Ethical Hacking News
Google Chrome Extensions Turn Malicious After Ownership Transfer
A recent case highlights the importance of monitoring browser extensions for malicious activity, as two popular extensions have turned malicious after a change in ownership.
Two Google Chrome extensions, QuickLens and ShotBird, have turned malicious after a change in ownership. The malicious update allows for code injection and data theft, demonstrating the ever-evolving nature of cyber threats. A researcher found that the malicious update introduced capacities to bypass Content Security Policy (CSP) protections and fingerprint users' countries and devices. The extensions contain code to poll an external server every five minutes to receive JavaScript stored in local storage, which is executed on every page load. Users who have installed the malicious extensions are advised to remove them with immediate effect.
The security world has been left reeling in recent days as two Google Chrome extensions, QuickLens and ShotBird, have turned malicious after a change in ownership. The extension's malicious update allows for code injection and data theft, demonstrating the ever-evolving nature of cyber threats.
According to research published by monxresearch-sec, the browser add-on received a "Featured" flag in January 2025, before it was passed on to a different developer ("loraprice198865@gmail.com") sometime last month. Similarly, QuickLens was listed for sale on ExtensionHub on October 11, 2025, by "akshayanuonline@gmail.com" merely two days after its publication.
However, the malicious update pushed to QuickLens on February 17, 2026, changed everything. The extension kept its original functionality but gained the capability to strip security headers (e.g., X-Frame-Options) from every HTTP response, allowing malicious scripts injected into a web page to make arbitrary requests to other domains and bypass Content Security Policy (CSP) protections.
In addition, the extension contained code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. That JavaScript is stored in the browser's local storage and executed on every page load by adding a hidden 1×1 GIF element and setting the JavaScript string as its "onload" attribute. This, in turn, causes the malicious code to be executed once the image is loaded.
"The actual malicious code never appears in the extension's source files," John Tuckner explained. "Static analysis shows a function that creates image elements. That's it. The payloads are delivered from the C2 and stored in local storage -- they only exist at runtime."
A similar analysis of the ShotBird extension by monxresearch-sec has uncovered the use of direct callbacks to deliver JavaScript code instead of creating a 1x1 pixel image to trigger the execution. The JavaScript is engineered to display a bogus Google Chrome browser update prompt; users who click it are served a ClickFix-style page instructing them to open the Windows Run dialog, launch "cmd.exe," and paste a PowerShell command, resulting in the download of an executable named "googleupdate.exe" on Windows hosts.
The extension makes use of the chrome_settings_overrides API to alter Chrome settings, setting the browser home page to omnibar[.]ai and the default search provider to a custom URL, "go.omnibar[.]ai/?api=omni&sub1=omnibar.ai&q={searchTerms}", which tracks queries via an API parameter.
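For defenders auditing an unpacked extension, the behaviours described above (header stripping, a five-minute polling timer, a payload kept only in local storage and run through an image "onload" attribute, and chrome_settings_overrides) can be flagged with static checks. The following is an added example written for this article, not code from the researchers or from either extension; the fixture files and the `.invalid` hostname are constructed and the check patterns are assumptions, not signatures taken from the real samples.

```python
import json
import re

# Indicators drawn from the article: security-header removal, a localStorage-fed
# <img onload=...> executor, a five-minute poll, and homepage/search overrides.
HEADER_STRIP = re.compile(r"(x-frame-options|content-security-policy)", re.I)
HEADER_API = re.compile(r'(responseHeaders|modifyHeaders|"operation"\s*:\s*"remove")')
IMG_ONLOAD = re.compile(r"createElement\(\s*['\"]img['\"]\s*\)[\s\S]{0,300}?onload", re.I)
STORAGE_EXEC = re.compile(r"localStorage\.(getItem|setItem)")
FIVE_MIN = re.compile(r"setInterval\([\s\S]{0,200}?(300000|5\s*\*\s*60\s*\*\s*1000)")


def audit_extension(files):
    """files: mapping of path -> text for an unpacked extension. Returns finding strings."""
    findings = []
    manifest = json.loads(files.get("manifest.json", "{}"))
    overrides = manifest.get("chrome_settings_overrides", {})
    if "homepage" in overrides or "search_provider" in overrides:
        findings.append("manifest: chrome_settings_overrides changes homepage/search provider")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if {"webRequest", "declarativeNetRequest"} & perms and "<all_urls>" in perms:
        findings.append("manifest: header-modifying API combined with <all_urls> access")
    for path, text in files.items():
        if not path.endswith((".js", ".json")):
            continue  # only scripts and rule files carry the patterns we check
        if HEADER_STRIP.search(text) and HEADER_API.search(text):
            findings.append(f"{path}: security header named next to a header-removal API")
        if IMG_ONLOAD.search(text) and STORAGE_EXEC.search(text):
            findings.append(f"{path}: img onload fed from localStorage (runtime-only payload)")
        if FIVE_MIN.search(text):
            findings.append(f"{path}: five-minute polling timer")
    return findings


# Constructed fixture mirroring the described behaviour; not real extension code.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "permissions": ["declarativeNetRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "chrome_settings_overrides": {"homepage": "https://homepage.example.invalid/"},
    }),
    "rules.json": '[{"action":{"type":"modifyHeaders","responseHeaders":'
                  '[{"header":"x-frame-options","operation":"remove"}]}}]',
    "content.js": "setInterval(poll, 5 * 60 * 1000);\n"
                  "const img = document.createElement('img');\n"
                  "img.setAttribute('onload', localStorage.getItem('payload'));\n",
}
```

Run `audit_extension` over the files of an unpacked extension directory; a clean extension such as `{"manifest.json": "{}"}` yields no findings, while the fixture above yields five.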
It is imperative for Chrome users to be aware of this threat. The extensions in question, both originally associated with a developer named "akshayanuonline@gmail.com" (BuildMelon), are listed below -
QuickLens - Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) - 7,000 users
ShotBird - Scrolling Screenshots, Tweet Images & Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) - 800 users
Users who have installed any of the aforementioned extensions are advised to remove them from their browsers with immediate effect. Avoid side-loading or installing unverified productivity extensions, and audit your browsers for any unknown extensions and uninstall them.
Cybersecurity is an ever-evolving field that requires constant vigilance. Staying informed about emerging threats like these is crucial in protecting personal data and maintaining online security. It's time to be proactive about our digital well-being.
Related Information:
https://www.ethicalhackingnews.com/articles/Google-Chrome-Extensions-Turn-Malicious-After-Ownership-Transfer-ehn.shtml
Published: Mon Mar 9 05:55:22 2026 by llama3.2 3B Q4_K_M