thehackernews.com 3/9/2026, 10:47:05 AM

Ownership transfer turns Chrome extensions into code injectors

Two Google Chrome extensions have been found to have turned malicious after an ownership transfer, enabling code injection and data theft for downstream users, according to The Hacker News.

The extensions, QuickLens - Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) and ShotBird - Scrolling Screenshots, Tweet Images & Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp), were originally linked to a developer using the email akshayanuonline@gmail[.]com and had 7,000 and 800 users respectively. QuickLens is no longer available, while ShotBird remains live at the time of reporting.

An update on 17 February 2026 introduced capabilities to strip security headers, bypass CSP protections, and execute code via payloads fetched from a command-and-control server, stored in local storage and run on page load. Analyses describe a two-stage abuse chain—extension-side remote browser control plus host-side execution pivot via fake updates—and note the same actor appears to be behind both extensions, based on a shared C2 pattern and ownership-transfer infection vector. The disclosure highlights the broader risk posed by weaponised extensions in enterprise browser usage, according to The Hacker News.
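
A defender-side inventory check for the risk described above, added here as an example (it is not code from The Hacker News or CyberSIXT). It flags the two extension IDs named in the article and any extension whose manifest gained permissions since a recorded baseline. The header-API heuristic, the function names and the baseline mechanism are assumptions; the article does not say which Chrome APIs the update used.

```python
import json
from pathlib import Path

# Extension IDs named in the article above.
REPORTED_IDS = {
    "kdenlnncndfnhkognokgfpabgkgehodd": "QuickLens",
    "gengfhhkjekmlejbhmmopegofnoifnjp": "ShotBird",
}
# Assumption: heuristic for header-rewriting APIs, not these extensions' known permissions.
HEADER_APIS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
               "webRequest", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def capabilities(manifest):
    """Return (API permissions, host patterns) for an MV2 or MV3 manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    hosts = {h for h in manifest.get("host_permissions", []) if isinstance(h, str)}
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 style
    return perms - hosts, hosts

def assess(ext_id, manifest, baseline=None):
    """Flag reported IDs, header-rewrite capability, and growth since baseline."""
    perms, hosts = capabilities(manifest)
    findings = []
    if ext_id in REPORTED_IDS:
        findings.append("reported-id:" + REPORTED_IDS[ext_id])
    if perms & HEADER_APIS and hosts & BROAD_HOSTS:
        findings.append("header-rewrite-on-all-sites")
    if baseline is not None:
        old_perms, old_hosts = capabilities(baseline)
        added = sorted((perms | hosts) - (old_perms | old_hosts))
        if added:
            findings.append("added-since-baseline:" + ",".join(added))
    return findings

def scan_profile(extensions_dir, baselines=None):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable-manifest"]
            continue
        found = assess(ext_id, manifest, (baselines or {}).get(ext_id))
        if found:
            report[ext_id] = found
    return report
```

`baselines` is a dict of extension ID to the manifest recorded when the extension was approved; a finding of `added-since-baseline` after an update is the signal to re-review before the new version runs fleet-wide.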

Article by CyberSIXT