Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, giving attackers a way to push malware to downstream users, inject arbitrary code, and harvest sensitive data.
The extensions in question, both originally associated with a developer named "akshayanuonline@gmail.com" (BuildMelon), are listed below –
- QuickLens – Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) – 7,000 users
- ShotBird – Scrolling Screenshots, Tweet Images & Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) – 800 users
While QuickLens is no longer available for download from the Chrome Web Store, ShotBird remains available as of writing. ShotBird was originally released in November 2024, with its developer, Akshay Anu S (@AkshayAnuOnline), claiming on X that the extension is suitable for "creating professional, studio-like visuals," and that all processing happens locally.
According to research published by monxresearch-sec, the browser add-on received a "Featured" flag in January 2025, before it was handed over to a different developer ("loraprice198865@gmail.com") sometime last month.
In a similar vein, QuickLens was listed for sale on ExtensionHub on October 11, 2025, by "akshayanuonline@gmail.com" merely two days after it was published, Annex Security's John Tuckner said. On February 1, 2026, the extension's owner changed to "support@doodlebuggle.top" on the Chrome Web Store listing page.
The malicious update released to QuickLens on February 17, 2026, retained the original functionality but introduced capabilities to strip security headers (e.g., X-Frame-Options) from every HTTP response, allowing malicious scripts injected into a web page to make arbitrary requests to other domains, bypassing Content Security Policy (CSP) protections.
In addition, the extension contained code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to download JavaScript, which is stored in the browser's local storage and executed on every page load by adding a hidden 1×1 GIF element and setting the JavaScript string as its "onload" attribute. This, in turn, causes the malicious code to be executed once the image is loaded.
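The loader behaviour described above (timer-based polling, JavaScript cached in extension storage, execution through an inline onload handler on a created image) and the header-stripping rule leave traces that can be looked for statically when triaging an unpacked extension. The following Python script is an added example written for this page, not code from Annex Security, monxresearch-sec or either extension; the indicator patterns, the triage labels, the sample source lines and the rule line are all constructed for illustration.

```python
import re

# Static triage heuristics for an unpacked extension's JavaScript and
# declarativeNetRequest rule files. They mirror the behaviours the article
# describes: removing security response headers, polling an external server
# on a timer, caching fetched JavaScript in extension storage, and running
# it through an inline "onload" handler on a created <img>.
# Patterns, labels and sample lines are constructed for this example.
SECURITY_HEADER = re.compile(r"x-frame-options|content-security-policy", re.I)
REMOVE_OP = re.compile(r'"operation"\s*:\s*"remove"', re.I)

INDICATORS = {
    "periodic_polling": re.compile(r"chrome\.alarms\.create|setInterval\s*\("),
    "caches_fetched_script": re.compile(r"chrome\.storage\.local\.set"),
    "creates_img_element": re.compile(r"""createElement\(\s*['"]img['"]\s*\)"""),
    "inline_onload_handler": re.compile(r"""setAttribute\(\s*['"]onload['"]"""),
}

# All three together form the loader chain from the article; any one alone
# is common in benign extensions and only merits a closer look.
LOADER_CHAIN = {"periodic_polling", "caches_fetched_script", "inline_onload_handler"}


def find_indicators(lines):
    """Return {indicator_name: [(line_number, line)]} for a list of source lines."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append((number, line.strip()))
        # Header removal only counts when a security header name and the
        # "remove" operation appear on the same rule line.
        if SECURITY_HEADER.search(line) and REMOVE_OP.search(line):
            hits.setdefault("strips_security_header", []).append((number, line.strip()))
    return hits


def verdict(hits):
    """Collapse indicator hits into a single triage label."""
    names = set(hits)
    if LOADER_CHAIN <= names:
        return "remote-code-loader"
    if "strips_security_header" in names:
        return "weakens-page-security"
    if names:
        return "review"
    return "clean"


def triage(lines):
    """Convenience wrapper: (label, hits) for one file's lines."""
    hits = find_indicators(lines)
    return verdict(hits), hits


# Constructed sample lines resembling the loader behaviour described above.
SUSPICIOUS_SAMPLE = [
    'chrome.alarms.create("sync", { periodInMinutes: 5 });',
    'chrome.storage.local.set({ js: body });',
    'const img = document.createElement("img");',
    'img.setAttribute("onload", js);',
]

# Constructed declarativeNetRequest rule line that removes a security header.
RULE_SAMPLE = [
    '{"header": "X-Frame-Options", "operation": "remove"}',
]

# Constructed benign sample: a screenshot feature drawing to a canvas and
# persisting a user preference.
BENIGN_SAMPLE = [
    'const canvas = document.createElement("canvas");',
    'chrome.storage.local.set({ theme: "dark" });',
]

if __name__ == "__main__":
    samples = [("suspicious", SUSPICIOUS_SAMPLE), ("rules", RULE_SAMPLE), ("benign", BENIGN_SAMPLE)]
    for label, sample in samples:
        result, hits = triage(sample)
        print(f"{label}: {result}")
        for name, matches in hits.items():
            for number, line in matches:
                print(f"  {name} (line {number}): {line}")
```

Run on its own the script prints a label and the matching lines for each constructed sample; in practice you would feed it the lines of every .js file and every rules .json file in the unpacked extension directory. The benign sample still comes back as "review" because storing settings in chrome.storage.local is ordinary, which is why only the complete chain yields the loader label and a single hit is treated as a prompt for manual review rather than a verdict.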

"The actual malicious code never appears in the extension's source files," Tuckner explained. "Static analysis shows a function that creates image elements. That's it. The payloads are delivered from the C2 and stored in local storage — they only exist at runtime."
A similar analysis of the ShotBird extension by monxresearch-sec has uncovered the use of direct callbacks to deliver JavaScript code instead of creating a 1×1 pixel image to trigger the execution. The JavaScript is engineered to display a bogus Google Chrome browser update prompt, clicking which users are served a ClickFix-style page to open the Windows Run dialog, launch "cmd.exe," and paste a PowerShell command, resulting in the download of an executable named "googleupdate.exe" on Windows hosts.

The malware then proceeds to hook input, textarea, and select HTML elements, and capture any data entered by the victim. This could include credentials, PINs, card details, tokens, and government identifiers. It's also equipped to siphon data stored in the Chrome web browser, such as passwords, browsing history, and extension-related information.
"This is a two-stage abuse chain: extension-side remote browser control plus host-level execution pivot via fake updates," the researcher said. "The result is high-risk data exposure in-browser and confirmed host-side script execution on at least one affected system. In practical terms, this elevates the impact from browser-only abuse to likely credential theft and broader endpoint compromise."
It's assessed that the same threat actor is behind the compromise of the two extensions and is operating them in parallel, given the use of an identical command-and-control (C2) architecture pattern, ClickFix lures injected into the browsing context, and ownership transfer as an infection vector.

Interestingly, the original extension developer has published several other extensions under their name on the Chrome Web Store, and all of them have received a Featured badge. The developer also has an account on ExtensionHub, although no extensions are currently listed for sale. What's more, the individual has attempted to sell domains like "AIInfraStack[.]com" for $2,500, stating the "strong keyword domain" is "relevant for [sic] rapidly growing AI ecosystem."
"This is the extension supply chain problem in a nutshell," Annex Security said. "A 'Featured,' reviewed, functional extension changes hands, and the new owner pushes a weaponized update to every existing user."
The disclosure comes as Microsoft warned of malicious Chromium-based browser extensions that masquerade as legitimate AI assistant tools to harvest LLM chat histories and browsing data.
"At scale, this activity turns a seemingly trusted productivity extension into a persistent data collection mechanism embedded in everyday enterprise browser usage, highlighting the growing risk browser extensions pose in corporate environments," the Microsoft Defender Security Research Team said.
In recent weeks, threat hunters have also flagged a malicious Chrome extension named lmΤoken Chromophore (ID: bbhaganppipihlhjgaaeeeefbaoihcgi) that impersonates imToken while advertising itself as a hex color visualizer in the Chrome Web Store to steal cryptocurrency seed phrases using phishing redirects.
"Instead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it's installed, and again whenever the user clicks it," Socket researcher Kirill Boychenko said.
"On install, the extension fetches a destination URL from a hardcoded JSONKeeper endpoint (jsonkeeper[.]com/b/KUWNE) and opens a tab pointing to a lookalike Chrome Web Store-style domain, chroomewedbstorre-detail-extension[.]com. The landing page impersonates imToken using mixed-script homoglyphs and funnels victims into credential-capture flows that request either a 12 or 24-word seed phrase or a private key."
Other malicious extensions flagged by Palo Alto Networks Unit 42 have been found to engage in affiliate hijacking and data exfiltration, with one of them – Chrome MCP Server – AI Browser Control (ID: fpeabamapgecnidibdmjoepaiehokgda) – serving as a full-fledged remote access trojan while masquerading as an AI automation tool using the Model Context Protocol (MCP).
Unit 42 researchers have also revealed that three popular Chrome extensions – Urban VPN Proxy, Urban Browser Guard, and Urban Ad Blocker – are again available on the Chrome Web Store after previously being removed for scraping AI conversations from various chatbots, including OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.
"Following the public disclosure of the campaign on December 15, 2025, the developer uploaded benign versions in January 2026, likely in response to the report," researchers Qinge Xie, Nabeel Mohamed, Shresta Bellary Seetharam, Fang Liu, Billy Melicher, and Alex Starov said.
Furthermore, the cybersecurity company identified an extension called Palette Creator (ID: iofmialeiddolmdlkbheakaefefkjokp), which has over 100,000 users and whose previous version communicated with known network indicators associated with a campaign dubbed RedDirection to carry out browser hijacking.
That's not all. A new campaign comprising over 30,000 domains has been found to initiate a redirect chain to route traffic to a landing page ("ansiblealgorithm[.]com") that's used for distributing a Chrome extension called OmniBar AI Chat and Search (ID: ajfanjhcdgaohcbphpaceglgpgaaohod).
The extension uses the chrome_settings_overrides API to modify Chrome settings and set the browser home page to omnibar[.]ai, as well as set the default search provider to a custom URL: "go.omnibar[.]ai/?api=omni&sub1=omnibar.ai&q={searchTerms}" and track queries via an API parameter.
It's believed that the end goal is to perform browser hijacking as part of what appears to be a large-scale affiliate marketing scheme, Unit 42 said, adding it identified two other extensions that exhibit the same browser-hijacking behavior as OmniBar via home page override and search interception –
- AI Output Algo Tool (ID: eeoonfhmbjlmienmmbgapfloddpmoalh)
- Serpey.com official extension (ID: hokdpdlchkgcenfpiibjjfkfmleoknkp)
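The home-page and default-search changes described for OmniBar and the two extensions listed above are declared in the extension's manifest under chrome_settings_overrides, so a reviewer can inspect them without running the extension. The Python audit below is an added example, not Unit 42's code or code from any of the listed extensions; the two manifests, the .test hostnames and the list of tracking-style query parameters are constructed assumptions for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Query parameters typically used for traffic attribution in affiliate
# redirect chains; the search URL quoted in the article carries "api" and
# "sub1". The list itself is an assumption made for this example.
TRACKING_PARAMS = {"api", "sub1", "sub2", "aff", "affid", "ref"}


def _host(url):
    return urlsplit(url).hostname or ""


def audit_settings_overrides(manifest, allowed_hosts):
    """Inspect chrome_settings_overrides and return a list of findings.

    allowed_hosts: hostnames the reviewer accepts for this extension (for
    example the vendor's own site). Every override pointing elsewhere, and
    every override carrying tracking-style parameters, is reported.
    """
    findings = []
    overrides = manifest.get("chrome_settings_overrides") or {}

    # Collect every URL the extension wants to set as a browser default.
    targets = []
    if "homepage" in overrides:
        targets.append(("homepage", overrides["homepage"]))
    for url in overrides.get("startup_pages", []):
        targets.append(("startup_page", url))
    provider = overrides.get("search_provider") or {}
    if "search_url" in provider:
        targets.append(("search_provider", provider["search_url"]))

    for kind, url in targets:
        host = _host(url)
        params = {key for key, _ in parse_qsl(urlsplit(url).query)}
        tracking = sorted(params & TRACKING_PARAMS)
        if host not in allowed_hosts:
            findings.append({"kind": kind, "host": host, "issue": "foreign-host"})
        if tracking:
            findings.append({"kind": kind, "host": host,
                             "issue": "tracking-params", "params": tracking})

    # A default search provider on a foreign host is the search interception
    # the article describes: every address-bar query is routed through it.
    if provider.get("is_default") and "search_url" in provider \
            and _host(provider["search_url"]) not in allowed_hosts:
        findings.append({"kind": "search_provider",
                         "host": _host(provider["search_url"]),
                         "issue": "default-search-redirected"})
    return findings


def hijack_suspected(findings):
    """True when any override redirects the user to a host the reviewer did not accept."""
    return any(f["issue"] in ("foreign-host", "default-search-redirected")
               for f in findings)


# Constructed manifest modelled on the behaviour described in the article.
MANIFEST_SUSPECT = json.loads("""
{
  "name": "Example Search Helper",
  "manifest_version": 3,
  "chrome_settings_overrides": {
    "homepage": "https://start.example-portal.test/",
    "search_provider": {
      "name": "Example Search",
      "keyword": "ex",
      "search_url": "https://go.example-portal.test/?api=omni&sub1=portal&q={searchTerms}",
      "encoding": "UTF-8",
      "is_default": true
    }
  }
}
""")

# Constructed manifest for a vendor that only points at its own site.
MANIFEST_OK = {
    "name": "Vendor Search",
    "manifest_version": 3,
    "chrome_settings_overrides": {
        "homepage": "https://vendor.example/",
        "search_provider": {
            "name": "Vendor Search",
            "keyword": "vs",
            "search_url": "https://vendor.example/search?q={searchTerms}",
            "encoding": "UTF-8",
            "is_default": True,
        },
    },
}

if __name__ == "__main__":
    for label, manifest in [("suspect", MANIFEST_SUSPECT), ("ok", MANIFEST_OK)]:
        findings = audit_settings_overrides(manifest, allowed_hosts={"vendor.example"})
        print(f"{label}: hijack_suspected={hijack_suspected(findings)}")
        for finding in findings:
            print("  ", finding)
```

The allowed-host set is deliberately an input rather than something derived from the manifest: an extension that overrides the default search engine is not wrong in itself, but the reviewer must decide which host that extension has a legitimate reason to send every query to, and anything else (particularly a URL that also carries attribution parameters) is the affiliate-style interception described here.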
A deeper investigation of three more extensions published by the same developer ("jon@status77.com" aka Status 77) has uncovered that two of them track user browsing activity to inject affiliate markers, while a third one extracts and transmits user Reddit comment threads to a developer-controlled API endpoint –
- Care.Sale (ID: jaioobipjdejpeckgojiojjahmkiaihp)
- Big Coupons Official Extension (ID: akdajpomgjgldidenledjjiemgkjcchc)
- Consensus – Reddit Comment Summarizer (ID: mkkfklcadlnkhgapjeejemflhamcdjld)
Users who have installed any of the aforementioned extensions are advised to remove them from their browsers with immediate effect, avoid side-loading or installing unverified productivity extensions, and audit browsers for any unknown extensions and uninstall them.