Two Google Chrome extensions have recently become security hazards following their transfer of ownership. This transition has allowed them to be exploited for malicious purposes, including injecting harmful code and collecting sensitive user information.
Security Breach in Chrome Extensions
The extensions, originally developed by someone using the email “[email protected]” and associated with BuildMelon, were QuickLens and ShotBird. QuickLens, which had amassed 7,000 users, is no longer available. ShotBird, by contrast, remains accessible and has been downloaded by approximately 800 users. The extension, intended for crafting professional visuals, was passed to another developer last month.
According to monxresearch-sec, QuickLens was put up for sale in October 2025 and subsequently changed hands by February 2026. Updates introduced to QuickLens enabled the removal of security headers from HTTP responses, facilitating the execution of unauthorized scripts across domains.
Technical Exploitation Details
The malicious update to QuickLens allowed arbitrary requests by stripping security headers like X-Frame-Options. Moreover, the extension could identify user details such as location and operating system, continuously polling an external server for JavaScript code to execute upon page loads.
Similarly, ShotBird was found to utilize direct callback functions to deliver harmful JavaScript. This script mimicked a Google Chrome update prompt, leading users to inadvertently download malicious software.
Impact and Response to Threats
The potential for credential theft and broader system compromise has been heightened due to these malicious extensions. Researchers suggest that the same threat actor could be behind both compromised extensions, using a similar command-and-control pattern.
To mitigate risk, users who installed these extensions should remove them immediately. Regular audits of browser extensions are advised to ensure no malicious add-ons compromise user data.
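One way to run such an audit, as an added example that is not code from the article or the researchers: it reads an unpacked extension's manifest.json and flags risky permissions, all-site host access, and static rules that remove or overwrite security response headers such as X-Frame-Options. It assumes the header changes are declared as static declarativeNetRequest rules, a mechanism the article does not name; the header watch list, the permission list and the sample rule are constructed for illustration.

```python
import json
from pathlib import Path

# Assumed watch list: response headers whose removal weakens page isolation.
SECURITY_HEADERS = {"x-frame-options", "content-security-policy",
                    "content-security-policy-report-only", "strict-transport-security",
                    "cross-origin-opener-policy", "cross-origin-embedder-policy",
                    "cross-origin-resource-policy"}
# Assumed list of permissions worth a second look during review.
RISKY_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                     "webRequest", "scripting"}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample rule, in the declarativeNetRequest rule format.
SAMPLE_RULES = [{"id": 1, "priority": 1, "condition": {"urlFilter": "*"},
                 "action": {"type": "modifyHeaders", "responseHeaders": [
                     {"header": "X-Frame-Options", "operation": "remove"}]}}]

def stripped_headers(rules):
    """Return (rule id, header) for rules that remove or overwrite a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            name = mod.get("header", "").lower()
            if name in SECURITY_HEADERS and mod.get("operation") in ("remove", "set"):
                hits.append((rule.get("id"), name))
    return hits

def audit_extension(ext_dir):
    """Audit one unpacked extension directory (the folder holding manifest.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    findings = {"name": manifest.get("name"), "version": manifest.get("version"),
                "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
                "all_sites": bool(set(manifest.get("host_permissions", [])) & ALL_SITES),
                "stripped": []}
    # Static rule files are listed in the manifest; rules added at runtime are not.
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rule_file = ext_dir / res.get("path", "").lstrip("/")
        if rule_file.is_file():
            rules = json.loads(rule_file.read_text(encoding="utf-8-sig"))
            findings["stripped"] += stripped_headers(rules)
    return findings

if __name__ == "__main__":
    print(stripped_headers(SAMPLE_RULES))
```

Run it against each versioned folder under the browser profile's Extensions directory and compare the findings before and after an update. Rules an extension registers at runtime do not appear in these files, so a clean result here does not rule out header tampering.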
The issue underscores a broader problem within the extension ecosystem, where trusted extensions can be weaponized post-ownership transfer, posing significant threats to user security and privacy.
