Chrome Extension Supply Chain Attack Turns Trusted Tools Into Malware

A newly uncovered campaign shows how attackers can quietly transform legitimate browser extensions into malware—simply by acquiring them.

As reported by TheHackerNews, security researchers recently discovered that two Google Chrome extensions turned malicious after their ownership changed hands, allowing attackers to inject code, steal sensitive data, and potentially compromise entire systems.

From Helpful Tool to Hidden Threat

The affected extensions include:

  • QuickLens – Search Screen with Google Lens (over 7,000 users)
  • ShotBird – Scrolling Screenshots, Tweet Images & Editor (over 800 users)

Both were originally developed by the same author before being transferred to new owners. Shortly after those transfers, malicious updates were pushed to users through the Chrome Web Store.

QuickLens has since been removed from the store, but ShotBird remained available at the time researchers published their findings.

This type of attack highlights a growing problem in the browser ecosystem: extension supply chain compromise. When attackers purchase or take over existing extensions, they inherit an established user base and the trust that comes with it.

How the Malicious Extensions Worked

Researchers found that QuickLens retained its original functionality but secretly introduced malicious behavior.

The extension stripped security headers from web responses and then contacted a command-and-control (C2) server every five minutes to download JavaScript payloads. Instead of storing the malicious code directly in the extension, it executed it dynamically using a hidden image element.

This design allowed the malicious code to exist only during runtime, making it harder for traditional static analysis tools to detect.
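The fixed five-minute check-in described above is the kind of behaviour that is invisible to static analysis of the extension package but stands out in network telemetry. The following Python script is an added example (not code from the original report or from either extension): it parses a few constructed proxy log lines and flags any client-to-host request series whose inter-request gaps are nearly constant. The log format, host names and thresholds are all assumptions for illustration.

```python
"""Detect fixed-interval beaconing in web-proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample lines in an assumed format: "<utc-timestamp> <client> <method> <url>".
# One host is polled roughly every 300 seconds; the other is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z 10.0.0.5 GET https://example-c2.invalid/payload.js
2024-05-01T09:00:10Z 10.0.0.5 GET https://news.example/index.html
2024-05-01T09:05:01Z 10.0.0.5 GET https://example-c2.invalid/payload.js
2024-05-01T09:07:33Z 10.0.0.5 GET https://news.example/article/1
2024-05-01T09:10:03Z 10.0.0.5 GET https://example-c2.invalid/payload.js
2024-05-01T09:15:02Z 10.0.0.5 GET https://example-c2.invalid/payload.js
2024-05-01T09:20:01Z 10.0.0.5 GET https://example-c2.invalid/payload.js
2024-05-01T09:21:45Z 10.0.0.5 GET https://news.example/article/2
"""


def parse_log(text):
    """Turn proxy lines into (timestamp, client, host) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, client, urlparse(url).hostname))
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Group requests by (client, host) and flag series with near-constant gaps.

    A series needs at least `min_hits` requests, and its gaps must have a
    coefficient of variation (std-dev / mean) at or below `max_cv`; a value of
    0 would mean a perfectly regular timer. Returns {(client, host): stats}.
    """
    series = defaultdict(list)
    for when, client, host in records:
        series[(client, host)].append(when)

    flagged = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[key] = {"count": len(times), "interval_s": round(avg, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: every ~{stats['interval_s']}s, {stats['count']} hits, cv={stats['cv']}")
```

On the constructed log only the host polled every ~300 seconds is reported; the news site, with three irregular visits, is not. In practice the same grouping is worth running over a full day of proxy or DNS logs, since a low-jitter timer is a much stronger signal than any single request.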

ShotBird used a slightly different technique. It downloaded JavaScript that displayed a fake Chrome browser update prompt. If a victim clicked the prompt, they were guided through a “ClickFix”-style workflow that eventually ran a PowerShell command on Windows systems.

The command downloaded a file named googleupdate.exe, which then harvested sensitive information including:

  • Login credentials
  • Payment card details
  • PINs and tokens
  • Government identification numbers

The malware could also extract stored browser data such as passwords, browsing history, and extension details.

Browser Extensions Becoming a Major Security Risk

Security researchers say the attack represents a two-stage compromise: first gaining control within the browser, then pivoting to full host-level execution on the victim’s system.

Once attackers have that foothold, the damage can extend far beyond the browser.

The incident also comes amid a broader surge in malicious extensions. Security teams have recently identified multiple browser add-ons that impersonate AI tools, hijack affiliate links, or harvest chat histories from AI platforms.

Some extensions even redirect users to phishing pages designed to steal cryptocurrency seed phrases.

Users should immediately review their installed browser extensions and remove anything unfamiliar.

Security experts recommend:

  • Uninstalling unused or untrusted extensions
  • Avoiding side-loaded extensions outside official stores
  • Regularly auditing browser permissions
  • Monitoring for unusual browser behavior
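"Regularly auditing browser permissions" can be automated for Chrome by reading each installed extension's manifest.json. The script below is an added example, not code from the original article: it walks a directory laid out like Chrome's Extensions folder (`<id>/<version>/manifest.json`), flags permissions that allow request or response-header modification, script injection, broad host access or a loosened CSP, and flags a non-Web-Store update source (a sign of side-loading). The two manifests it audits are constructed inline; the permission names and the Web Store update URL are real Chrome values, while the extension ids, names and paths are placeholders.

```python
"""Audit Chrome extension manifests for high-risk capabilities (added example)."""
import json
import os
import tempfile

# Update URL used by extensions installed from the Chrome Web Store.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Real Chrome permission names, grouped by what they let an extension do.
HEADER_REWRITE = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess"}
CODE_INJECTION = {"scripting", "tabs", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return a list of findings (strings) for one parsed manifest; empty means nothing flagged."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "/" in p or p == "<all_urls>"}

    if perms & HEADER_REWRITE:
        findings.append("can modify web requests/response headers: " + ", ".join(sorted(perms & HEADER_REWRITE)))
    if perms & CODE_INJECTION:
        findings.append("can inject or drive scripts in pages: " + ", ".join(sorted(perms & CODE_INJECTION)))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))

    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):           # MV3 form: {"extension_pages": "...", ...}
        csp = " ".join(csp.values())
    if "unsafe-eval" in csp:
        findings.append("CSP allows unsafe-eval (runtime code execution)")

    update_url = manifest.get("update_url")
    if update_url and update_url != WEB_STORE_UPDATE_URL:
        findings.append("non-Web-Store update source: " + update_url)
    return findings


def audit_extension_dir(root):
    """Walk <root>/<id>/<version>/manifest.json and map extension id -> audit result."""
    results = {}
    for ext_id in sorted(os.listdir(root)):
        ext_path = os.path.join(root, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8-sig") as fh:   # tolerate a UTF-8 BOM
                manifest = json.load(fh)
            results[ext_id] = {"name": manifest.get("name", "?"), "version": version,
                               "findings": audit_manifest(manifest)}
    return results


def build_sample_dir():
    """Create a temp directory with two constructed extensions (ids and names are placeholders)."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Benign Notes (constructed)", "manifest_version": 3,
                                             "permissions": ["storage"], "update_url": WEB_STORE_UPDATE_URL},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Screenshot Helper (constructed)", "manifest_version": 3,
                                             "permissions": ["declarativeNetRequest", "scripting"],
                                             "host_permissions": ["<all_urls>"],
                                             "update_url": "https://updates.example.invalid/crx"},
    }
    for ext_id, manifest in samples.items():
        folder = os.path.join(root, ext_id, "1.0.0")
        os.makedirs(folder)
        with open(os.path.join(folder, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for ext_id, info in audit_extension_dir(build_sample_dir()).items():
        print(f"{ext_id} {info['name']} v{info['version']}")
        for finding in info["findings"] or ["no high-risk capabilities found"]:
            print("  -", finding)
```

To audit a real profile, pass the profile's Extensions directory to `audit_extension_dir` instead of the sample (on Windows that is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`, on Linux `~/.config/google-chrome/Default/Extensions`). A flagged permission is not proof of malice, since screenshot and search tools legitimately need broad host access; the point is to produce the short list that deserves a closer look, especially after an extension changes owner.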

While browser extensions can enhance productivity, this incident shows how quickly they can become a powerful attack vector when trust is misplaced.

