
A once-trusted Chrome extension with hundreds of users was quietly transformed into a malware delivery vehicle, exposing how quickly browser add-ons can become security liabilities.
QuickLens – Search Screen with Google Lens was removed from the Chrome Web Store after researchers discovered it had been updated to deploy ClickFix attacks and steal cryptocurrency wallet data.
“For every page, frame, and request, the security headers are now gone. User traffic is now vulnerable to many new attacks like clickjacking,” Annex researchers said in a blog post.
Inside the malicious Chrome extension update
Browser extensions operate with extensive access to web traffic, page content, and authenticated user sessions.
In the case of QuickLens, the extension had roughly 7,000 users and previously held a featured badge in the Chrome Web Store, lending it credibility. After a reported ownership change in early February 2026, a malicious update was pushed to users on Feb. 17, 2026.
That update introduced expanded permissions and embedded command-and-control (C2) functionality, effectively turning a legitimate tool into a malware-delivery mechanism.
From trusted Chrome extension to malware loader
The compromised version requested new permissions, including declarativeNetRequestWithHostAccess and webRequest, which granted deeper control over browsing activity and network requests.
It also included a rules.json configuration that stripped key browser security headers — such as Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection — from all visited pages.
These headers are designed to prevent script injection and clickjacking attacks. By removing them, the extension weakened built-in browser defenses and enabled the execution of malicious scripts across otherwise protected websites.
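As an added example (not code from the article or from the researchers), the following Python audit script checks an extension's manifest.json and its declarativeNetRequest ruleset for the two patterns described above: high-risk network permissions, and modifyHeaders rules that remove security response headers. The manifest and rules.json it scans are constructed samples, not QuickLens's actual files.

```python
import json

# Permissions the article names as granting deep control over network traffic.
HIGH_RISK_PERMISSIONS = {"webRequest", "declarativeNetRequestWithHostAccess"}
# Response headers whose removal disables built-in browser defenses.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options", "x-xss-protection"}

# Constructed sample manifest and declarativeNetRequest ruleset (not QuickLens's files).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "permissions": ["storage", "declarativeNetRequestWithHostAccess", "webRequest"],
    "host_permissions": ["<all_urls>"],
})
SAMPLE_RULES = json.dumps([
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders",
                "responseHeaders": [{"header": "Content-Security-Policy", "operation": "remove"},
                                    {"header": "X-Frame-Options", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    {"id": 2, "priority": 1,
     "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example", "resourceTypes": ["script"]}},
])


def risky_permissions(manifest_json: str) -> set:
    """Return the high-risk permissions requested in a manifest.json string."""
    manifest = json.loads(manifest_json)
    return set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS


def stripped_security_headers(rules_json: str) -> list:
    """Return (rule id, header) for every DNR rule that removes a security response header."""
    findings = []
    for rule in json.loads(rules_json):
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue  # block/redirect rules do not touch headers
        for mod in action.get("responseHeaders", []):
            if mod.get("operation") == "remove" and mod.get("header", "").lower() in SECURITY_HEADERS:
                findings.append((rule["id"], mod["header"]))
    return findings


def audit(manifest_json: str, rules_json: str) -> dict:
    """Combine both checks into one report suitable for an extension review pipeline."""
    return {"risky_permissions": sorted(risky_permissions(manifest_json)),
            "stripped_headers": stripped_security_headers(rules_json)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_RULES), indent=2))
```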
Command-and-control and payload execution
Once active, the extension began communicating with a C2 server at api.extensionanalyticspro[.]top.
It generated a persistent UUID to track victims, fingerprinted users’ countries using Cloudflare’s trace endpoint, identified browser and operating system details, and polled the C2 infrastructure every 5 minutes for instructions. Malicious JavaScript payloads were delivered in response and executed on every page load using what researchers described as a “1×1 GIF pixel onload trick.”
Because CSP protections had been stripped, these inline scripts executed successfully — even on sites that would normally block such behavior.
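An added example, not from the original article: a small Python detector for the fixed-interval polling described above, run over constructed proxy log lines (the client IP and hostnames are placeholders, not real indicators). It flags any client/host pair contacted at near-constant intervals, which is how a 5-minute C2 beacon stands out from ordinary browsing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client IP, destination host. Not real traffic.
SAMPLE_LOG = """\
2026-02-18T09:00:00 10.0.0.5 api.example-analytics.invalid
2026-02-18T09:00:07 10.0.0.5 www.example.com
2026-02-18T09:05:01 10.0.0.5 api.example-analytics.invalid
2026-02-18T09:06:40 10.0.0.5 www.example.com
2026-02-18T09:09:59 10.0.0.5 api.example-analytics.invalid
2026-02-18T09:15:00 10.0.0.5 api.example-analytics.invalid
2026-02-18T09:17:12 10.0.0.5 cdn.example.org
2026-02-18T09:20:00 10.0.0.5 api.example-analytics.invalid
2026-02-18T09:31:44 10.0.0.5 www.example.com
"""


def parse_log(text):
    """Yield (client, host, timestamp) from the whitespace-separated format above."""
    for line in text.splitlines():
        ts, client, host = line.split()
        yield client, host, datetime.fromisoformat(ts)


def find_beacons(text, min_requests=4, max_jitter_ratio=0.05):
    """Return {(client, host): mean interval in seconds} for pairs polled at near-constant intervals."""
    by_pair = defaultdict(list)
    for client, host, ts in parse_log(text):
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A low coefficient of variation means machine-timed polling, not human browsing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: polled roughly every {interval}s")
```

On real proxy or DNS logs, a hit on an unfamiliar host at a steady interval is the trigger to pull the client's extension inventory and look for the permissions described above.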
ClickFix malware and cryptocurrency theft
One of the delivered payloads displayed a fake Google Update prompt designed to initiate a ClickFix attack.
Windows users who clicked the update were prompted to download a file named googleupdate.exe, signed with a certificate belonging to Hubei Da’e Zhidao Food Technology Co., Ltd. When executed, the file launched a hidden PowerShell command that spawned a second PowerShell instance.
This secondary process retrieved additional instructions from a remote server using a custom user agent and piped the response into Invoke-Expression, enabling remote code execution directly on the victim’s machine.
In parallel, other malicious scripts targeted cryptocurrency wallets, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Brave Wallet, and others. If detected, the extension attempted to extract wallet activity data and seed phrases — information that could allow attackers to take control of wallets and transfer funds.
Additional payloads scraped Gmail inbox contents, Facebook Business Manager advertising accounts, and YouTube channel data, and harvested login credentials and payment information entered into web forms.
Some reports also indicated potential targeting of macOS users with the AMOS infostealer, although independent confirmation of that activity was limited. Following disclosure of the malicious behavior, Google removed QuickLens from the Chrome Web Store and automatically disabled it in affected browsers.
How to mitigate browser extension risk
Browser extensions have become an indispensable part of modern workflows — but they also represent a rapidly expanding attack surface inside the enterprise.
As recent campaigns have shown, malicious or compromised extensions can bypass traditional perimeter defenses and operate directly within trusted browser sessions. Because these threats often exploit legitimate functionality rather than rely on CVEs, organizations must take a layered, policy-driven approach to reduce risk.
- Centrally manage and restrict browser extension installations using Chrome enterprise policies, allowing only approved extensions and blocking excessive or newly requested permissions.
- Regularly audit installed extensions, monitor for changes in ownership or permissions, and remove unnecessary or outdated add-ons.
- Monitor for suspicious browser behavior, including unexpected outbound connections, repetitive beaconing, header manipulation, and use of high-risk permissions such as webRequest or declarativeNetRequestWithHostAccess.
- Enforce least privilege and phishing-resistant multi-factor authentication to reduce the impact of credential theft and post-compromise lateral movement.
- Deploy endpoint protection, browser isolation, and data loss prevention controls to detect and prevent credential harvesting, wallet exfiltration, and malicious script execution.
- Require affected users to fully remove compromised extensions, reset stored credentials, and transfer cryptocurrency assets to newly generated wallets with fresh seed phrases.
- Continuously validate security controls and test incident response plans through tabletop exercises or breach and attack simulations for browser-based supply chain attacks.
Together, these controls help limit the blast radius of a compromised extension while strengthening organizational resilience against evolving browser-based supply chain threats.
Editor’s note: This article originally appeared on our sister site, eSecurityPlanet.