Two Chrome extensions, one with 7,000 users and another with only 800, became malicious after their ownership was transferred. The updated versions allow attackers to inject malicious code and collect sensitive user data. While these extensions are not widely popular, the incident highlights the broader risks within the browser extension ecosystem and demonstrates why users must be cautious about what they install, browser extensions included.
QuickLens & ShotBird
The extensions in question are called QuickLens and ShotBird. QuickLens was the more popular of the two, with around 7,000 installs, and allowed users to access Google Lens directly from the browser. ShotBird, on the other hand, had only about 800 installs and was designed to capture wide screenshots of feeds on platforms such as Facebook and Instagram. Both extensions received the featured tag in early 2025. Both have since been removed from the Chrome Web Store.
Becoming Malicious
Before going into detail, note that these are just two extensions recently discovered by researchers, one by MonxResearch-Sec and the other by Annex Security. It is very likely that many other extensions have suffered the same fate, as these security researchers are trying to document a broader problem within the ecosystem.
Both extensions were recently sold to different developers before becoming malicious. ShotBird, for example, was discovered to pull instructions from its host server and display fake Chrome update prompts in the browser. These prompts attempt to trick users into installing malware.
QuickLens, on the other hand, received an update that allowed it to bypass certain browser protections and inject hidden malicious JavaScript code. This allowed attackers to execute commands within users’ browsers, giving them the ability to steal cookies that could be used to hijack sessions, as well as capture other user-entered credentials.
A New Attack Vector?
While malicious extensions are nothing new, the strategy used in this case is somewhat different. Both extensions had a featured tag, which can give users a false sense of security, as many assume featured extensions are well vetted. Selling extensions is fairly common, especially for small developers. However, purchasing them only to turn them into malware is a newer, concerning trend. This is another reason why users should keep their number of extensions minimal and install them only from trusted developers.

