Security researchers warn that seemingly legitimate Chrome extensions can become dangerous overnight when ownership changes hands, allowing attackers to push malicious updates, steal sensitive data, and compromise user systems.

Two Google Chrome extensions that once appeared legitimate have reportedly turned malicious after a transfer of ownership, highlighting a growing security risk in the browser extension ecosystem.
The extensions involved are:
- QuickLens – Search Screen with Google Lens (about 7,000 users)
- ShotBird – Scrolling Screenshots, Tweet Images & Editor (around 800 users)
While QuickLens has already been removed from the Chrome Web Store, ShotBird remained available at the time of reporting, raising concerns about potential exposure for existing users.
How the Attack Began
Both extensions were originally developed by a developer linked to the email akshayanuonline@gmail.com.
Security researchers discovered that the ownership of the extensions later changed to different developers. Shortly after the transfer, new updates introduced malicious functionality while keeping the original features intact, making the attack harder to detect.
This type of attack is often referred to as a browser extension supply-chain compromise.
Malicious Capabilities Added to the Extensions
The malicious updates enabled several dangerous behaviors that could expose users to cyberattacks.
Researchers observed that the compromised extensions could:
- Inject arbitrary JavaScript into web pages
- Remove security protections such as Content Security Policy (CSP)
- Fingerprint the user’s device and location
- Communicate with external command-and-control (C2) servers
- Execute malicious code dynamically during browser sessions
The malicious payloads were not directly embedded in the extension code. Instead, the extensions regularly contacted remote servers and downloaded the malicious code at runtime, making detection more difficult.
Fake Chrome Update Used to Deliver Malware
In the case of the ShotBird extension, researchers found an additional attack method.
The extension displayed a fake Google Chrome update prompt. When users clicked the prompt, they were redirected to a page instructing them to open the Windows Run dialog and execute a command.
This command downloaded a malicious file named googleupdate.exe, which could compromise the user’s system.
Once installed, the malware was capable of:
- Logging keystrokes
- Capturing data entered into web forms
- Collecting login credentials and tokens
- Extracting stored browser data such as saved passwords and browsing history
This technique effectively escalates the attack from browser compromise to full system compromise.
A Growing Threat: Browser Extension Supply Chain Attacks
Security experts say the attack demonstrates a broader problem in the browser ecosystem.
Extensions that initially pass security reviews can later become dangerous if their ownership changes and the new developer pushes malicious updates.
Because users have already installed the extension and granted its permissions, and Chrome applies updates that request no new permissions automatically, the malicious update inherits that access to sensitive browser data without any new prompt.
Researchers warn that such attacks can turn trusted productivity tools into persistent surveillance and data-collection mechanisms inside enterprise environments.
Additional Malicious Extensions Identified
Researchers and security companies also flagged several other Chrome extensions involved in malicious campaigns.
Some were designed to:
- Steal cryptocurrency seed phrases through phishing pages
- Hijack browser searches for affiliate fraud
- Capture chat histories from AI tools and chatbots
- Act as remote access tools disguised as productivity software
In one case, an extension pretending to be a color visualization tool redirected users to a phishing site impersonating a cryptocurrency wallet service.
Security Advice for Users
Security researchers recommend several precautions to reduce risks from malicious extensions.
Users should:
- Remove any suspicious or unused browser extensions immediately
- Install extensions only from trusted developers
- Avoid side-loading extensions from external websites
- Review extension permissions carefully
- Regularly audit installed browser add-ons
Organizations should also monitor enterprise browsers for unauthorized or risky extensions.
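As an added illustration of the auditing advice above (not code from the article or from the researchers it cites), the following Python script walks a Chrome profile's Extensions directory and flags extensions that are absent from an organisation's allowlist, whose installed version differs from the reviewed one, or whose manifest grants the kind of reach described in this article (script injection, header rewriting, all-site host access). The allowlist format, the permission selection and the sample extension IDs are my own assumptions.

```python
import json
from pathlib import Path

# Permissions that give an extension the reach the article describes:
# injecting scripts into pages, rewriting response headers (e.g. stripping
# CSP) and reading cookies or navigation. The selection is my own.
RISKY_PERMISSIONS = {
    "scripting", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "cookies", "tabs", "webNavigation",
    "debugger", "nativeMessaging",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(ext_id, manifest, allowlist):
    """Return findings for one manifest. allowlist maps approved extension
    IDs to the reviewed version; a different installed version is flagged so
    updates pushed after review (the ownership-transfer case) get re-examined.
    """
    findings = []
    name = manifest.get("name", "?")
    version = manifest.get("version", "0")
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if ext_id not in allowlist:
        findings.append(f"{name} ({ext_id}): not on the approved list")
    elif allowlist[ext_id] != version:
        findings.append(f"{name} ({ext_id}): installed {version}, "
                        f"reviewed {allowlist[ext_id]}")
    if perms & RISKY_PERMISSIONS:
        findings.append(f"{name}: high-reach permissions "
                        f"{sorted(perms & RISKY_PERMISSIONS)}")
    if hosts & BROAD_HOSTS:
        findings.append(f"{name}: host access to all sites")
    # A content script matching every URL can inject JavaScript anywhere.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        findings.append(f"{name}: content script injected into all pages")
    return findings


def audit_profile(profile_dir, allowlist):
    """Walk a Chrome profile's Extensions/<id>/<version>/manifest.json tree."""
    results = {}
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        with open(path, encoding="utf-8") as fh:
            results[ext_id] = audit_manifest(ext_id, json.load(fh), allowlist)
    return results
```

Run `audit_profile` against a profile directory such as `~/.config/google-chrome/Default` (path varies by OS) and review every extension that returns a non-empty list; a previously approved extension whose version has changed is the case this article is about.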
Why Browser Extensions Are Becoming a Major Security Risk
Browser extensions have become powerful tools with deep access to web sessions, cookies, and user input.
If compromised, they can:
- Intercept credentials and session tokens
- Monitor browsing activity
- Inject malicious scripts into web pages
- Act as a bridge to deliver malware onto the host system
As attackers increasingly target browser extensions, security experts warn that supply chain attacks in browser ecosystems may continue to grow.