Chrome Extension Goes Malicious After Transferring Ownership, Enabling Code Injection and Data Theft

Two Google Chrome extensions have turned malicious after what appears to be an ownership transfer, giving attackers a way to push malware to downstream clients, inject malicious code, and harvest sensitive data.
The extensions in question, both associated with a developer named “akshayanuonline@gmail.com” (BuildMelon), are listed below –
- QuickLens – Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) – 7,000 users
- ShotBird – Scrolling Screenshots, Tweet Images & Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) – 800 users
While QuickLens is no longer available for download from the Chrome Web Store, ShotBird is still accessible as of this writing. ShotBird was originally launched in November 2024, with its developer, Akshay Anu S (@AkshayAnuOnline), saying that the extension is suitable for “creating professional, studio-like visuals,” and that all processing takes place locally.
According to research published by monxresearch-sec, the browser add-on received the “Installed” flag in January 2025, before being transferred to a different developer (“loraprice198865@gmail.com”) sometime last month.
Similarly, QuickLens was listed for sale on ExtensionHub on October 11, 2025, by “akshayanuonline@gmail.com” just two days after it was published, said John Tuckner of Annex Security. On February 1, 2026, the extension’s owner changed to “support@doodlebuggle.top” on the Chrome Web Store listing page.
A malicious update pushed to QuickLens on February 17, 2026, kept the original functionality but added the ability to strip security headers (e.g., X-Frame-Options) from all HTTP responses, allowing malicious scripts embedded in a web page to make requests to other domains that would otherwise be blocked, bypassing the protection of the Content Security Policy (CSP).
In addition, the extension contains code that fingerprints the user’s country, browser, and the extension itself, and polls an external server every five minutes for JavaScript, which is stored in the browser’s local storage and executed on every page load by adding a hidden 1×1 GIF element and setting the JavaScript string as its onload attribute. This, in turn, causes the malicious code to run as soon as the image is loaded.

“The actual malicious code never appears in the extension’s source files,” explains Tuckner. “Hard analysis shows the activity that creates the image features. That’s it. Payloads are delivered from C2 and stored in local storage — they only exist at runtime.”
A similar analysis of the ShotBird extension by monkxresearch-sec reveals that it delivers the JavaScript code directly instead of creating a 1×1 pixel image to run it. The JavaScript is designed to display a fake Google Chrome update notification; clicking it presents users with a ClickFix-style page instructing them to open the Windows Run dialog box, run “cmd.exe,” and paste a PowerShell command, resulting in the download of an executable named “googleupdate.exe” onto Windows hosts.

The malware then proceeds to hook input, textarea, and select HTML elements and capture any data entered by the victim. This may include login information, PINs, card details, tokens, and government identifiers. It is also equipped to dump data stored in the Chrome web browser, such as passwords, browsing history, and extension-related information.
“This is a two-tier abuse chain: browser-side remote control and host-level pivot with fake updates,” the researcher said. “The result is high-risk data exposure in the browser and confirmed host-side script execution on at least one affected system. In practical terms, this raises the impact from browser-only abuse to credential theft and extensive endpoint compromise.”
The same threat actor is believed to be behind the compromise of both extensions and to be operating them in parallel, given the similar command-and-control (C2) infrastructure, the ClickFix lures injected into the browsing context, and the use of ownership transfer as the infection vector.

Interestingly, the original developer of the extensions published several other extensions under their own name in the Chrome Web Store, and all of them received the same badge. The developer also has an account on ExtensionHub, although no extensions are currently listed for sale. In addition, someone tried to sell domains like “AIInfraStack[.]com” for $2,500, stating that a “strong keyword domain” is “worth it [sic] the fastest growing AI ecosystem.”
“This is an extension supply chain problem in a nutshell,” Annex Security said. “The ‘Installed,’ updated, active extension changes hands, and the new owner pushes the weaponized update to every existing user.”
The disclosure comes as Microsoft warned of Chromium-based browser extensions posing as legitimate AI assistant tools to harvest LLM chat histories and browsing data.
“At scale, this work turns a seemingly reliable production extension into an ongoing way to collect data embedded in everyday enterprise browser usage, highlighting the proliferation of malicious browser extensions in the enterprise environment,” said the Microsoft Defender Security Research Team.
In recent weeks, threat hunters have also flagged a malicious Chrome extension named lmΤoken Chromophore (ID: bbhaganppipihlhjgaaeeeefbaoihcgi) that impersonates imToken while advertising itself as a hex color viewer on the Chrome Web Store to steal cryptocurrency seed phrases using phishing redirects.
“Instead of providing the harmless tool it promises, the extension automatically opens an actor-controlled phishing site immediately after it’s installed, and whenever a user clicks on it,” said Socket researcher Kirill Boychenko.
“When installed, the extension fetches the destination URL from the JSONKeeper code repository (jsonkeeper[.]com/b/KUWNE) and opens a tab that points to a Chrome Web Store-style domain, chroomewdbstorre-detail-extension[.]com. The landing page mimics imToken using mixed homoglyphs and subjects victims to a verification shot that asks for a 12- or 24-character seed phrase or private key.”
Some malicious extensions flagged by Palo Alto Networks Unit 42 were found to be involved in affiliate hijacking and data exfiltration. One of them, Chrome MCP Server – AI Browser Control (ID: fpeabamapgecnidibdmjoepaiehokgda), acts as a full-fledged remote access tool while masquerading as a Model Context Protocol (MCP) server.
Unit 42 researchers also looked at three popular Chrome extensions, namely Urban VPN Proxy, Urban Browser Guard, and Urban Ad Blocker, previously identified by Koi as scraping AI conversations from chatbots such as OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, and xAI Grok.
“After the public disclosure of the campaign on December 15, 2025, the developer updated the negative versions in January 2026, possibly in response to the report,” said researchers Qinge Xie, Nabeel Mohamed, Shresta Bellary Seetharam, Fang Liu, Billy Melicher and Alex Starov.
In addition, the cybersecurity company identified an extension called Palette Creator (ID: iofmialeiddolmdlkbheakaefefkjokp), which has more than 100,000 users and whose previous version is linked to known network indicators associated with a browser-hijacking campaign called RedDirection.
It doesn’t end there. A new campaign covering more than 30,000 domains was found to trigger a chain of redirecting traffic to the landing page (“ansiblealgorithm[.]com”) used to distribute a Chrome extension called OmniBar AI Chat and Search (ID: ajfanjhcdgaohcbphpaceglgpgaaohod).
The extension uses the chrome_settings_overrides API to change Chrome settings, setting the browser’s home page to omnibar[.]ai and making the default search provider a custom URL, “go.omnibar[.]ai/?api=omni&sub1=omnibar.ai&q={searchTerms},” which tracks queries via the “api” parameter.
The ultimate goal is believed to be browser hijacking as part of what appears to be a larger affiliate marketing scheme, Unit 42 said, adding that it identified two other extensions that exhibit similar browser hijacking behavior alongside OmniBar by overriding the home page and search settings –
- AI Output Algo Tool (ID: eeoonfhmbjlmienmmbgapfloddpmoalh)
- Official Serpey.com extension (ID: hokdpdlchkgcenfpiibjjfkfmleoknkp)
A closer investigation of three other extensions published by the same developer (“jon@status77.com” and Status 77) found that two of them track users’ browsing activity to inject interactive tags, while the third extracts users’ Reddit comments and forwards them to a developer-controlled API endpoint –
- Care.Sale (ID: jaioobipjdejpeckgojiojjahmkiaihp)
- Official Extension for Big Coupons (ID: akdajpomgjgldidenledjzhimgkjcchc)
- Consensus – Reddit Comment Summary (ID: mkkfklcadlnkhgapjeejemflhamcdjld)
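The header stripping described for QuickLens and the chrome_settings_overrides hijack described for OmniBar both leave traces in an extension's manifest and its declarativeNetRequest rule files. The following audit script is an added example for defenders, not code from any of the reports or extensions above; the sample manifest and rule set it checks are constructed, and `example.invalid` is a placeholder domain.

```python
# Response headers a legitimate extension almost never needs to strip from every
# response; removing them disables clickjacking and CSP protection site-wide.
SECURITY_HEADERS = {"x-frame-options", "content-security-policy",
                    "content-security-policy-report-only"}

def header_removal_findings(rules):
    """Return (header, urlFilter) for MV3 declarativeNetRequest rules that remove a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                hits.append((name, rule.get("condition", {}).get("urlFilter", "*")))
    return hits

def settings_override_findings(manifest):
    """Return chrome_settings_overrides entries that take over homepage, search or startup pages."""
    ov = manifest.get("chrome_settings_overrides", {})
    hits = [("homepage", ov["homepage"])] if "homepage" in ov else []
    if "search_provider" in ov:
        hits.append(("search_provider", ov["search_provider"].get("search_url", "")))
    hits += [("startup_page", p) for p in ov.get("startup_pages", [])]
    return hits

def audit(manifest, rule_files):
    """manifest: parsed manifest.json; rule_files: {rule path: parsed rule list}."""
    findings = [("settings_override", *f) for f in settings_override_findings(manifest)]
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        for f in header_removal_findings(rule_files.get(res["path"], [])):
            findings.append(("header_removal", *f))
    return findings

# Constructed sample (not from either extension): a search/homepage hijack plus a
# rule that strips X-Frame-Options from every response.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "sample",
    "chrome_settings_overrides": {
        "homepage": "https://example.invalid/",
        "search_provider": {"name": "x", "encoding": "UTF-8", "is_default": True,
                            "search_url": "https://example.invalid/?api=aff&q={searchTerms}"}},
    "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_RULES = {"rules.json": [{"id": 1, "priority": 1,
    "action": {"type": "modifyHeaders", "responseHeaders": [{"header": "X-Frame-Options", "operation": "remove"}]},
    "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_RULES):
        print(finding)
```

To audit an unpacked extension, load its manifest.json with the json module and each path listed under declarative_net_request.rule_resources into the rule_files dictionary before calling audit.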
Users who have installed any of the extensions mentioned above are advised to remove them from their browsers immediately, avoid sideloading or installing extensions from unverified publishers, and check their browsers for any unknown extensions and remove them.