Many Chrome extensions begin as small side projects built by independent developers. Once they attract a sizable user base, these extensions are often sold to new owners. The danger arises when those owners turn out to be malicious actors who suddenly gain the ability to push updates to software running inside thousands of users’ browsers.
Two independent research investigations have revealed how attackers are acquiring legitimate, previously “featured” Chrome extensions and then modifying them to distribute malware.
Both extensions examined, ShotBird and QuickLens, were originally linked to the same developer,
ShotBird was initially released as a productivity extension that allowed users to create stylized screenshots. At one point last year, it was even promoted as a featured extension in the Chrome Web Store, a designation that can significantly boost installations.
However, research published by monxresearch-sec found that sometime between December and March, ownership of the extension changed hands to a new developer listed as
Following the transfer, an update introduced malicious behavior. The extension began retrieving instructions from attacker-controlled servers and displaying fake Chrome update notifications designed to trick users into installing malware.
Victims were subjected to a ClickFix-style attack, where they were told their browser required a manual update. Users were instructed to run a command that downloaded a malicious program masquerading as a legitimate Chrome update.
Once installed, the malware extended beyond the browser itself. Researchers found it capable of monitoring form fields and capturing sensitive data entered by users, including passwords, credit card details, and authentication codes. It could also access saved credentials stored in browser data.
A separate investigation by Annex focused on another Chrome extension, QuickLens, which marketed itself as a “Pixel Perfect” tool for designers to inspect webpage layouts.
According to researcher John Tuckner, the extension’s listed owner changed last month to
In this case, the extension removed security headers from web pages and used a small tracking pixel to activate hidden JavaScript payloads.
“The actual malicious code never appears in the extension’s source files,” Tuckner explained. This technique allows attackers to execute commands within the browser environment, potentially stealing session tokens, extracting webpage data, or delivering additional malware.
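The header-stripping behaviour described above is something a defender can look for statically: an extension that removes security headers through Chrome's declarativeNetRequest API has to declare that in a ruleset file referenced from its manifest. The script below is an added example, not code from the article or from either extension; it walks a parsed ruleset and flags any rule that removes or overwrites a response security header. The rule objects follow Chrome's real declarativeNetRequest schema, but the sample ruleset, the origin `example.test`, and the function names are constructed for this illustration.

```javascript
// Added example: audit a Chrome extension's declarativeNetRequest ruleset
// for actions that strip response security headers, the behaviour the
// article attributes to the modified QuickLens extension. The rule shape
// is Chrome's real declarativeNetRequest schema; the sample rules below
// are constructed for this example.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
  "referrer-policy",
]);

// Returns one finding per (rule, header) pair that removes or overwrites a
// security header on responses. `rules` is the parsed JSON of a ruleset
// file listed under declarative_net_request.rule_resources in manifest.json.
function findHeaderStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (!SECURITY_HEADERS.has(name)) continue;
      if (h.operation !== "remove" && h.operation !== "set") continue;
      const cond = rule.condition || {};
      findings.push({
        ruleId: rule.id,
        header: name,
        operation: h.operation,
        // No urlFilter/regexFilter means the rule applies to every
        // response the extension's host permissions let it see.
        scope: cond.urlFilter || cond.regexFilter || "*",
        resourceTypes: cond.resourceTypes || ["(all)"],
      });
    }
  }
  return findings;
}

// Severity heuristic: stripping headers on main_frame/sub_frame documents
// matters most, since that is what disables CSP for injected scripts.
function isHighRisk(finding) {
  const types = finding.resourceTypes;
  const hitsDocuments =
    types.includes("(all)") || types.includes("main_frame") || types.includes("sub_frame");
  return hitsDocuments && finding.scope === "*";
}

// Constructed sample ruleset: one benign rule (a cache header tweak on a
// single API path) and one rule that removes CSP and X-Frame-Options from
// every document, the kind of rule an auditor wants surfaced.
const SAMPLE_RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [{ header: "Cache-Control", operation: "set", value: "no-store" }],
    },
    condition: { urlFilter: "||example.test/api/", resourceTypes: ["xmlhttprequest"] },
  },
  {
    id: 2,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [
        { header: "Content-Security-Policy", operation: "remove" },
        { header: "X-Frame-Options", operation: "remove" },
      ],
    },
    condition: { resourceTypes: ["main_frame", "sub_frame"] },
  },
];

// Runs the audit over the constructed ruleset; returns the findings list.
function auditSample() {
  return findHeaderStrippingRules(SAMPLE_RULES);
}

if (typeof module !== "undefined" && require.main === module) {
  for (const f of auditSample()) {
    const sev = isHighRisk(f) ? "HIGH" : "MED ";
    console.log(`${sev} rule ${f.ruleId} ${f.operation}s ${f.header} on ${f.scope}`);
  }
}
```

Two caveats: a static ruleset is only one way to strip headers, so an extension with the `webRequest` and `webRequestBlocking` permissions can do the same thing from code and this check will not see it; and a rule that passes this audit can still be swapped out in a later update, which is exactly the ownership-transfer problem the article describes, so the check belongs in an allow-listing process that re-runs on every extension version.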
Annex described the technique as “a two-stage abuse chain,” combining remote browser control through the extension with host-level execution enabled by fake updates.
Researchers also noted that the original developer,
Last week, LayerX Security researchers highlighted what they describe as a major security blind spot in browser extensions. To demonstrate the risk, they released a test extension dubbed “Totally Innocent Extension.”
“In our demonstration, the payload simply opens the calculator app as a harmless visual cue,” said LayerX researcher Iyar Segev. “In a real-world attack, the same mechanism could enable persistence, lateral movement, data exfiltration, or full remote control of the system.”