herokuapp.com: Wired via an externally_connectable channel supporting over 40 allowed remote origins.
  • api.2captcha.com, api.capsolver.com, and api.solvecaptcha.com: Integrations for automatic CAPTCHA solving.
  • api-js.mixpanel.com, cdn.mxpnl.com, mixpanel.com, and docs.sentry.io: Used for telemetry, analytics, and error tracking.

The extension bundle proves that the cookie jar is uploaded directly to stargate.prod.aws.waalaxy.com. Subsequent cloud-side operations happen outside the client code, making server-side processing a certainty.

What LinkedIn can see (detection surface)

Waalaxy's extension ID (hlkiignknimkfafapmgpbnbnmkajgljh) is included in LinkedIn's hardcoded Active Extension Detection (AED) routine. LinkedIn queries the extension asset path assets/16x16.png. As a result, the tool is visible at the DOM level on every page load, before any automation script triggers or daily caps are reached.

The AED check is just the baseline exposure. Waalaxy injects content scripts at document_end across LinkedIn, deploying 13 separate functional bundles that modify the sidebar, feed-import buttons, sales-import modals, and messaging interfaces. These DOM alterations and chrome-extension:// asset traces leave a permanent client-side fingerprint.

The network layer introduces distinct anomalies. Along with the Voyager and GraphQL automated calls using the x-restli-protocol-version: 2.0.0 header, the extension uses a declarativeNetRequest rule to drop LinkedIn's x-cki telemetry header while referencing the li/track tracking endpoint. Stripping these headers alters standard browser behavior, turning a missing telemetry fingerprint into an automated signature.

The event generation layer leaves similar traces. The audit identified approximately 48 programmatic event signals and clicks marked isTrusted:false. Browsers explicitly flag these synthetic events, making them easily distinguishable from human input. LinkedIn tracks these anomalies cumulatively rather than relying on a single tripwire.

Data flow diagram: how Waalaxy routes your session cookies and triggers LinkedIn detection

The full findings

Waalaxy code audit summary: key signals, data sinks, and extension permissions

The session extraction path remains the most critical point. Waalaxy targets the LinkedIn cookie store to route data to stargate.prod.aws.waalaxy.com. Client code metrics show li_at references 11 times, jsessionid 9 times, chrome_cookies 12 times, and 15 distinct instances of the cookie-getter bridge logic.

Detection mechanics are integrated directly into LinkedIn's defense scripts. The extension ID is explicitly paired with the assets/16x16.png probe file. This allows automated detection on page load, entirely separate from campaign execution metrics or account volume.

Page injection leaves an inspectable trail. The 13 functional modules injected at document_end build the user interface elements but simultaneously expose the active tab to structural scans.

The infrastructure footprint spans multiple layers. While stargate captures session data, otto orchestrates worker actions, and the externally_connectable configuration opens up communication to over 40 Waalaxy and Heroku origins, creating a remote-control surface attached directly to your profile.

Automated request structures deviate from standard browser patterns. The 80 Voyager and 57 GraphQL signals use distinct call sequences, cadences, and header configurations that contrast with organic user behavior.

Finally, telemetry suppression and artificial click events create passive risk. Dropping the x-cki header and generating isTrusted:false clicks provide machine-readable indicators of automation.

What this means for your account

LinkedIn's trust algorithms rely on a cumulative risk-scoring model. The presence of the extension ID, active DOM manipulation, direct endpoint queries, modified headers, and synthetic interactions all add weight to this score. Lowering daily message counts addresses behavioral limits but does not alter the underlying architectural footprint.

The network location risk stems directly from this cloud framework. Since operations execute from Waalaxy's AWS instances, a single account frequently jumps between your local residential connection and data center servers. This dual-location footprint acts as an immediate operational red flag.

User feedback supports these technical realities. A Capterra review from January 2024 notes: "Compte LinkedIn suspendu dû à l'utilisation de Waalaxy." ("LinkedIn account suspended due to using Waalaxy."). These individual events highlight the real-world enforcement patterns of the platform's detection systems.

Every automation framework carries inherent risk, including local alternatives like Linked Helper. Because this audit examines client-side code, backend operations are evaluated based on where the extension sends data. These details describe Waalaxy v1.3.259 as of June 2026.

FAQ

Is Waalaxy safe on LinkedIn?

The static code audit categorizes Waalaxy as HIGH risk. The extension copies your active session cookies and routes them to stargate.prod.aws.waalaxy.com, while its extension ID matches entries on LinkedIn's detection list. This architecture creates a permanent detection surface regardless of account age.

Does LinkedIn detect Waalaxy?

Yes. Waalaxy's specific extension ID (hlkiignknimkfafapmgpbnbnmkajgljh) is queried via a hardcoded asset probe (assets/16x16.png) when LinkedIn pages load, identifying the software before actions are taken.

Can it get my account restricted?

Yes. Account restrictions follow a multi-variable scoring system. LinkedIn evaluates the extension fingerprint, modified browser headers, synthetic clicks, and alternating cloud IP addresses alongside standard transaction volumes.

Does Waalaxy have access to my LinkedIn account?

Yes. By extracting and uploading the li_at cookie to its servers, the architecture enables the backend infrastructure to replicate and control your account state.

Is Waalaxy a Chrome extension or a cloud tool?

It uses a hybrid architecture. The Chrome extension serves as the initial session harvesting mechanism, transferring authentication tokens to a cloud platform where automation sequences execute.


The difference in risk management comes down to software architecture. A standalone desktop application like Linked Helper operates without a Chrome Store ID for scripts to probe, injects no code into the live LinkedIn DOM, and isolates your session cookies locally. This setup forces the platform to see your local residential IP and native browser configuration.

While this drastically reduces the technical detection surface, it does not bypass platform rules entirely. Automation remains a violation of LinkedIn's Terms of Service. Long-term stability still depends on volume control, account maturity, and natural interaction patterns. For continuous operation, combining a dedicated VPS with a local browser instance achieves cloud-like uptime without exposing the underlying authentication state.

Try Linked Helper free for 14 days — no credit card required — safer by design.

Full line-by-line teardown & methodology: https://safe-outreach.com/is-waalaxy-safe

Top comments (0)