Weaponized Chrome Extensions QuickLens and ShotBird Target Thousands Following Malicious Ownership Transfers

QuickLens and ShotBird extensions turned malicious after ownership transfers. Researchers warn of code injection and fake Chrome updates targeting 8,000+ users.

By: AXL Media

Published: Mar 9, 2026, 6:48 AM EDT

Source: The information in this article was sourced from The Hacker News


The Stealthy Evolution of Extension Ownership

Researchers are warning of a predatory trend in which established browser extensions are purchased and subsequently weaponized against their existing user bases. Recent investigations have highlighted QuickLens and ShotBird, two Chrome add-ons originally developed by the same individual, which turned malicious after being transferred to new, anonymous owners. This "ownership transfer" attack vector lets threat actors inherit thousands of trusting users and bypass initial web store security screenings by pushing malicious updates to an already "Featured" or verified product.

QuickLens and the Stripping of Security Headers

QuickLens, a search tool with over 7,000 users, was updated on February 17, 2026, with capabilities that compromise the fundamental security of the browser. The malicious version strips critical security headers, such as X-Frame-Options, from HTTP responses. This effectively neutralizes Content Security Policy protections, enabling injected scripts to make unauthorized requests to external domains. The extension also polls a command-and-control server every five minutes to fetch and execute JavaScript via a hidden 1x1 pixel image, so the malicious payload never appears in the extension's static source files.
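
One way to audit an unpacked extension for the header stripping described above, shown as an added example that is not from the article or from the extension itself. It assumes the headers are removed with Chrome's declarativeNetRequest `modifyHeaders` rules, which the article does not confirm; the function name, header list and sample ruleset are constructed for illustration.

```javascript
// Flag declarativeNetRequest rules that remove or overwrite security response headers.
// Assumption: the extension uses declarativeNetRequest; the article does not name the API.
const SECURITY_HEADERS = new Set([
  "x-frame-options", "content-security-policy", "content-security-policy-report-only",
  "strict-transport-security", "x-content-type-options",
  "cross-origin-opener-policy", "cross-origin-embedder-policy", "cross-origin-resource-policy",
]);

function findHeaderStrippingRules(rules) {
  const findings = [];
  for (const rule of Array.isArray(rules) ? rules : []) {
    const action = rule && rule.action;
    if (!action || action.type !== "modifyHeaders") continue;
    for (const mod of action.responseHeaders || []) {
      const name = String(mod.header || "").toLowerCase(); // header names are case-insensitive
      // "remove" deletes the header; "set" can replace it with a weaker value.
      if (SECURITY_HEADERS.has(name) && (mod.operation === "remove" || mod.operation === "set")) {
        const cond = rule.condition || {};
        findings.push({
          ruleId: rule.id,
          header: name,
          operation: mod.operation,
          scope: cond.urlFilter || cond.regexFilter || "(all URLs)",
        });
      }
    }
  }
  return findings;
}

// Constructed sample ruleset for the demo (not taken from QuickLens).
const sampleRules = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "X-Frame-Options", operation: "remove" },
      { header: "Content-Security-Policy", operation: "remove" } ] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, priority: 1, // request-header change only: not a finding
    action: { type: "modifyHeaders",
      requestHeaders: [{ header: "DNT", operation: "set", value: "1" }] },
    condition: { urlFilter: "||example.com" } },
  { id: 3, priority: 1, action: { type: "block" }, condition: { urlFilter: "ads" } },
];

for (const f of findHeaderStrippingRules(sampleRules)) {
  console.log(`rule ${f.ruleId}: ${f.operation} ${f.header} on ${f.scope}`);
}
```

Run it over each JSON file listed under `declarative_net_request.rule_resources` in the extension's manifest. It does not see rules registered at runtime through `chrome.declarativeNetRequest.updateDynamicRules`, so a clean static ruleset is not proof of a clean extension.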

ShotBird and the ClickFix Execution Pivot

While QuickLens focuses on browser-level manipulation, the ShotBird extension employs a more aggressive "ClickFix" strategy to gain host-level access. Once the extension is active, it serves users a deceptive Google Chrome update prompt. If clicked, the prompt guides the victim through a series of manual commands that culminate in the download and execution of a file named "googleupdate.exe." This pivot from the browser to the Windows operating system allows the malware to hook into input fields and capture sensitive information, including credit card details and government identifiers, directly from the host.
