DEV Community

Mark0

Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft

Two popular Google Chrome extensions, QuickLens and ShotBird, turned malicious after their ownership was transferred, highlighting a critical supply-chain weakness in the browser-extension ecosystem. Both were originally legitimate tools carrying "Featured" badges; after the transfer they were updated with code that strips security headers, fingerprints the user's system, and executes arbitrary JavaScript fetched from external command-and-control (C2) servers. The malicious updates also use "ClickFix" lures to trick users into running PowerShell commands, which installs host-level malware that captures sensitive data such as credentials, payment information, and government identifiers.

Beyond these specific cases, security researchers have identified a broader trend of malicious extensions masquerading as AI assistants or utility tools to harvest LLM chat histories, steal cryptocurrency seed phrases, and perform affiliate hijacking. Organizations including Microsoft and Palo Alto Networks warn that even previously reviewed and trusted extensions can be weaponized overnight. Users are strongly advised to audit their browser extensions, remove any unverified or unnecessary tools, and remain vigilant against unexpected update prompts that require manual command execution.
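One concrete way to act on the audit advice above is to inspect an unpacked extension's manifest for the capabilities the article describes: permissions that allow response headers to be rewritten, access to every site, static net-request rules that remove security headers, and an extension CSP that permits eval or network-loaded scripts. This is an added example in Python, not code from the article or from either extension; the manifests and the rule file are constructed for illustration.

```python
# Permissions that let an extension rewrite or drop HTTP response headers
HEADER_REWRITE_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                        "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Response headers whose removal weakens a site's own defences against injected script
SECURITY_HEADERS = {"content-security-policy", "strict-transport-security", "x-frame-options"}


def audit_extension(manifest: dict, rule_files=None) -> list:
    """Return findings for one unpacked extension. `rule_files` maps the paths named in
    declarative_net_request.rule_resources to their parsed rule lists."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if perms & HEADER_REWRITE_PERMS:
        findings.append("header rewrite: " + ", ".join(sorted(perms & HEADER_REWRITE_PERMS)))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    # Static declarativeNetRequest rules that strip security headers from page responses
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        for rule in (rule_files or {}).get(res.get("path"), []):
            if rule.get("action", {}).get("type") != "modifyHeaders":
                continue
            for h in rule["action"].get("responseHeaders", []):
                if h.get("operation") == "remove" and h.get("header", "").lower() in SECURITY_HEADERS:
                    findings.append(f"rule {rule.get('id')} removes {h['header']} ({res['path']})")
    # An extension CSP that permits eval() or script fetched over the network
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    script_src = next((d.strip() for d in csp.split(";") if d.strip().startswith("script-src")), "")
    if "unsafe-eval" in script_src or "http" in script_src:
        findings.append("extension CSP allows eval or remote scripts: " + script_src)
    return findings


# Constructed sample: an extension whose update added header stripping and all-site access
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Example Screenshot Tool", "version": "2.0.1",
    "permissions": ["declarativeNetRequest", "storage", "tabs"], "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [{"id": "rs", "enabled": True, "path": "rules.json"}]},
}
SUSPICIOUS_RULES = {"rules.json": [{
    "id": 1, "priority": 1,
    "action": {"type": "modifyHeaders",
               "responseHeaders": [{"header": "Content-Security-Policy", "operation": "remove"}]},
    "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]},
}]}
# Constructed sample: a narrowly scoped extension that should produce no findings
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Example Notes", "version": "1.0",
                   "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    print("benign:", audit_extension(BENIGN_MANIFEST, {}))
    print("suspicious:", audit_extension(SUSPICIOUS_MANIFEST, SUSPICIOUS_RULES))
```

A finding is a signal for review rather than proof of malice, since legitimate ad blockers and developer tools legitimately hold some of these permissions; compare against the permissions the extension held before the update.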
