Malicious Ownership Transfer of Chrome Extensions Enables Code Injection and Data Theft


Two Google Chrome extensions were turned malicious after changing owners: the new owners shipped updates that distribute malware, inject arbitrary JavaScript into web pages, and harvest sensitive user data. The extensions, originally developed by an individual using the email “akshayanuonline@gmail.com,” are QuickLens and ShotBird.

Overview of Compromised Extensions

The affected extensions are:

  • QuickLens – Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) – 7,000 users
  • ShotBird – Scrolling Screenshots, Tweet Images & Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) – 800 users

QuickLens has been removed from the Chrome Web Store, while ShotBird was still listed at the time of the report. ShotBird was initially launched in November 2024, with its developer claiming that the extension was designed for creating professional visuals and that all processing occurred locally.

Recent research indicates that ShotBird received a “Featured” flag in January 2025 before being transferred to another developer, identified as “loraprice198865@gmail.com,” in early 2026. QuickLens was listed for sale on ExtensionHub shortly after its release, with ownership changing to “support@doodlebuggle.top” in February 2026.

Malicious Updates and Their Implications

On February 17, 2026, a malicious update was pushed to QuickLens. It kept the original functionality and added the ability to strip security headers from HTTP responses. With headers such as Content-Security-Policy removed, the page's own policy no longer restricts which scripts may run or which origins they may contact, so the injected code can execute and send requests to attacker-controlled domains that the site would otherwise have blocked.
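The header-stripping step is something a reviewer can look for in an extension's packaged files. In a Manifest V3 extension, response headers are rewritten through declarativeNetRequest rules of type modifyHeaders (the JSON files listed under declarative_net_request.rule_resources in manifest.json). The following is an added example written for this page, not code from the article or from either extension: it scans such a ruleset for rules that remove or overwrite a protective header, or loosen CORS, and reports whether the rule applies to every URL. The header lists, the function names and the rules in SAMPLE_RULES are this editor's constructions for the demonstration; the example.invalid hostnames are placeholders.

```javascript
// Added example: audit a Manifest V3 declarativeNetRequest ruleset for header rewrites that
// disable browser-side protections. Not the extensions' own code; sample rules are constructed.

// Headers whose removal or overwrite weakens the page's own defences.
const PROTECTIVE_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
  "cross-origin-resource-policy",
]);

// Headers that, when set or appended by an extension, open a site to cross-origin callers.
const CORS_HEADERS = new Set([
  "access-control-allow-origin",
  "access-control-allow-credentials",
  "access-control-allow-headers",
  "access-control-allow-methods",
]);

// True when the rule's condition matches every URL: no urlFilter (or the "*" catch-all),
// no regexFilter and no requestDomains restriction.
function matchesAllUrls(condition) {
  if (!condition) return true;
  const noFilter = condition.urlFilter === undefined || condition.urlFilter === "*";
  const noRegex = condition.regexFilter === undefined;
  const noDomains = !condition.requestDomains || condition.requestDomains.length === 0;
  return noFilter && noRegex && noDomains;
}

// Walk every modifyHeaders rule and flag response-header edits that weaken protection.
// Appending to Content-Security-Policy is not flagged: multiple CSPs only intersect.
function findHeaderWeakeningRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const header = String(h.header || "").toLowerCase();
      const op = h.operation;
      let kind = null;
      if (PROTECTIVE_HEADERS.has(header) && (op === "remove" || op === "set")) {
        kind = "strips-protection";            // dropping or replacing CSP, XFO, HSTS, ...
      } else if (CORS_HEADERS.has(header) && (op === "set" || op === "append")) {
        kind = "loosens-cors";                 // e.g. Access-Control-Allow-Origin: *
      }
      if (!kind) continue;
      findings.push({
        ruleId: rule.id,
        header,
        operation: op,
        kind,
        allUrls: matchesAllUrls(rule.condition),
        resourceTypes: (rule.condition && rule.condition.resourceTypes) || ["(any)"],
      });
    }
  }
  return findings;
}

// Constructed sample ruleset (not taken from either extension): rule 1 strips CSP on every
// frame, rule 2 is a benign cache tweak, rule 3 opens CORS for XHR, rule 4 tightens CSP.
const SAMPLE_RULES = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "Cache-Control", operation: "remove" }] },
    condition: { urlFilter: "||cdn.example.invalid/", resourceTypes: ["script"] } },
  { id: 3, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "Access-Control-Allow-Origin", operation: "set", value: "*" }] },
    condition: { resourceTypes: ["xmlhttprequest"] } },
  { id: 4, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "Content-Security-Policy", operation: "append",
                                  value: "frame-ancestors 'none'" }] },
    condition: { urlFilter: "||intranet.example.invalid/", resourceTypes: ["main_frame"] } },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findHeaderWeakeningRules(SAMPLE_RULES)) {
    console.log(`rule ${f.ruleId}: ${f.operation} ${f.header} (${f.kind})` +
                (f.allUrls ? " on ALL URLs" : "") + ` for ${f.resourceTypes.join(",")}`);
  }
}
```

To use it on a real extension, unpack the CRX (or copy the installed version directory from the Chrome profile), parse each rules file named in manifest.json, and pass the array to findHeaderWeakeningRules. A Manifest V2 extension can do the same thing in code instead, by filtering responseHeaders in a blocking webRequest.onHeadersReceived listener, so for MV2 packages grep the background script for that listener as well.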

The extension also fingerprinted the user's location, browser and operating system, and polled an external server every five minutes for JavaScript. The returned script was cached in the browser's local storage and run on page load through a hidden 1×1 GIF element; an image element whose event handler executes the stored code is a long-standing way to launch a script without a visible script tag.

The malicious code does not appear in the extension’s source files. Instead, it relies on runtime delivery from a command-and-control (C2) server, as explained by Annex Security’s John Tuckner.

A similar analysis of ShotBird found that it used direct callbacks to the C2 to deliver its JavaScript, which displayed a fake Google Chrome update prompt. Clicking the prompt led to a page that instructed the user to open the Windows Run dialog and paste a PowerShell command; that command downloaded an executable named “googleupdate.exe.” This is the ClickFix technique: the web page cannot open Run itself, so the victim is talked into doing it.

Data Theft Mechanisms

The malware delivered through these extensions hooks <input>, <textarea> and <select> elements on visited pages to capture what the user types or chooses, including credentials, PINs and card details. It can also pull data stored by Chrome itself, such as saved passwords and browsing history.

This two-stage abuse chain involves remote browser control through the extension and host-level execution via fake updates, significantly increasing the risk of credential theft and broader endpoint compromise.

Threat Actor Assessment

The same threat actor is believed to be behind both extensions, given the identical C2 architecture and the shared use of ClickFix lures. Ownership transfer is the infection vector here: users who installed a benign extension received the malicious code through an ordinary update, which makes changes of ownership a weak point in the extension supply chain.

The original developer has published several other extensions on the Chrome Web Store, all of which have received a Featured badge. The developer has also attempted to sell domains related to the rapidly growing AI ecosystem.

Broader Context of Malicious Extensions

The disclosure of these compromised extensions coincides with warnings from Microsoft regarding malicious Chromium-based browser extensions that masquerade as legitimate tools to harvest user data. The Microsoft Defender Security Research Team noted that such activities transform trusted productivity extensions into persistent data collection mechanisms, posing significant risks in corporate environments.

In recent weeks, additional malicious extensions have been identified, including one named lmToken Chromophore, which impersonates a legitimate tool while stealing cryptocurrency seed phrases through phishing redirects. Other flagged extensions have engaged in affiliate hijacking and data exfiltration, with some serving as remote access trojans.

Unit 42 researchers have also reported the return of previously removed extensions that scrape conversations from AI chatbots; those extensions have since been updated to benign versions, likely in response to public disclosure.

Recommendations for Users

Users who have either extension installed should remove it immediately. Because the injected code hooks form fields, any credentials, PINs or card details entered while it was installed should be treated as exposed and rotated. Anyone who followed the fake Chrome update prompt and ran the PowerShell command should treat the machine, not just the browser, as compromised, since that stage ran outside the extension sandbox. More generally, avoid installing unverified productivity extensions, audit browsers periodically for extensions you do not recognise, and bear in mind that a listing still being live in the Chrome Web Store (as ShotBird's was at the time of the report) is not evidence that it is safe.

For further details, refer to the original reporting on this issue at thehackernews.com.
