Security Researchers Warn of Chrome Extensions Turning Malicious After Ownership Transfers
Cybersecurity researchers have uncovered a troubling trend involving Google Chrome extensions that became malicious after changing ownership. These compromised extensions allowed attackers to inject harmful code into users’ browsers, steal sensitive information, and distribute malware.
Two extensions that were previously legitimate have been identified in this campaign:
- QuickLens – Search Screen with Google Lens (about 7,000 users)
- ShotBird – Scrolling Screenshots, Tweet Images & Editor (around 800 users)
Both extensions were originally created by a developer linked to the email [email protected]. However, after the ownership changed hands, the extensions were updated with hidden malicious functionality.
QuickLens has since been removed from the Chrome Web Store, while ShotBird was still available at the time researchers reported the issue.
Malicious Updates Introduced Hidden Code Execution
Security researchers discovered that a malicious update was pushed to QuickLens in February 2026. The update preserved the extension’s normal features to avoid suspicion but secretly introduced code capable of bypassing important browser security protections.
The extension manipulated HTTP responses by removing security headers such as X-Frame-Options, allowing injected scripts to interact with other websites and bypass Content Security Policy protections.
In addition, the extension collected information about the user’s system, including:
- Geographic location
- Browser type
- Operating system
The compromised extension also contacted an external command-and-control server every five minutes. This server delivered JavaScript payloads that were stored locally in the browser and executed whenever users visited a web page.
Researchers explained that the malicious payload was not present in the extension’s original source code. Instead, it was delivered dynamically from remote servers, making detection much harder.

Fake Chrome Update Used to Install Malware
A similar analysis of the ShotBird extension revealed another dangerous tactic.
Instead of embedding malicious scripts directly, the extension triggered remote JavaScript code that displayed a fake Google Chrome update notification. When users clicked the update prompt, they were redirected to a malicious page designed to trick them into running commands on their own computer.
The attack instructed victims to open the Windows Run dialog, launch the command prompt, and paste a PowerShell command. Doing so downloaded a file named googleupdate.exe, which contained malware.
Once installed, the malware monitored user activity inside web pages. It targeted input fields and forms to capture sensitive data such as:
- Login credentials
- PIN numbers
- Credit card information
- Security tokens
- Government identification numbers
The malware could also collect stored browser data including saved passwords, browsing history, and extension data.
Researchers say the attack chain effectively moved from browser compromise to full system-level access, significantly increasing the potential impact.
Evidence Suggests a Single Threat Actor
Investigators believe the same threat actor is responsible for compromising both extensions. The campaigns shared identical command-and-control patterns and used similar techniques, including malicious updates delivered after the extension ownership changed.
This tactic highlights a growing supply-chain risk in browser extensions. A trusted extension that has already been approved and installed by thousands of users can become dangerous if ownership is transferred and malicious updates are released.

Growing Threat From Malicious Browser Extensions
Security experts say this case reflects a broader issue within browser extension ecosystems.
Microsoft recently warned about malicious extensions that pretend to offer AI assistant capabilities but secretly collect user data and chat histories from large language model platforms.
In another case, researchers discovered a Chrome extension disguised as a simple color visualization tool. Instead of performing the advertised function, the extension redirected users to phishing pages designed to steal cryptocurrency wallet recovery phrases.
Other malicious extensions identified by security researchers have been involved in:
- Browser hijacking
- Affiliate link manipulation
- Data exfiltration
- Remote access trojan deployment
Some extensions even altered browser settings to redirect search traffic through attacker-controlled domains in order to generate fraudulent advertising revenue.
Popular Extensions Also Linked to Data Collection Risks
Investigators have also flagged previously popular extensions that were temporarily removed for scraping conversations from AI chat platforms such as:
- ChatGPT
- Claude
- Google Gemini
- Microsoft Copilot
- Meta AI
- Grok
Although some of these extensions later returned to the Chrome Web Store with updated versions, the incident highlights the risks associated with granting browser extensions extensive permissions.
Security Advice for Chrome Users
Experts recommend that users regularly review their installed browser extensions and remove anything they do not recognize or no longer use.
Additional security steps include:
- Avoid installing unknown productivity or AI-related extensions
- Only download extensions from trusted developers
- Regularly audit browser permissions
- Remove extensions that request excessive access
Organizations are also advised to implement stricter browser security policies to limit the risk posed by malicious or compromised extensions.
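For teams auditing extensions as the advice above suggests, the following added example (not code from the researchers' report or from either extension) checks a Chrome extension's manifest and declarativeNetRequest ruleset for the capabilities this article describes: broad host access, permissions that allow network traffic to be modified, and rules that remove or override security response headers such as X-Frame-Options or Content-Security-Policy. It goes slightly beyond the article by also flagging CSP-Report-Only and Cross-Origin-Opener-Policy; the manifest and rules are constructed samples.

```python
import json

# Constructed sample manifest and ruleset for illustration only; they are not
# taken from QuickLens, ShotBird, or any real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Screenshot Helper",
    "permissions": ["storage", "alarms", "declarativeNetRequest", "scripting"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [{"id": "rules", "path": "rules.json"}]},
})
SAMPLE_RULES = json.dumps([
    {"id": 1, "action": {"type": "modifyHeaders", "responseHeaders": [
        {"header": "x-frame-options", "operation": "remove"},
        {"header": "content-security-policy", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
])

# Response headers whose removal or override weakens page isolation.
SECURITY_HEADERS = {"x-frame-options", "content-security-policy",
                    "content-security-policy-report-only", "cross-origin-opener-policy"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension rewrite requests or responses.
NETWORK_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                 "webRequest", "webRequestBlocking"}


def audit_extension(manifest_json, rulesets):
    """Return human-readable findings for a manifest and its DNR rulesets (path -> JSON text)."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    findings = []
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if perms & NETWORK_PERMS:
        findings.append("can modify network traffic: " + ", ".join(sorted(perms & NETWORK_PERMS)))
    for res in m.get("declarative_net_request", {}).get("rule_resources", []):
        for rule in json.loads(rulesets.get(res["path"], "[]")):
            action = rule.get("action", {})
            if action.get("type") != "modifyHeaders":
                continue
            for h in action.get("responseHeaders", []):
                if h.get("header", "").lower() in SECURITY_HEADERS and h.get("operation") in ("remove", "set"):
                    findings.append(f"rule {rule.get('id')} in {res['path']} strips/overrides response header {h['header']}")
    return findings
```

A static pass like this will not catch a payload fetched at runtime from a command-and-control server, as in the QuickLens case, so pair it with a review of what the extension's background script fetches and stores.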